SentinelOne VM Host VSS Standby Issue with Virtual Machines

Fortify for Endpoint Security

Issue

On VM hosts, if VSS snapshots are turned on for a drive that contains VMs, a guest can be put into a standby or paused state while a snapshot is taken. To resolve this problem, SentinelOne snapshots need to be disabled on the host.

Note: This will disable the ability to roll back at the host level. SentinelOne installs inside the guests are not affected: they can still perform snapshots and roll back.

Solution

Instructions for SentinelOne Agent Version 2.0.2.x and Older

To disable the snapshots on the host use the following steps:

  1. Request the host computer's SentinelOne passphrase from the Security support team ().
  2. Open a command prompt on the host computer as administrator with elevated permissions.
  3. Change directory to C:\Program Files\SentinelOne\Sentinel Agent X.X.X.XXXX (where X.X.X.XXXX represents the version number installed).
  4. Run the command: sentinelctl.exe unprotect -k "passphrase" (inside the quotes place the passphrase provided by the Security support team).
  5. Run the command: sentinelctl.exe configure -p agent.vssConfig.snapshotInterval -v 0
  6. Run the command: sentinelctl.exe configure agent.vssConfig.snapshotInterval (verify that snapshotInterval shows 0)

Once this is complete, SentinelOne will no longer take VSS snapshots on the host machine.

To re-enable the agent protection that the unprotect command turned off, run the following command on the host:

sentinelctl.exe protect

Instructions for SentinelOne Agent Version 2.1.1.6000 and Newer

To disable the snapshots on the host, follow these steps:

  1. Request the host computer's SentinelOne passphrase from the Security support team ().
  2. Open a command prompt on the host computer as administrator with elevated permissions.
  3. Change directory to C:\Program Files\SentinelOne\Sentinel Agent X.X.X.XXXX (where X.X.X.XXXX represents the version number installed).
  4. Run the command: sentinelctl.exe unprotect -k "passphrase" (inside the quotes place the passphrase provided by Security support).
  5. Run the command: sentinelctl.exe configure -p agent.snapshotIntervalMinutes -v 0
  6. Run the command: sentinelctl.exe configure agent.snapshotIntervalMinutes (verify that the command output is "0", indicating that it is disabled).
  7. Run the command: sentinelctl.exe configure -p agent.vssSnapshots -v false
  8. Run the command: sentinelctl.exe configure -p agent.vssConfig.vssProtection -v false

Once this is complete, SentinelOne will no longer take VSS snapshots on the host machine.

To re-enable the agent protection that the unprotect command turned off, run the following command on the host:

sentinelctl.exe protect
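
The steps for agent version 2.1.1.6000 and newer can be run as one PowerShell script that stops if the read-back in step 6 is not "0" and always runs sentinelctl.exe protect at the end, even when a step fails. This is an added example, not code from this article or from SentinelOne. It assumes that sentinelctl.exe signals failure with a non-zero exit code, that the read-back prints exactly "0", and that the highest-versioned agent folder is the installed one.

```powershell
#Requires -RunAsAdministrator
param(
    # Passphrase issued by the Security support team (step 1).
    [Parameter(Mandatory)] [securestring] $Passphrase
)
$ErrorActionPreference = 'Stop'

# Step 3: find the versioned agent folder. Choosing the highest version when
# several folders exist is an assumption of this example.
$agentDir = Get-ChildItem 'C:\Program Files\SentinelOne' -Directory -Filter 'Sentinel Agent *' |
    Sort-Object { [version]($_.Name -replace '^Sentinel Agent ', '') } -Descending |
    Select-Object -First 1
if (-not $agentDir) { throw 'No "Sentinel Agent X.X.X.XXXX" folder found.' }
$ctl = Join-Path $agentDir.FullName 'sentinelctl.exe'

function Invoke-Ctl([string[]] $CtlArgs) {
    # Assumption: sentinelctl.exe reports failure with a non-zero exit code.
    $out = & $ctl $CtlArgs
    if ($LASTEXITCODE -ne 0) {
        # Name only the subcommand so the passphrase never reaches a log.
        throw "sentinelctl.exe $($CtlArgs[0]) exited with code $LASTEXITCODE"
    }
    ($out | Out-String).Trim()
}

$plain = [System.Net.NetworkCredential]::new('', $Passphrase).Password
try {
    Invoke-Ctl 'unprotect', '-k', $plain | Out-Null                                          # step 4
    Invoke-Ctl 'configure', '-p', 'agent.snapshotIntervalMinutes', '-v', '0' | Out-Null      # step 5

    # Step 6: read the value back. Per the steps above the output is "0";
    # anything else stops the run before the remaining settings are changed.
    $interval = Invoke-Ctl 'configure', 'agent.snapshotIntervalMinutes'
    if ($interval -ne '0') { throw "snapshotIntervalMinutes reads '$interval', expected '0'" }

    Invoke-Ctl 'configure', '-p', 'agent.vssSnapshots', '-v', 'false' | Out-Null             # step 7
    Invoke-Ctl 'configure', '-p', 'agent.vssConfig.vssProtection', '-v', 'false' | Out-Null  # step 8
    'VSS snapshots disabled on host; rollback at the host level is no longer available.'
}
finally {
    # Runs even when a step above fails, so the agent is never left unprotected.
    $plain = $null
    Invoke-Ctl 'protect' | Out-Null
}
```

Taking the passphrase as a SecureString parameter means PowerShell prompts for it with masked input, so it does not land in the console history.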
