Wednesday, October 2, 2024

SentinelOne - Exclude Files from Scans

Excluding Files From S1 Scanning:

If you want to keep the SentinelOne agent from scanning (and flagging) a particular file, you can exclude it by adding the file's SHA1 hash in the console. A hash exclusion is tied to the exact contents of the file, which makes it a safer choice than a path exclusion: if the file is updated, or something else gets dropped in its place, the new file has a different hash and is not covered.

Make sure the computer is in the correct site and/or group before adding the exclusion. Exclusions are inherited downward: one created at the site level applies to every group in that site.


How to Add a File to the Exclusion List:

There are two ways to get a file onto the exclusion list: A. let the file trigger a detection in the console and add it to the exclusions from that alert, or B. generate the file's SHA1 hash yourself and add it manually.

Let's go with generating the SHA1 hash for the file in question:

1. Open PowerShell on the machine where the file exists and run the following command (the path is relative to your current directory, so cd there first or give the full path):

    a. Get-FileHash .\xcopy.exe -Algorithm SHA1

2. Here's the SHA1 hash of "xcopy.exe" on that machine. The hash differs between Windows builds, so compute your own rather than copying this one:

    a. C5BD7815ED18F7E3D1CE93CC47AECF58D908DCA8

3. Log in to the S1 console, expand the chevron in the upper left, find the site or group you want to apply the exclusion to and click on it.

4. Click on "Exclusions" in the top menu and make sure it's underlined in purple.

5. Click on "New Exclusion" in purple.

6. Click "Create Exclusion".

7. The exclusion type should default to "Hash" at the top.

    Fill out the form with the OS and the SHA1 hash from earlier. Give it a description so you (and whoever reviews the exclusion list later) know what it is and why it was added. Click "Save" when done.

8. Using "xcopy.exe" as an example, that means the OS, the hash from step 2 and a description such as the file name and version.

9. Once saved you can search for it by clicking once on the bar where I drew the 3 red dashes. It should be more obvious that this is where they hide the search options. I literally made a post on Reddit because I couldn't find it. This goes to show that UI developers aren't actual users of the software. Anyway, you'll find your newly created entry by the description if you entered one.

10. Changes should propagate down to the agent in a matter of seconds.
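Before pasting a hash into the console it is worth recording what you are actually excluding. The following PowerShell function is an added example, not code from the original post or from SentinelOne: it computes the SHA1 the console form takes (plus SHA256 for your own records), checks the Authenticode signature so you notice when you are about to whitelist an unsigned or tampered binary, and builds a description string for the form. The function name, the description format and the CSV file name are my own choices.

```powershell
# Added example (not from the original post): gather the facts you should record
# before excluding a binary from SentinelOne by hash. Function name is my own.
function Get-ExclusionCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $file = Get-Item -LiteralPath $Path -ErrorAction Stop

        # SHA1 is what the S1 hash exclusion form takes; SHA256 is kept for your own
        # records and for checking the file against other tooling or threat intel.
        $sha1   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash
        $sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

        # A hash exclusion only ever matches these exact bytes. If the file is unsigned,
        # or the signature does not verify, think twice: you are whitelisting content
        # you cannot attribute to a publisher.
        $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        [pscustomobject]@{
            Path        = $file.FullName
            SizeBytes   = $file.Length
            SHA1        = $sha1
            SHA256      = $sha256
            Signature   = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
            Signer      = $signer
            Product     = $file.VersionInfo.ProductName
            Version     = $file.VersionInfo.FileVersion
            # Suggested text for the "Description" field in the console
            Description = "{0} {1} ({2}) excluded {3:yyyy-MM-dd} by {4}" -f `
                $file.Name, $file.VersionInfo.FileVersion, $sig.Status, (Get-Date), $env:USERNAME
        }
    }
}

# Usage: a single file, shown as a list so the long hashes are readable.
Get-ExclusionCandidate -Path "$env:SystemRoot\System32\xcopy.exe" | Format-List

# Several files at once, keeping a CSV of what was excluded and why (file name is my own):
# 'C:\tools\agent.exe', 'C:\tools\helper.dll' | Get-ExclusionCandidate |
#     Export-Csv -NoTypeInformation -Path .\s1-hash-exclusions.csv
```

Run it on the machine where the file lives, as in step 1: a copy pulled from elsewhere may be a different build with a different hash, and then the exclusion silently does nothing.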



👽

Wednesday, September 11, 2024

Windows 10/11 - Change Network Profile From Public to Private Using Powershell

Problem:

You cannot change a network connection's profile from Public to Private in the GUI, because in some scenarios the Settings page simply does not show the option.


Solution:

1. Open PowerShell as Admin.

2. Run Get-NetConnectionProfile to list the current network profiles (only enabled, connected adapters are shown).

3. Note the Name of the profile you want to change.

4. Set it to Private:

    Set-NetConnectionProfile -Name "nameofnetworkprofile" -NetworkCategory Private

   or back to Public:

    Set-NetConnectionProfile -Name "nameofnetworkprofile" -NetworkCategory Public

5. Done. Keep in mind that the category decides which Windows Firewall profile applies to that interface: inbound rules such as network discovery and file and printer sharing are enabled under the Private profile but not under Public, so only switch to Private on a network you trust.
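The steps above as one function, added here as an example (not code from the original post): it refuses to touch a profile whose name is ambiguous, refuses domain-authenticated profiles (NLA assigns that category itself, you cannot set it by hand), makes the change, and reports the firewall profile that is now in force. The function name is my own; the cmdlets are the built-in NetConnection and NetSecurity ones.

```powershell
# Added example (not from the original post): change one connection's category
# safely and show the resulting firewall profile. Function name is my own.
#Requires -RunAsAdministrator
function Set-ConnectionCategory {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # "Name" column from Get-NetConnectionProfile (e.g. "Network 2" or an SSID)
        [Parameter(Mandatory)] [string]$Name,
        # Only these two categories can be set by hand
        [Parameter(Mandatory)] [ValidateSet('Private', 'Public')] [string]$Category
    )

    $before = @(Get-NetConnectionProfile -Name $Name -ErrorAction Stop)
    if ($before.Count -ne 1) {
        throw "Expected exactly one profile named '$Name', found $($before.Count). " +
              "Use -InterfaceIndex with Set-NetConnectionProfile to pick one."
    }
    $before = $before[0]

    # NLA sets DomainAuthenticated when a domain controller is reachable; it is not a
    # category this cmdlet can switch to or away from.
    if ($before.NetworkCategory -eq 'DomainAuthenticated') {
        throw "'$Name' is domain-authenticated; its category is managed by NLA."
    }

    $target = "$Name ($($before.InterfaceAlias))"
    if ($PSCmdlet.ShouldProcess($target, "Set category $($before.NetworkCategory) -> $Category")) {
        Set-NetConnectionProfile -Name $Name -NetworkCategory $Category -ErrorAction Stop
    }
    $after = Get-NetConnectionProfile -Name $Name

    # The Windows Firewall profile that now applies to this interface
    $fw = Get-NetFirewallProfile -Name $Category

    [pscustomobject]@{
        Name            = $after.Name
        Interface       = $after.InterfaceAlias
        Before          = $before.NetworkCategory
        After           = $after.NetworkCategory
        FirewallEnabled = $fw.Enabled
        DefaultInbound  = $fw.DefaultInboundAction   # Block on both by default; rule sets differ
    }
}

# Usage (interactive): list what you have, then switch one. -WhatIf previews the change.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Set-ConnectionCategory -Name 'Network 2' -Category Private -WhatIf
```

The duplicate-name check matters more than it looks: Windows reuses generic names like "Network", and Set-NetConnectionProfile -Name would happily change every profile that matches.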




👽

Thursday, August 29, 2024

Using Devcon to Clear PuTTY's "Access Is Denied" Message Without a Reboot

Issue:

Occasionally, after a session to a USB-to-UART bridge has worked fine, PuTTY throws an "Access is denied" error the next time you launch it. Restarting Windows clears it temporarily, but the error tends to recur. I believe it's happening because the port is still being held open despite PuTTY having been closed.

Interesting read:
https://stackoverflow.com/questions/20058542/is-it-possible-to-generate-a-deadlock-with-single-lock



Resolution:

Disabling and re-enabling the device in Device Manager doesn't seem to resolve the issue. Toggling it with devcon.exe does, as long as you target the right device. Run the commands from an elevated prompt; disable/enable needs admin rights.

1. List all USB devices that are currently connected to the machine:

devcon.exe find *USB*


2. Identify the device you're looking to toggle:

USB\VID_10C4&PID_EA60\0001                                  : Silicon Labs CP210x USB to UART Bridge (COM3)


3. Make sure PuTTY is closed at this point!

4. Disable and enable the device using devcon.exe:

devcon.exe disable "USB\VID_10C4&PID_EA60*"
devcon.exe enable "USB\VID_10C4&PID_EA60*"

Note that this pattern matches on hardware ID, so it toggles every CP210x bridge with that VID/PID. If more than one is plugged in, give devcon the full instance ID from step 2 instead, prefixed with @ (devcon's syntax for "this is an instance ID, not a hardware ID"), and only that one device is touched.

5. Open PuTTY and try connecting to COM3 again.
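The same disable/enable cycle, added here as an example that is not part of the original post, using the PnpDevice cmdlets that ship with Windows (so it works on a box where devcon.exe was never copied). It targets the exact instance ID from step 2 rather than a wildcard, and refuses to run while PuTTY is still open, which is the step 3 check made mandatory. The function name is my own; the instance ID is the one shown in the post and will differ on your machine.

```powershell
# Added example (not from the original post): devcon-free reset of one USB serial
# device via the built-in PnpDevice cmdlets. Function name is my own.
#Requires -RunAsAdministrator
function Reset-UsbSerialBridge {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Exact device instance ID, as shown by "devcon find" or Get-PnpDevice
        [Parameter(Mandatory)] [string]$InstanceId,
        # Process that must not be holding the port while we toggle the device
        [string]$ProcessName = 'putty'
    )

    # Step 3 of the post, enforced: a live PuTTY still owns the COM port.
    if (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        throw "$ProcessName is still running; close it before resetting the device."
    }

    # Exact match on the instance ID, so a second bridge with the same VID/PID is left alone.
    # (devcon equivalent: devcon.exe disable "@USB\VID_10C4&PID_EA60\0001")
    $dev = Get-PnpDevice -InstanceId $InstanceId -ErrorAction Stop
    Write-Verbose ("Before: {0} [{1}]" -f $dev.FriendlyName, $dev.Status)

    if ($PSCmdlet.ShouldProcess($dev.FriendlyName, 'Disable and re-enable')) {
        Disable-PnpDevice -InstanceId $InstanceId -Confirm:$false -ErrorAction Stop
        Start-Sleep -Seconds 2          # give the driver a moment to tear down the port
        Enable-PnpDevice  -InstanceId $InstanceId -Confirm:$false -ErrorAction Stop
    }

    $after = Get-PnpDevice -InstanceId $InstanceId
    [pscustomobject]@{
        FriendlyName = $after.FriendlyName   # e.g. "... USB to UART Bridge (COM3)"
        Status       = $after.Status         # "OK" once it has re-enumerated
        # COM ports the OS currently exposes (Windows PowerShell 5.1 / .NET Framework)
        ComPorts     = [System.IO.Ports.SerialPort]::GetPortNames() -join ', '
    }
}

# Equivalent of "devcon find *USB*", narrowed to CP210x bridges that are present right now:
Get-PnpDevice -PresentOnly | Where-Object InstanceId -like 'USB\VID_10C4&PID_EA60*' |
    Select-Object InstanceId, FriendlyName, Status

# Usage: instance ID taken from the listing above (the value here is the one from the post)
Reset-UsbSerialBridge -InstanceId 'USB\VID_10C4&PID_EA60\0001' -Verbose
```

If Status comes back as anything other than OK after the enable, the driver did not re-enumerate and you are back to the reboot; at that point check Device Manager for a yellow bang on the port before blaming PuTTY.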




👽