Wednesday, October 2, 2024

SentinelOne - Exclude Files from Scans

 



Excluding Files From S1 Scanning:

If you wish to exclude a file from being scanned by the SentinelOne agent, you can do so by adding the file's SHA1 hash in the console.

Make sure the computer is in the correct site and/or group before adding the exclusion. Exclusions propagate down from sites to groups.



How to Add a File to the Exclusion List:

For a file to be added to the exclusion list, you need to either (A) have the file trigger a warning in the console and then add it to the exclusion list, or (B) generate the SHA1 hash for the file and add that to the exclusion list.


Let's go with generating the SHA1 hash for the file in question:

1. Open PowerShell on the machine where the file exists and run the following command:

    a. Get-FileHash .\xcopy.exe -Algorithm SHA1

2. Here's the SHA1 hash of "xcopy.exe"

    a. C5BD7815ED18F7E3D1CE93CC47AECF58D908DCA8

3. Log in to the S1 console, expand the chevron in the upper left, find the site or group you want to apply the exclusion to and click on it.

4. Click on "Exclusions" in the top menu and make sure it's underlined in purple.



5. Click on "New Exclusion" in purple...



6. Click "Create Exclusion"...



7. It should default the selection to "Hash" at the top.

    Fill out the following form with the OS and the SHA1 hash from earlier. Give it a description so you know what it is. Click "Save" when done.



8. Using "xcopy.exe" as an example...



9. Once saved you can search for it by clicking once on the bar where I drew the 3 red dashes. It should be more obvious that this is where they hide the search options. I literally made a post on Reddit because I couldn't find it. This goes to show that UI developers aren't actual users of the software. Anyway, you'll find your newly created entry by the description if you entered one.



10. Changes should propagate down to the agent in a matter of seconds.
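As a companion to steps 1 and 2, here is an added example (not part of the original post, and not SentinelOne code) that gathers what is worth reviewing before a hash goes into the exclusion list: the SHA1, the file version and the Authenticode signature status. The function name Get-ExclusionCandidate, the xcopy.exe path under System32 and the CSV file name are assumptions made for illustration.

```powershell
# Added example: review a file's identity before excluding it by hash.
# Assumption: the candidate list is hypothetical; replace it with the
# files you actually intend to exclude.
$candidates = @(
    "$env:SystemRoot\System32\xcopy.exe"
)

function Get-ExclusionCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        # Skip anything that is missing or is a directory.
        if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
            Write-Warning "Skipping '$Path': not a file."
            return
        }

        $item = Get-Item -LiteralPath $Path
        # Same hash the post generates with Get-FileHash -Algorithm SHA1.
        $hash = Get-FileHash -LiteralPath $item.FullName -Algorithm SHA1
        # Signature status shows whether the file is signed and intact.
        $sig  = Get-AuthenticodeSignature -LiteralPath $item.FullName

        [pscustomobject]@{
            Path         = $item.FullName
            SHA1         = $hash.Hash
            FileVersion  = $item.VersionInfo.FileVersion
            SigStatus    = $sig.Status
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            LastWriteUtc = $item.LastWriteTimeUtc
        }
    }
}

# Build the report, show it, and keep a copy as a record of what was excluded.
$report = $candidates | Get-ExclusionCandidate
$report | Format-List
$report | Export-Csv -Path .\exclusion-candidates.csv -NoTypeInformation
```

Because a SHA1 hash identifies one exact file, an updated build of the same program produces a different hash and needs its own exclusion entry.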



👽
