SentinelOne Backup Best Practice

Disclaimer: Disabling VSS snapshots will invalidate the SentinelOne ransomware warranty. If there are any questions on this, please contact the SOC at [email protected]

Issue

Protected servers with SentinelOne installed may exhibit very slow performance and in some cases unexpectedly reboot, when SentinelOne is configured to perform VSS snapshots on the protected server.

Cause

When SentinelOne is configured to perform VSS snapshots on a server, it creates persistent shadow copies of the volume and stores them on the disk with no retention or overwrite mechanism. Each shadow copy maintains multiple cache files in the VSS storage area and corresponding registry entries are added under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE\VolumeSnapshot.

Over a period of time, the number of cache files grows exponentially and the Enum\STORAGE\VolumeSnapshot registry key gets flooded with shadow copy entries. When a VSS requestor backup application like Windows Backup or Recover creates non-persistent snapshots and stores them on a disk that does not have enough free space, the backups start to fail and eventually the cache files under the System Volume Information folder may get corrupted. This has been observed to lead to slow performance of the protected server and, in some cases, an unexpected reboot of the server.

Symptoms

  • The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE\VolumeSnapshot registry gets flooded with a lot of volume shadow copy entries.
  • VSS storage area on the volume gets filled up rapidly leading to performance degradation of the server.
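
Both symptoms can be checked on a server with a read-only PowerShell script. This is an added example, not SentinelOne tooling or code from the original article; the function name `Get-VssSnapshotPressure` and both thresholds are assumptions to tune for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only check for the two symptoms described above.
# Function name and both thresholds are assumptions; tune them per environment.
function Get-VssSnapshotPressure {
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Enum\STORAGE\VolumeSnapshot',
        [int]$MaxRegistryEntries = 100,   # assumed alert threshold
        [double]$MaxUsedPercent = 80      # assumed alert threshold
    )

    # Symptom 1: number of shadow copy entries under the VolumeSnapshot key.
    $entryCount = 0
    if (Test-Path -LiteralPath $KeyPath) {
        $entryCount = @(Get-ChildItem -LiteralPath $KeyPath -ErrorAction SilentlyContinue).Count
    }

    # Shadow copies currently present, and how many of them are persistent.
    $shadows    = @(Get-CimInstance -ClassName Win32_ShadowCopy)
    $persistent = @($shadows | Where-Object { $_.Persistent }).Count

    # Symptom 2: VSS storage area usage per volume.
    $volumes = Get-CimInstance -ClassName Win32_Volume
    $storage = foreach ($s in Get-CimInstance -ClassName Win32_ShadowStorage) {
        $name = ($volumes | Where-Object DeviceID -eq $s.Volume.DeviceID).Name
        # A MaxSpace of UInt64.MaxValue is treated here as "no size limit set".
        $bounded = ($s.MaxSpace -gt 0) -and ($s.MaxSpace -ne [uint64]::MaxValue)
        $pct = if ($bounded) { [math]::Round(100 * [double]$s.UsedSpace / [double]$s.MaxSpace, 1) }
        [pscustomobject]@{
            Volume      = $name
            UsedGB      = [math]::Round($s.UsedSpace / 1GB, 2)
            AllocatedGB = [math]::Round($s.AllocatedSpace / 1GB, 2)
            Bounded     = $bounded
            UsedPercent = $pct
            Alert       = $bounded -and ($pct -ge $MaxUsedPercent)
        }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RegistryEntries  = $entryCount
        RegistryAlert    = $entryCount -ge $MaxRegistryEntries
        ShadowCopies     = $shadows.Count
        PersistentCopies = $persistent
        Storage          = $storage
    }
}

$report = Get-VssSnapshotPressure
$report | Format-List ComputerName, RegistryEntries, RegistryAlert, ShadowCopies, PersistentCopies
$report.Storage | Format-Table -AutoSize
```

A persistent copy count that keeps rising between runs, alongside a growing registry entry count, matches the behaviour described under Cause.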

Workaround

Disable SentinelOne VSS snapshots on protected servers by creating a group policy and adding the server to the non-VSS snapshot policy group. For more information, please contact the SOC at [email protected]
