Category: SentinelOne

Clear System Volume Information (and Disable Sentinel One)
article #1438, updated 73 days ago

The hidden NTFS “System Volume Information” folders on Windows machines, can build up and up and up in size. I’ve seen instances ranging from 20G to hundreds of gigabytes, and every time this occurs, the overall system slows down, and often slows down a whole lot. SpaceSniffer is my favorite method of identifying this situation, but there are many. The only preventative I have been able to identify so far, is here.

But here we are discussing cleanup. If you have SentinelOne (S1) installed on this machine, you need to know that S1 considers deletion of volume shadows to be very bad actor behavior. This is because it often is a way that cryptolockers and others delete last-known-good checkpoints. S1 will not let you clear SVI, unless you disable it first, and it will complain very loudly if you try. Instructions for disabling S1, are at the end of this article. There may well be other security tools which will behave similarly, and need similar interaction beforehand.

General cleanup steps:

  1. This command usually gets all of them: wmic shadowcopy delete /nointeractive
  2. Very rarely, this will get a few more: vssadmin delete shadows /all
  3. And even more rarely on a server only, the above two don’t get it done, and this is needed:

    diskshadow
    then within diskshadow’s command line: delete shadows all

Any of these can take a while, especially if SVI is big, e.g., more than 20-30 gigabytes. It can get huge occasionally, hundreds of gigabytes. I recently saw 1,022 shadow copies deleted (the first and third methods tell you the count) from one server.

Special case cleanup steps

Special cases do occur. Here are steps which can help a lot.

  • Sometimes the steps above quit in the middle. Start them over again. Often they’ll complete.
  • If the above does not completely solve the situation (if the SVI folder is still huge), do vssadmin resize shadowstorage for the relevant drive(s) (try /? for syntax…), first to 10%, then back to whatever it was. Sometimes Windows will do a lot of steady cleanup for you, sometimes over hours of time. You’ll see it by watching File Explorer.
  • Run CHKDSK /F at reboot. Then start from the beginning :-)

To disable SentinelOne:

  1. First get the Passphrase for the machine, from the S1 console. It’s under Actions, you can choose Show Passphrase. Do be aware that your S1 admin may receive a notice that you have asked for this.
  2. cd "C:\Program Files\SentinelOne\Sentinel*"
  3. Please put the actual passphrase in, and the quotes are necessary:
    .\sentinelctl.exe unload -slam -k "<passphrase>"

Then, and only then, will the cleanup commands above work.

To reenable S1:

  1. .\sentinelctl.exe load -slam

If you should need to reenable S1 and your command prompt is not where you need it, here’s a paste:

cd "C:\Program Files\SentinelOne\Sentinel*"
.\sentinelctl.exe load -slam

Categories:      

==============

Silent install of SentinelOne
article #1559, updated 152 days ago

This works rather well with the .EXE installer:

installer.exe --dont_fail_on_config_preserving_failures -t "site-token-in-quotes" /qn

Do make sure the site token is in quotes.

Categories:      

==============

SentinelOne agent removal
article #1509, updated 431 days ago

For a long time the standard was, contact your S1 support and receive a removal tool. I don’t know if this always works, but it did for one corrupt agent:

SentinelOneInstaller_windows_64bit_v22_2_4_558.exe --clean_only --dont_preserve_config_dir --dont_preserve_agent_uid -t xyzpdqxyzpdq

where xyzpdqxyzpdq is the site token (much longer of course). Not entirely sure the -t xyzpdqxyzpdq is needed.

Categories: