How does SentinelOne work with x360Recover?
SentinelOne is a popular antivirus platform which is effective against both existing and newly-released malware. It offers file rollback for recovery, using Microsoft's Volume Shadow copy Services (VSS) to provide ransomware remediation.
- Both x360Recover and SentinelOne rely on VSS services to perform their functions.
However, SentinelOne takes a heightened security stance against other processes interacting with VSS. It may even block the x360Recover agent from deleting snapshots after a backup.
NOTE: It essential to keep enough free space on your protected system volumes to accommodate shadow storage snapshots for both SentinelOne and x360Recover.
Systems with limited free space will compromise both SentinelOne’s ability to provide ransomware remediation and x360Recover’s ability to provide backup and disaster recovery.
Improve interoperability of SentinelOne with x360Recover by
- Configuring SentinelOne to work with x360Recover
- Cleaning up the system
- Understanding snapshot storage limits
The following instructions will help in this process:
Configure SentinelOne to work with x360Recover
STEP 1. Add an exception for Axcient products in SentinelOne
Signing a certificate is the simplest way to add an exclusion for Axcient products to SentinelOne.
STEP 2. Add a path exclusion for the x360Recover agent installation folder, typically found at C:\Program Files (x86)\Replibit) in Performance Focus – Extended mode.
Clean up the system
If shadow copy storage has become messy because SentinelOne was not allowing x360Recover to delete snapshots, perform the following steps to recover storage space:
STEP 1. Temporarily disable SentinelOne’s VSS rollback.
Sentinelctl.exe configure -p agent.snapshotIntervalMinute-v 0
STEP 2. Delete all the snapshots on the system to free storage space.
- Open an administrator-elevated command prompt
- Navigate to the x360Recover Agent installation folder, which is typically
- C:\Program Files(x86)\Replibit)
- Answer Y when prompted to delete all shadow copies in the system
STEP 3. Re-enable SentinelOne VSS rollback
Sentinelctl.exe configure -p agent.snapshotIntervalMinute-v 240
Note: You can set any minute interval you prefer for snapshot creation. The default is four hours. Please note that more frequent snapshots will require more free disk space on the system.
Understand snapshot storage limits
When a limit is set, Windows automatically deletes the oldest snapshot when the limit is exceeded. (This is necessary to avoid completely filling the volume.)
The number of previous snapshots retained for VSS rollbacks depends on:
- the amount of space available/allocated for shadow storage
- the rate of change of files on the system
From SentinelOne’s perspective, nearly any shadow storage limit is acceptable - as long as the system can create several snapshots before reaching that limit. Since SentinelOne is only interested in creating historical recovery points and since SentinelOne is actively using the snapshots on an ongoing basis, it doesn’t matter when Windows eventually comes along and deletes the snapshot to recover shadow storage space.
However, from the x360Recover agent perspective, there must be sufficient shadow storage space available on the system so Windows does not delete our snapshot before we’ve completed taking a backup.
Ongoing incremental backups typically only take a few minutes to complete but the initial full backup of a system might take hours (or even days, for Direct-to-Cloud (D2C)systems.)
If the system does not have a substantial amount of free space on every disk volume available for use by shadow storage, it may be necessary to
- increase shadow storage limits
- relocate shadow storage to another volume with more free space
- alter SentinelOne to take VSS rollback snapshots less frequently
- temporarily disable VSS rollback entirely until the initial full backup is completed
- How to configure Microsoft Volume Shadow copy Service (VSS)
- Need details on excluding your backup agent from other antivirus scans? Please refer to Exclude an agent from antivirus scans
SUPPORT | 720-204-4500 | 800-352-0248
1284 | 1338