Category: SentinelOne

Disable SentinelOne to Permit Clearing of System Volume Information
article #1438, updated 188 days ago

SentinelOne (S1) considers deletion of volume shadows to be bad actor behavior, because it often is a way that cryptolockers delete last-known-good checkpoints. Unfortunately, there is a lot of cleanup which ends up being required, as the hidden NTFS System Volume Information folders on Windows machines build up and up and up in size. I’ve seen instances ranging from 20G to hundreds of gigabytes, and every time this occurs, the overall system slows down, and often slows down a whole lot. WizTree is my favorite method of identifying this situation, but there are many.

In order to clear a huge SVI folder with S1 installed, one must do this:

  1. First get the Passphrase for the machine, from the S1 console. It’s under Actions, you can choose Show Passphrase. Do be aware that your S1 admin will probably receive a notice that you have asked for this.
  2. cd "C:\Program Files\SentinelOne\Sentinel*"
  3. Please put the actual passphrase in, and the quotes are necessary:
    .\sentinelctl.exe unload -slam -k "<passphrase>"
  4. vssadmin delete shadows /all
  5. Only if this is a server, check System Volume Information size again. If it’s still big, we have three options.
    1. The first is to do these two:
      diskshadow
      (within diskshadow’s command line:) delete shadows all

      This can take a while, especially if SVI is big, e.g., more than 20-30 gigabytes. It can get huge occasionally, hundreds of gigabytes. I recently saw 1,022 shadow copies deleted (it tells you the count at the end) from one server.
    2. The second is to do this:
      wmic shadowcopy delete /nointeractive
      which runs the cleanup nicely, and possibly a bit faster than the other.
    3. The third is to do this, in Powershell:
      Start-Job -ScriptBlock { wmic shadowcopy delete /nointeractive }
      which does #2, but in the background.
  1. .\sentinelctl.exe load -slam

And you are done.

If you should need to reenable S1 after work such as the above, here’s a paste:

cd "C:\Program Files\SentinelOne\Sentinel*"
.\sentinelctl.exe load -slam

Categories: