Use SentinelOne with x360Recover


Written By Tami Sutcliffe (Super Administrator)

Updated at November 4th, 2022

How does SentinelOne work with x360Recover?

SentinelOne is a popular antivirus platform that is effective against both existing and newly released malware. It offers file rollback for recovery, using Microsoft's Volume Shadow Copy Service (VSS) to provide ransomware remediation.

  • Both x360Recover and SentinelOne rely on VSS services to perform their functions.

However, SentinelOne takes a heightened security stance against other processes interacting with VSS. It may even block the x360Recover agent from deleting snapshots after a backup. 

NOTE: It is essential to keep enough free space on your protected system volumes to accommodate shadow storage snapshots for both SentinelOne and x360Recover.

Systems with limited free space will compromise both SentinelOne’s ability to provide ransomware remediation and x360Recover’s ability to provide backup and disaster recovery.


Improve interoperability of SentinelOne with x360Recover by

  • Configuring SentinelOne to work with x360Recover
  • Cleaning up the system
  • Understanding snapshot storage limits

The following instructions will help in this process:


Configure SentinelOne to work with x360Recover 

STEP 1. Add an exception for Axcient products in SentinelOne

Unlike traditional antivirus engines, SentinelOne is purely heuristics-based. (Instead of relying on pattern-matching bits of code against a dictionary of known viruses, SentinelOne uses algorithms to monitor the behavior of applications and classifies them as suspicious based on what they are attempting to do.)

Unfortunately, while this method can be highly effective in identifying new ‘unknown’ malware, it also has a tendency to generate false positive hits on some types of trusted software.  

  • By design, SentinelOne typically requires explicit allow listing of some types of applications.
  • Backup agents, by their nature, have elevated security permissions. They perform sensitive operations that can easily be flagged by such heuristic detection mechanisms. 
  • The x360Recover agent is one such item that requires specific allow listing.

Excluding by signer certificate is the simplest way to add an exclusion for Axcient products to SentinelOne.

How to add a signer certificate exclusion for Axcient products in SentinelOne

All Axcient products are signed by our extended validation code signing certificate in the name of EFOLDER, INC.


Note: This exclusion is effective for x360Recover agents, Recovery Center, and Axcient DirectRestore. (All are signed by the same Axcient code signing certificate.)

To create a SentinelOne exclusion, perform the following steps:


1. On the SentinelOne side navigation, click Scope and select a scope.

2. Click Sentinels from the side navigation and then click Exclusions from the top navigation.

3. Click Signer Identity and then click New Exclusion.


4. In the OS field, select Windows and then in the Certificate ID field enter EFOLDER, INC.


5. Click on either Save to complete this addition or click Save and Add Another to continue with additional changes.


STEP 2. Add a path exclusion for the x360Recover agent installation folder (typically found at C:\Program Files (x86)\Replibit) in Performance Focus – Extended mode.
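A signer exclusion and a path exclusion both widen what the endpoint agent trusts, so it is worth checking what they will actually cover. The following is an added example, not Axcient or SentinelOne code: it lists files in the agent folder that are not validly signed by the expected signer and identities other than administrators that can write to the folder. The folder path and signer name come from this article; the list of trusted identities assumes English-language Windows account names.

```powershell
# Added example: audit what the signer and path exclusions will trust.
# Run in an elevated PowerShell session on the protected system.
$AgentDir       = 'C:\Program Files (x86)\Replibit'   # typical path from this article
$ExpectedSigner = 'EFOLDER, INC'                      # signer name from this article

# 1. Executables in the excluded folder that lack a valid signature naming the
#    expected signer (case-insensitive substring match on the certificate subject).
#    These are covered by the path exclusion only, so review each one.
$files = Get-ChildItem -Path $AgentDir -Recurse -File -Include *.exe, *.dll, *.sys
$unexpected = foreach ($f in $files) {
    $sig     = Get-AuthenticodeSignature -FilePath $f.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    if ($sig.Status -ne 'Valid' -or $subject -notlike "*$ExpectedSigner*") {
        [pscustomobject]@{ File = $f.FullName; Status = $sig.Status; Subject = $subject }
    }
}

# 2. Identities outside the assumed trusted set that hold any write right on the
#    folder. Coarse check: generic access masks are not decoded here.
$trusted   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
$writers = (Get-Acl -Path $AgentDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -notin $trusted -and
    (([int]$_.FileSystemRights -band $writeMask) -ne 0)
}

"Files not validly signed by '$ExpectedSigner': $(@($unexpected).Count)"
$unexpected | Format-Table -AutoSize -Wrap
"Other identities with write access to ${AgentDir}: $(@($writers).Count)"
$writers | Select-Object IdentityReference, FileSystemRights | Format-Table -AutoSize
```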


Clean up the system

If shadow copy storage has become messy because SentinelOne was not allowing x360Recover to delete snapshots, perform the following steps to recover storage space:

STEP 1. Temporarily disable SentinelOne’s VSS rollback.

Sentinelctl.exe configure -p agent.snapshotIntervalMinute -v 0

STEP 2. Delete all the snapshots on the system to free storage space.

  • Open an administrator-elevated command prompt 
  • Navigate to the x360Recover Agent installation folder, which is typically C:\Program Files (x86)\Replibit

efsvss -da

  • Answer Y when prompted to delete all shadow copies in the system


STEP 3. Re-enable SentinelOne VSS rollback

Sentinelctl.exe configure -p agent.snapshotIntervalMinute -v 240

Note: You can set any minute interval you prefer for snapshot creation. The default is four hours. Please note that more frequent snapshots will require more free disk space on the system.


Understand snapshot storage limits

When a limit is set, Windows automatically deletes the oldest snapshot when the limit is exceeded. (This is necessary to avoid completely filling the volume.)

The number of previous snapshots retained for VSS rollbacks depends on:

  • the amount of space available/allocated for shadow storage
  • the rate of change of files on the system

From SentinelOne’s perspective, nearly any shadow storage limit is acceptable - as long as the system can create several snapshots before reaching that limit. Since SentinelOne is only interested in creating historical recovery points and since SentinelOne is actively using the snapshots on an ongoing basis, it doesn’t matter when Windows eventually comes along and deletes the snapshot to recover shadow storage space.

However, from the x360Recover agent perspective, there must be sufficient shadow storage space available on the system so Windows does not delete our snapshot before we’ve completed taking a backup. 

Ongoing incremental backups typically only take a few minutes to complete, but the initial full backup of a system might take hours (or even days, for Direct-to-Cloud (D2C) systems).

If the system does not have a substantial amount of free space on every disk volume available for use by shadow storage, it may be necessary to

  • increase shadow storage limits
  • relocate shadow storage to another volume with more free space
  • alter SentinelOne to take VSS rollback snapshots less frequently
  • temporarily disable VSS rollback entirely until the initial full backup is completed
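To decide which of these options a system needs, it helps to see the current shadow storage limit, usage, and snapshot count per volume. The following is an added example, not Axcient or SentinelOne code: it reads the standard Windows WMI classes Win32_ShadowStorage, Win32_ShadowCopy and Win32_Volume and flags volumes with little headroom. The 15% free-space and 80%-of-limit thresholds are assumptions chosen for illustration.

```powershell
# Added example: per-volume shadow storage headroom report (run elevated).
# Volumes that have never held a snapshot have no Win32_ShadowStorage entry
# and will not appear in the output.
$MinFreePct = 15    # assumed threshold: free space on the storage volume
$NearCapPct = 80    # assumed threshold: used space as a share of the limit

$volById = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object { $volById[$_.DeviceID] = $_ }

# Count existing snapshots per source volume (shared by SentinelOne and x360Recover).
$snapCount = @{}
Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
    $snapCount[$_.VolumeName] = 1 + [int]$snapCount[$_.VolumeName]
}

Get-CimInstance -ClassName Win32_ShadowStorage | ForEach-Object {
    $src       = $volById[$_.Volume.DeviceID]       # volume being snapshotted
    $diff      = $volById[$_.DiffVolume.DeviceID]   # volume holding shadow storage
    $unbounded = $_.MaxSpace -eq [uint64]::MaxValue # Windows reports "UNBOUNDED" this way
    $freePct   = [math]::Round(100 * $diff.FreeSpace / $diff.Capacity, 1)
    $nearCap   = (-not $unbounded) -and ($_.UsedSpace -ge ($NearCapPct / 100) * $_.MaxSpace)

    [pscustomobject]@{
        Volume    = $src.Name
        StoredOn  = $diff.Name
        Snapshots = [int]$snapCount[$_.Volume.DeviceID]
        UsedGB    = [math]::Round($_.UsedSpace / 1GB, 1)
        MaxGB     = if ($unbounded) { 'UNBOUNDED' } else { [math]::Round($_.MaxSpace / 1GB, 1) }
        FreePct   = $freePct
        # At risk: Windows may delete the oldest snapshot during a long backup.
        AtRisk    = $nearCap -or ($freePct -lt $MinFreePct)
    }
} | Format-Table -AutoSize

# To raise a limit, for example (values are illustrative):
#   vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%
```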
