Frustration about SentinelOne - Blocking without notification

Posted by ITStril@reddit | sysadmin | View on Reddit | 19 comments

Hi! I am using SentinelOne now for some years. It is clear to me, that every security-tool has got a false-positive rate and sometimes, whitelistings are the way to go.  **The thing with S1 is, that things are getting blocked without ANY notification! After an update, some third party app does not start anymore. The answer of the S1-support-team: "You need an exclusion".**  So, it's always a problem to know, if it is a regular IT-problem, or if S1 does one more time block something without telling it to me.  How do you handle this? Is crowdstrike an option, that does not work like that?  Thank you for your thoughts ITStril

Reply to Post

19 Comments

[-]

hiddenmaces@reddit

Afaik, this happens when the app is failing because of the s1 injection in the process. In DV you can see the process starting but then you see werfault.exe is immediatly starting after that. If that is the case, you should put an exclusion on that specific process.

[-]

s3cguru@reddit

Look for Event ID 1000 in the Application Event Log channel in Zevent Viewer that makes reference to InProcessClient_unloaded or other variations like InProcessClient*. In some cases applications don't like the SentinelOne driver getting injected in to their memory and will silently crash (not blocked by S1)

[-]

NameEnvironmental358@reddit

S1 Firewall blocked a couple of our applications from functioning correctly. Took a while to troubleshoot since well, it doesn’t log anywhere that it blocked anything.

[-]

981flacht6@reddit

I don't have a lot of clients on S1 so I don't know how good it is but so far I've found it catch some good stuff based on behavioral traits and some potential PUPS and things like that. I always get emailed immediately when it happens. I setup weekly reports as well so I can review them. You should also be seeing what is getting blocked in your dashboard. What release are you on? 22-23 GA?

[-]

ITStril@reddit (OP)

I am just testing the first agents with v23.2 GA. For the last issues, the dashboard and reports did not show anything.

[-]

981flacht6@reddit

Interesting. Do you have Singularity XDR through the Visibility tab where you can see all events through your environment and endpoint data collected? I would imagine you might see something in there if S1 is actually blocking something but isn't being flagged at an alert level.

[-]

ITStril@reddit (OP)

>Interesting. Do you have Singularity XDR through the Visibility tab where you can see all events through your environment and endpoint data collected? I would imagine you might see something in there if S1 is actually blocking something but isn't being flagged at an alert level. Yes, I am using "Complete", but there was nothing like an alert for the affected app.

[-]

981flacht6@reddit

But you're not seeing all of the actions being taken on the endpoint for the software whether it was executed or not? I would have to imagine that if S1 actually blocked it, it would be in the timeline for what happens on the individual endpoint. How else would you even know how to make a confident exclusion? That's what I always looked for when making exclusions in other products.

[-]

nitroman89@reddit

From what I've seen S1 barely ever alerts a user unless it's really bad. Usually, we get alerts on the dashboard and email. BeyondTrust would always get flagged so we had to exclude by hash otherwise file path can work.

[-]

ITStril@reddit (OP)

I did not see any alerts or notifications in the dashboard. The apps did just stop to work

[-]

Aegisnir@reddit

That’s not normal. Your dashboard should report all detections. Contact support and tell them the agent is detecting threats and not reporting them on the dashboard. That is a big problem.

[-]

ITStril@reddit (OP)

The dashboard is showing every detection, the agents are showing, but not, if processes are just "not working".

[-]

Aegisnir@reddit

Well if a process is simply not working, there should be a crash event in the logs right? Are you looking at the xdr?

[-]

MrYiff@reddit

What could be happening is that the app isn't getting blocked explicitly, which is why you don't see any alerts for it, but rather S1 is injecting/inspecting the app (iirc it will do this sort of thing for things like .NET apps), and the app is then not handling this well for some reason and silently crashing/failing to launch. When you create an exclusion in S1 you don't have to disable all scanning for that app, if you create a Path exclusion type you can try initially to just disable some of the more aggressive detection methods by selecting one of the advanced Interoperability options, this way you aren't turning off detection entirely, just tweaking some settings: https://i.imgur.com/aIt1mz6.png

[-]

sodiumbromium@reddit

I was going to say this. I've seen issues where cylance and s1s dll injection for memory monitoring will cause an app to crash, but from the users perspective it appears that it has been blocked. The apps that do this most frequently are older apps (think xp or older), vb apps (not vb.net) and older .net apps.

[-]

cptNarnia@reddit

Another user mentioned its not technically blocking or stopping but rather the inspection process breaking the software. We’ve seen this with SPSS for example https://www.ibm.com/mysupport/s/defect/aCI3p000000bn2yGAA/dt208153?language=en_US

[-]

LucyEmerald@reddit

In alot of occasions you need to understand how the software being blocked is designed to troubleshoot this. In particular more often then not the EDR components are not strictly blocking the software but instead the mechanisms (hooks, drivers, elam service, mini filter, static scanner) are interfering with the execution of the softwares instructions say for example the interference causes delay and an error is returned or a resource is held up that the software expects to have. Generally poor software design is to blame as developers write incredibly poor code very often. Within SentinelOne there are levels that enable you to gradually lower the amount of mechanisms that interact with a given system artefact Iterate through each one until you find the minimum level that returns normal functionality. Otherwise as a customer of SentinelOne request support from them.

[-]

littlePosh_@reddit

All EDR+NGAV do this. All of them.

[-]

DankNanky@reddit

You can use the Insite tool for dashboards. By default, there’s logging options with verbosity. You can also change the default behaviour of a group to be less or more aggressive. I often find on my small fleet (6,500) that it’s a static file or entry that gets flagged. It’s easy to locate via Insight and happens maybe once a fortnight at most.