Uninstalling Agents from the CLI

Overview

For Windows and macOS Agents, if Anti-Tampering is enabled, a passphrase is required to uninstall an Agent from the CLI. Note that these steps should only be attempted when uninstallation via the SentinelOne console is unsuccessful or unavailable.

Note: If you are unable to uninstall the Agent with the steps in this article, please contact the SOC via phone or at

To uninstall an Agent with CLI:

  1. Save or copy the passphrase.
  2. Log in to the endpoint with the required permissions: sudo for macOS, root or sudo for Linux, Administrator for Windows.
  3. Run the commands appropriate for the operating system as demonstrated below (and for Linux, for the distribution).
  4. Reboot the endpoint.

Note: To make sure that all remnants of the Agent are removed, reboot the endpoint after uninstallation.

To uninstall a local macOS Agent with CLI:

Use the passphrase in a terminal app to unprotect and then uninstall the Agent:

$ sudo sentinelctl unprotect --passphrase "passphrase"

===Sentinel protection has been disabled

$ sudo sentinelctl uninstall --local

To uninstall the Linux Agent version 3.x with the sentinelctl CLI:

With root permissions:

sudo /opt/sentinelone/bin/sentinelctl control uninstall --passphrase "string"

To uninstall the Linux Agent version 3.x with Linux commands:

Note: We highly recommend that you run these commands only with SOC assistance, and only if the sentinelctl command (and reboot) do not successfully uninstall the Agent.

Ubuntu:

1)  service sentineld stop

2)  chkconfig --del sentineld

3)  rm -f /etc/init.d/sentineld

4)  umount /opt/sentinelone/mount

5)  rm -rf /opt/sentinelone

6)  sudo rm /usr/local/sentinelctl

7)  userdel sentinelone

8)  rm /var/lib/dpkg/info/sentinelagent.*

9)  dpkg --purge --force-all sentinelagent

Red Hat, CentOS, SuSE, Fedora:

1)  service sentineld stop

2)  chkconfig --del sentineld

3)  rm -f /etc/init.d/sentineld

4)  umount /opt/sentinelone/mount

5)  sudo rm /usr/local/sentinelctl

6)  rm -rf /opt/sentinelone

7)  userdel sentinelone

8)  sudo rpm -ev --noscripts SentinelAgent

To uninstall a local Linux Agent version 2.6 with CLI:

Local Linux Agent on AMI, CentOS, OEL, or RHEL:

$ sudo rpm -e sentinelagent

Local Linux Agent on Ubuntu:

$ dpkg -r sentinelagent

To uninstall a Windows Agent EXE package silently with CLI:

Uninstall with Administrator permissions:

From the Windows cmd, run:

> cd "C:\Program Files\SentinelOne\Sentinel Agent <version>"

> uninstall.exe /norestart /uninstall /q /k "<passphrase>"

On success, there is no output. When uninstallation is done, the prompt returns. After a few seconds, the taskbar icon is removed.


To send a Windows Agent uninstall request to an Admin:

Send uninstall request to administrator:

From the Windows cmd, run:

> cd "C:\Program Files\SentinelOne\Sentinel Agent <version>"

> uninstall.exe /norestart /q

On success, the output is:

> Error: You are not authorized to perform this operation. A notification was sent to the system administrator. Please contact your system administrator for details.

An uninstall request is sent to the Management Console.


Management Console:

Review the Global Default Policy

The Global Default Policy is the set of mitigation and configuration settings that defines the behavior of SentinelOne agents on endpoints. All sites inherit the Global Default Policy when the site is created. Refer to the table below for the Global Default Policy settings.

Important: Continuum strongly recommends that you keep the default policy settings in place for all endpoints, as modifying these settings could impact performance and/or potentially invalidate SentinelOne's Ransomware Warranty.

If you feel you must make changes to the default policy, contact the SOC ()  to review and discuss potential policy changes with a SOC technician before applying policy edits to endpoints under management.

Global Default Policy Settings

Policy Modes | Default Setting | Description
Threats | Protect (Kill & Quarantine) | Automatically kills and quarantines malware and sends Mitigated Threat alerts.
Suspicious | Protect (Kill & Quarantine) | Automatically kills and quarantines files and sends Mitigated Threat alerts.
Protect Level | Kill & Quarantine |

Policy Engine | Default Setting | Description
Reputation | On | An engine that uses the SentinelOne Cloud to make sure that no known malicious files are written to the disk or executed. This cannot be disabled.
DFI (Deep File Inspection) | On | A preventive Static AI engine that scans for malicious files written to the disk.
DFI – Suspicious | Off | A more aggressive Static AI engine that scans for suspicious files written to the disk. When in Protect mode, this engine is preventive.
DBT – Executables (Dynamic Behavioral Tracking) | On | A Behavioral AI engine that implements advanced machine learning tools. This engine detects malicious activities in real time, when processes execute.
Documents, Scripts | On | A Behavioral AI engine, focused on all types of documents and scripts.
Lateral Movement | On | A Behavioral AI engine that detects attacks initiated by remote devices.
Anti Exploitation / Fileless | On | A Behavioral AI engine, focused on exploits and all fileless attack attempts, such as web-related and command line exploits.
Potentially unwanted applications | On | A Static AI engine on macOS devices that inspects applications that are not malicious, but are considered unsuitable for business networks.
Intrusion Detection | On | Focuses on insider threats, such as malicious activity through PowerShell or CMD.

More Options

Category | Setting | Default Setting | Description
Containment | Disconnect from network | Off | Upon detection, block all of the agent's network connections except the link to the Management Console.
Advanced | Agent notification on suspicious | Off | Open alerts on endpoint computers for detections.
Advanced | Auto decommission after 21 days | Off | Remove agents from the Management Console after x days of no communication.
Agent Configuration | Scan New Agents | Off | Run Full Disk Scan after installation.
Agent Configuration | Anti Tamper | On | Do not allow end users or malware to manipulate, uninstall, or disable the agent.
Agent Configuration | Agent UI | On | Show agent tray icon, application, and notifications. If disabled, there is no trace of the agent for the end user.
Agent Configuration | Snapshots | On | Set Windows agents to keep VSS snapshots for Rollback.
Agent Configuration | Logging | On | Save logs for troubleshooting and support. If disabled, you can free some disk space.

Policy Engine Support by OS

Note that not all policy engines are supported for each supported operating system. You can assign a policy to a group of agents with mixed operating systems. There is no impact (and no message), if engines that some of the agents cannot use are enabled.

Name | Windows | macOS | Linux
Reputation
DFI (Deep File Inspection)
DFI – Suspicious
DBT – Executables
Documents, Scripts
Lateral Movement
Anti Exploitation / Fileless
Potentially unwanted applications
Intrusion detection (Advanced Mode)

Creating and Using Filters

Filters are used to find endpoints that match specific criteria. With filters, you can:

  • Use the filtered results to run actions on matching agents.
  • Create a Dynamic group based on the filters (when one site is selected). (Note: Continuum recommends creating Static groups for optimal performance).
  • Save the filters as a Filter Set (when one site is selected).

Filter examples

  • Filter for infected endpoints, to isolate them and mitigate issues.
  • A filter for agents that have pending actions.
  • A filter to track compliance and OS upgrades for endpoints of an operating system.

How to Create a Filter

  1. In the SentinelOne Console, select Network from the left-navigation menu.
  2. In the Network view, click Select filters.


The filtering categories and sub-categories will display. The number next to a sub-category indicates the number of matched endpoints.


  3. Click on a sub-category to add it to the filter. Category tiles appear in the filter bar as you make selections, so you can easily view the filter contents. Click on a tile to remove it from the filter.
  4. To use the filter results:
    • Select one or more endpoints from the results, click Actions, and select an action from the menu.
    • To save a filter set, click Save New Set.
    • To create a Dynamic group based on the filter results, follow these steps:
      1. Click the Group button and select New Group.
      2. In the Add New Group wizard, name the group.
      3. For Group Type, select Dynamic Group.
      4. Select Save and use the current query and name the filter set.


These filter categories cannot be used if you create filters to make a Dynamic group:

  • Network status
  • Pending uninstall
  • Pending actions
  • Update status
  • Scan status
  • Management connectivity
  • Health status
  • Group
  • Last online

Creating and Managing Exclusions

Agents sometimes mark benign items as potential threats. You can configure Exclusions to make your agents suppress alerts and mitigation for these items.

Important: Take care to set up exclusions correctly and accurately. Setting exclusions incorrectly can expose systems to risk.

Important: Some exclusions are not recommended by SentinelOne as they may incur security risks and will invalidate your SentinelOne Ransomware Warranty. See for a list of not recommended exclusions.

Exclusion Hierarchy

  • Sites can have their own exclusions.
  • Groups use the site exclusions, but can also have their own exclusions.

Exclusion Types

The following types of exclusions can be created:

  • Hash
  • Path
  • Certificate signer
  • File type
  • Browser

Creating Exclusions

Exclusions can be created at two scopes: Site and Group.

When you create exclusions manually or from the Analyze view, the exclusion scope is based on the view that is active (Site or Group) when the exclusion is created:

  • If you are in a Site view when you create the exclusion, it applies to the entire Site.
  • If you are in a Group view when you create the exclusion, it applies to that specific Group.

How to add an exclusion automatically after threat analysis

  1. In the SentinelOne Management Console, select Analyze.


  2. Click a threat from the Dashboard, or the Analyze view. The Analysis Details window opens.
  3. Click on the More widget (upper-right corner, directly beneath the user name displayed in the Console) and select Mark as benign.


  4. In the resulting window, select the type of exclusion to create. If you select Check to apply to similar threats, all threats with the same hash are marked as benign.


  5. Click Save.

Insight Reports

Insight reports let you view high-level and detailed information on the state of your endpoint security. Reports include statistics, trends, and summaries and contain easy-to-read and actionable information about your network. You can view reports in the Management Console and automatically send them by email to the addresses you enter.

Insight report types include:

  • Executive Insights
  • Executive Insights by Group
  • Threat Insights
  • Mitigation and Response Insights
  • Application Insights

Report Scope

The scope of the report is based on the Management Console view you are in when you create the report.

  • If you are in one Site, the scope of the report is that Site.
  • If you are an Admin of multiple Sites in the All Sites view, reports that you create include cumulative information for all Sites in your scope.
  • If you select a report for a specific group (for example, Executive Insights by Group), a field displays to enter the Group Name.

How to Create an Insight Report

  1. In the SentinelOne Management Console, select Reports in the left navigation menu.


  2. In Reports, click New Report Task. The New Report Task window opens.
  3. In Report name, enter a name for the report.
  4. In Report content, select the report type.
  5. If the report is for a specific entity in the Management Console, you are prompted to enter the required information. For example, if you select Executive Insights by Group, you must enter the Group Name, as shown in the Management Console.
  6. For Frequency, select whether the report should be generated One time or on a Scheduled basis.


  7. For Interval, select the time period for report data.
    • For a One-time report:
      1. Select Last 30 Days, to create a report that includes information for the preceding 30 days.
      2. Select Manual to pick a date range from the calendar.
    • For a Scheduled report:
      1. Select Weekly to run reports on a specific day of the week. For example, if you select a Weekly report to generate on Tuesday, a report will be created on the next Tuesday, and then every Tuesday from that point on.
      2. Select First of every month if you want the report to be generated on the first day of the next month and each month afterwards.

Note that future dates cannot be selected.

  8. Click Next.
  9. Optional: In Recipients, enter one or more email addresses to get the report. Separate addresses with a comma.

Note: To configure email recipients, SMTP must be configured in Settings → Integrations. Recipients do not require SentinelOne Management Console privileges.

  10. In Report format, select the report files that the email recipients will receive: PDF, HTML, or both. Both file types are available when you view reports from the Management Console.
  11. Click Create.

Veeam Backup Workaround

Issue

VMware Veeam Backup & Replication v9.5 fails to make scheduled backups on endpoints with the SentinelOne agent installed.

Cause

SentinelOne agent version 2.0 introduced protection enhancements that are incompatible with Veeam default functionality.

Workaround

  1. Make sure the backup operation actually fails.
  2. On the endpoint on which the backup is failing, open CMD as Admin.
  3. If the VM is configured such that:
    • vSphere > Enable VMware Tools quiescence is selected
    • and Enable application-aware image processing is not selected

set the following agent configuration setting:

vssConfig.vssProtection: false

  4. If Enable application-aware image processing is selected, go to

C:\Program Files\SentinelOne\SentinelOne 2.*\

and run:

sentinelctl config agent.safeBootProtection false -k "PASSPHRASE"

Follow Up

Be careful with this fix as it disables some protections. Make sure you run this only on endpoints that must have backups by Veeam.

SentinelOne is working on a permanent fix for future releases of the agent.

Emotet Incident Response Steps

Every cyber attack is different, and the actual steps taken to protect the confidentiality, integrity, and availability of business data are critical to the survival of a business after an attack. This checklist is provided as a reference only and incorporates direction and advice for Managed Service Providers who are called into a cyber attack situation. Continuum accepts no legal liability, in any circumstances, for how you choose to implement your specific Incident Response and the suggestions provided herein.

Preparation Steps for Any Incident Response Scenario

  • Have the affected business contact their insurance company (If they choose not to do this and later want to make a claim, the insurance company may reject it). They will guide you on their requirements. Their requirements take precedence. Certain steps may need to be taken to protect forensic data. You never want to place yourself between your customer and their ability to collect an insurance claim.
  • Check the affected business’s Business Continuity/Disaster/Cyber Recovery Plan. There may be specific requirements mandated by policy or the business owners.
  • If applicable, have the client acknowledge, either in writing or via email, that the infection occurred prior to your arrival onsite and that you were not the cause of this infection.
  • Backup everything, even the encrypted or infected computers, to have a recovery path if the containment or remediation steps destroy data. Test your backups and if you can, make a manual set and store them off the network. (This may also be required by the business insurance company for a claim)
  • Run an NMAP scan or similar tool like RapidFire from the internet looking for any unusual protocols or services that shouldn’t be open. If you don’t know how, please send ALL public IP addresses back to us in the ticket and we’ll check for you.
  • Deny all international traffic in the firewall. (Make sure to exempt any countries currently used by the customer’s vendors, e.g. Ireland, as Microsoft O365 runs there.)
  • Deny all inbound traffic across RDP (port 3389/tcp by default) or other remote access tools to the client site. If necessary, enable VPN access first prior to establishing a remote session, regardless of the protocol used in this context. You may need to unplug the internet at this time temporarily until you have regained control of the network.
  • Check all security and system logs for any unusual activity. Take special note if any logs have been deleted.
  • Check for stolen credentials for sale on the Dark Web. (Note: This is a service provided by Continuum)
  • Check local and domain accounts for any unexpected changes or creations. Remove or disable any old accounts and verify ones created recently as being expected.

DO NOT DELETE THE “KRBTGT” ACCOUNT. This will be addressed below.

Containment:

  1. Before starting these steps, ensure that all endpoints at the site(s) are covered with the Fortify for Endpoint Security agent.
    • The agent should be at the current GA build. Do not reboot any endpoints in this step.
    • Isolate all known infected endpoints using the “Disconnect from Network” command in the SentinelOne Management Console.
    • If international traffic cannot be contained logically in your networking equipment, temporarily remove the default gateway IP address from your DNS configuration. This will stop lateral movement, but it will also drop all ingress and egress traffic bound for external IPs.
  2. Disable Autorun on all systems on the network using a Group Policy Object (GPO) in Windows.
    • For GPO, read: How to disable the Autorun functionality in Windows
    • To disable Autorun yourself on operating systems that do not include Gpedit.msc, follow these steps:
      • Click Start, click Run, type regedit in the Open box, and then click OK.
      • Locate and then click the following entry in the registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutorun
      • Right-click NoDriveTypeAutoRun, and then click Modify.
      • In the Value data box, type 0xFF to disable all types of drives. Or, to selectively disable specific drives, use a different value as described in the "How to selectively disable specific Autorun features" section.
      • Click OK, and then exit Registry Editor.
      • A restart is required for these changes to take effect, but DO NOT REBOOT the endpoint at this time.

Note: It is strongly recommended to disable the Autorun feature using Group Policy from the Domain Controller, if applicable.

  3. Disable Windows Task Scheduler on all systems on the network.
    • For more information, read: How to prevent a user from running Task Scheduler in Windows
    • Log on as Administrator to the computer where you want to modify the registry settings.
    • Click Start, and then click Run.
    • In the Open box, type regedit, and then click OK.
    • In Registry Editor, locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler5.0
    • In the details pane, follow these steps:
      • Right-click DragAndDrop, and then click Modify. In the Edit DWORD Value dialog box, type 1, and then click OK.
      • Right-click Execution, and then click Modify. In the Edit DWORD Value dialog box, type 1, and then click OK.
      • Right-click Task Creation, and then click Modify. In the Edit DWORD Value dialog box, type 1, and then click OK.
      • Right-click Task Deletion, and then click Modify. In the Edit DWORD Value dialog box, type 1, and then click OK.
    • On the File menu of Registry Editor, click Exit.

Note: It is strongly recommended to disable the Windows Task Scheduler using Group Policy from the Domain Controller, if applicable.

Note: The URL below contains a script that can be used to search for scheduled tasks or startup items:

https://www.dropbox.com/s/rc3se6pzzerax4b/List_tasks.zip?dl=1

Extract and run this from an AD server (after it has been cleaned) and inspect the results, looking for any unusual items that you would not expect to be scheduled to run.

To obtain a list of running scheduled tasks on the fly, in CSV format for a single endpoint, run the following commands:
    • First, change to a directory where you want to place the output file.
    • Run the following command as an admin: schtasks /query /v /fo CSV > tasks.csv

  4. Patch all systems with the latest Security Patches for the appropriate operating system.
  5. Once the containment items have been completed and a best effort has been made to confirm that all external parties are out of the network, reset all passwords to a default password, then share that new password verbally around the affected site(s) so they can reset their passwords. Do not use email to communicate this, as it could be compromised by the attacker, allowing the attacker back into the system.
  6. Moreover, force all users (including administrative and service account users) to change from the new temporary password you set. If you simply force password changes without setting a temporary password in advance, there is a high probability that the threat actor will successfully reset their compromised credentials and maintain persistent access to the network, and even launch additional attacks.
  7. If you are working within an Active Directory environment, it is critical that the “KRBTGT” account password is reset. This has to be performed twice in order to successfully clear the old password, since this account keeps a history of two passwords.

NOTE: DO NOT DELETE THE “KRBTGT” ACCOUNT. It is critical for the functionality of Kerberos authentication.

Every Active Directory domain controller is responsible for handling Kerberos ticket requests, which are used to authenticate users and grant them access to computers and applications. The KRBTGT account is used to encrypt and sign all Kerberos tickets within a domain, and domain controllers use the account password to decrypt Kerberos tickets for validation. This account password never changes, and the account name is the same in every domain, so it is a well-known target for attackers. See the following Microsoft Documentation for instructions to reset the “KRBTGT” account: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password

To reset the krbtgt password:
    – Click [Start], point to [Control Panel], point to [Administrative Tools], and then click [Active Directory Users and Computers].
    – Click [View], and then click [Advanced Features].
    – In the console tree, double-click the domain container, and then click [Users].
    – In the details pane, right-click the krbtgt user account, and then click [Reset Password].
    – In [New password], type a new password, retype the password in [Confirm password], and then click [OK]. The password that you specify is not significant, because the system will generate a strong password automatically, independent of the password that you specify.

  8. Reboot each server, one server at a time, clean it, and if it is not a required server, shut it down until you have completed clean-up of the network. Note: If applicable, it is strongly recommended to clean all domain controllers FIRST (possibly in safe mode) of the infection.
  9. Reboot each workstation, one workstation at a time (off the network), and clean as needed. Reboot several times, looking for a return of the infection. See the Note above for additional steps or items to check, either by script or manually if it is a small site.
  10. Check your backups again. You can never have enough good backups.
  11. Notify the Continuum SOC when you get through these steps.
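Added example, not part of the original article and not a Continuum or SentinelOne tool: a Python triage pass over the tasks.csv produced by the schtasks command in the containment steps, flagging entries that deserve a closer look. It assumes the column names of the schtasks /fo CSV export (trimmed to the ones needed); the sample rows and the heuristics (user-writable paths, script hosts with hidden or encoded arguments, non-Microsoft tasks running as SYSTEM outside Windows and Program Files) are constructed for this example and will need tuning per site.

```python
"""Triage a `schtasks /query /v /fo CSV` export for unusual scheduled tasks.

Added example, not from the original article. The column names follow the
schtasks CSV export (trimmed to the ones needed); the sample rows and the
heuristics are constructed for this example and will need tuning per site.
"""
import csv
import io
import re

# Tasks launched from locations an ordinary user (or malware) can write to.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|programdata|windows\\temp|temp|tmp|public|downloads)\\",
    re.IGNORECASE,
)
# Script hosts and living-off-the-land binaries commonly used for persistence.
SCRIPT_HOSTS = re.compile(
    r"\b(?:powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin)(?:\.exe)?\b",
    re.IGNORECASE,
)
# Arguments that hide the window, bypass policy, or pull content from the network.
SUSPICIOUS_ARGS = re.compile(
    r"(?:-enc|-encodedcommand|-w(?:indowstyle)?\s+hidden|-nop|bypass|downloadstring|https?://|\.js\b|\.vbs\b|\.hta\b)",
    re.IGNORECASE,
)
# Locations where SYSTEM tasks belonging to legitimate third-party software normally live.
TRUSTED_DIRS = re.compile(r'^"?(?:%windir%|%systemroot%|c:\\windows\\|c:\\program files)', re.IGNORECASE)


def triage_task(row):
    """Return the reasons a single task row looks unusual (empty list if none)."""
    cmd = row.get("Task To Run") or ""
    author = row.get("Author") or ""
    run_as = (row.get("Run As User") or "").strip().upper()
    reasons = []
    if USER_WRITABLE.search(cmd):
        reasons.append("runs from user-writable/temp path")
    if SCRIPT_HOSTS.search(cmd) and SUSPICIOUS_ARGS.search(cmd):
        reasons.append("script host / LOLBin with suspicious arguments")
    if ("microsoft" not in author.lower()
            and run_as in ("SYSTEM", "NT AUTHORITY\\SYSTEM")
            and not TRUSTED_DIRS.match(cmd)):
        reasons.append("non-Microsoft author running as SYSTEM outside Windows/Program Files")
    return reasons


def triage_csv(text):
    """Parse schtasks CSV text and return {TaskName: [reasons]} for flagged tasks only."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row.get("TaskName") or ""
        # schtasks /v repeats the header line per task folder; skip those echoes.
        if name in ("", "TaskName"):
            continue
        reasons = triage_task(row)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample export (trimmed columns) so the script runs offline.
SAMPLE_CSV = '''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM"
"HostName","TaskName","Status","Author","Task To Run","Run As User"
"WS01","\\Updater","Ready","WS01\\jdoe","C:\\Users\\jdoe\\AppData\\Roaming\\svc\\upd.exe","jdoe"
"WS01","\\SysHealth","Ready","WS01\\jdoe","powershell.exe -nop -w hidden -enc <base64 placeholder>","SYSTEM"
"WS01","\\Backup","Ready","Acme Backup","C:\\Program Files\\Acme\\backup.exe /daily","SYSTEM"
'''

if __name__ == "__main__":
    # On a real endpoint: run the schtasks command, then triage_csv(open("tasks.csv").read()).
    for task, why in triage_csv(SAMPLE_CSV).items():
        print(f"{task}: {'; '.join(why)}")
```

Flagged tasks are leads for manual inspection, not verdicts; the legitimate Defrag and Acme Backup rows in the sample pass untouched while the AppData and hidden PowerShell tasks are surfaced.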

Recovery:

If any endpoints are determined to be compromised beyond practical manual repair, restore from clean backups. If reloading the device becomes necessary in your judgment upon inspection, reload the device at your discretion.

If clean backups do not exist, Continuum DOES NOT advise our partners or their clients as to if they should pay a ransom. That decision is entirely up to the insurance company and the data owners.

Scan all endpoints on the affected site one additional time with SentinelOne, or with another updated security scanning engine of your choosing.

Once the network is back online, run a NEW backup job and backup all critical data BEFORE allowing users back onto the network. We understand this may be time consuming – but we also know the significant effort that is required to recover if the site is infected a second time. Inspect your backups to ensure that all of them are clean of any malicious threats if they are to be used in a production restore scenario going forward.

Debrief:

Review and document the entire incident.

Debrief with the client and implement a security plan designed for their budget that will help defend against this type of attack in the future.
