
Virus Scan Question



Ok, so - with the increase in Ransomware issues, we've started deploying SentinelOne to our clients. This is different than other AV solutions, in that it does not use a set of definitions to check files against, but rather it monitors behavioral patterns to detect/prevent/stop malware/viruses/ransomware/etc. before they can even do anything.

 

Since there isn't a SentinelOne plugin, or anything like that, I figured I'd add the Definitions to Dashboard > Config > Configurations > Virus Scan:

 

Name:                SentinelOne
Scan Template:       (blank)
AP Process:          sentinelagent
Program Location:    {%-HKLM\SYSTEM\ControlSet001\Services\SentinelAgent:ImagePath-%}
Definition Location: {%-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sentinel Agent:InstallDate-%}
Date Mask:           (blank)
Update Command:      (blank)
OS Type:             All OSs
Version Check:       {%-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sentinel Agent:DisplayVersion-%}
Version Mask:        (blank)
Infection Check:     (blank)
Infection Match:     (blank)

 

I've verified that the Program Location and Version Check registry values are correct, and I put the Definition Location reg key in because that field can't be blank.

 

How do I force the Virus Scan/detection to run, so I can see if it's finding it?


Well.............shit.

 

No dice. Guess I'll need to come up with a new method of detecting SentinelOne. Or, I'm screwed, because there is no 'Definitions' file for it to pull a date from/whatever. I'll try again once I get my other stuff working. Thanks for the reply, tlphipps! (and sorry it took me so long to get back to you).


We just signed up with Carvir and they had this on their site that another partner created. Haven't tested it yet but hopefully it may help you out. Keep in mind that you need to do a new one for each version. I will probably experiment with some wildcards.

 

[attached image: SentinelOne-LabTechAVDetection.png]


Thanks for that - helped me out quite a bit.

 

I modified it, for if you just want a 'SentinelOne' detection, and you don't care about the version:

[attached image: S1Def.png]

 

For the definitions, it's just checking the 'Date Modified' of the 'Data.bin' file. The actual 'definitions' are stored on SentinelOne's servers, I guess. So...for me, it shows Virus Definitions: 5/12/2017 - whereas, something like AVG or whatever, would show today's date (hopefully).

 

I think I'm going to just create one definition per version, anyway...but the beauty of that is...just having to adjust the version check line. The paths in the example from Carvir's website are the values of the Registry keys I'm using, so - perhaps - if the install is done differently, or the physical locations are somehow different for some reason - the registry keys should provide the correct paths automatically (again, hopefully). If I can create them...and they work, I'll post them, as well - for anyone who's interested.

 

Edit: Went ahead and did them by version:

1.8.2.2536  [attached image: S1822536Def.png]
1.8.2.2566  [attached image: S1822566Def.png]
1.8.2.2570  [attached image: S1822570Def.png]
1.8.4.3524  [attached image: S1843524Def.png]
1.8.4.3628  [attached image: S1843628Def.png]
1.8.4.3668  [attached image: S1843668Def.png]

Juan,

I have it working with the following settings, it uses the date of installation for the uninstall.exe file as the definition date.

It is also working to detect multiple agent versions, as it goes by a registry key for the Sentinel Monitor service which stays constant between versions.

 

[attached image: 25-06-2018-11-44-53.png]

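The posts above converge on the same three facts the Virus Scan definition needs (program location, version, and something to stand in for a definition date) but hard-code one definition per agent version. The script below is an added example, not code posted by anyone in this thread or shipped by SentinelOne, LabTech, Carvir or PAX8. It reads the same registry values the posts name (the SentinelAgent service ImagePath and the "Sentinel Agent" uninstall key) and falls back across the date sources mentioned (Data.bin, uninstall.exe, InstallDate) so the version does not have to be known in advance. Assumptions, marked in the comments: Data.bin and uninstall.exe sit in the agent's install directory, and the monitor service is named SentinelMonitor.

```powershell
# Added example (not from any post in this thread): gather the fields a
# version-independent SentinelOne detection needs. Registry and service names
# follow the thread where they are stated; anything marked ASSUMED is not.

function Get-S1ImagePath {
    # Executable path from the SentinelAgent service, or $null if the service
    # key is absent. CurrentControlSet is the control set the OS booted with.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SentinelAgent'
    $raw = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $raw) { return $null }
    $raw = $raw.Trim()
    # ImagePath may be a quoted path with arguments, or a bare path; keep the exe only.
    if ($raw.StartsWith('"')) {
        $end = $raw.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $raw.Substring(1, $end - 1) } else { $raw.Trim('"') }
    } else {
        $exe = ($raw -split '\s+')[0]
    }
    # Service paths can use %SystemRoot% or the NT \??\ prefix; normalise both.
    return ([Environment]::ExpandEnvironmentVariables($exe) -replace '^\\\?\?\\', '')
}

function Get-S1Detection {
    $exe    = Get-S1ImagePath
    $uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sentinel Agent'
    $u      = Get-ItemProperty -Path $uninst -ErrorAction SilentlyContinue

    $installed = [bool]$exe -and (Test-Path -LiteralPath $exe)

    # Version: DisplayVersion from the uninstall key (what the thread uses),
    # falling back to the binary's own version so a missing key still resolves.
    $version = $u.DisplayVersion
    if (-not $version -and $installed) {
        $version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
    }

    # "Definition" date: S1 keeps no local signature file, so use the same
    # stand-ins the posts settled on, in order of preference.
    $defDate = $null
    if ($installed) {
        $dir = Split-Path -Parent $exe                    # ASSUMED: files live beside the exe
        foreach ($name in 'Data.bin', 'uninstall.exe') {
            $f = Join-Path $dir $name
            if (Test-Path -LiteralPath $f) {
                $defDate = (Get-Item -LiteralPath $f).LastWriteTime
                break
            }
        }
    }
    if (-not $defDate -and $u.InstallDate -match '^\d{8}$') {
        # Windows Installer writes InstallDate as yyyyMMdd
        $defDate = [datetime]::ParseExact($u.InstallDate, 'yyyyMMdd', $null)
    }

    # For a behavioural agent the service state is the real health signal:
    # an installed but stopped agent protects nothing. Name SentinelMonitor is ASSUMED.
    $svc = Get-Service -Name SentinelAgent, SentinelMonitor -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Installed       = $installed
        ProgramLocation = $exe
        Version         = $version
        DefinitionDate  = $defDate
        Services        = ($svc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join '; '
    }
}

Get-S1Detection | Format-List
```

Run it on a machine with and without the agent to confirm Installed flips and the other fields populate; the ProgramLocation, Version and DefinitionDate outputs map directly onto the Program Location, Version Check and Definition Location fields in the configuration posted at the top of the thread. Note the script reads CurrentControlSet rather than ControlSet001: the two are usually the same, but CurrentControlSet is the one the running system actually booted from, which is what a detection should be checking.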

I was provided the following configuration by PAX8 for detecting SentinelOne. Unfortunately, it works very sporadically; SentinelOne is found on some systems and not on others.

Anyone have an idea on what could be wrong here?

[attached image: SentinelOneCfg.JPG]

4 hours ago, LoneWolf said:

    I was provided the following configuration by PAX8 for detecting SentinelOne. Unfortunately, it works very sporadically; SentinelOne is found on some systems and not on others.

    Anyone have an idea on what could be wrong here?

Version Check field and Version Mask, if I had to guess. I can get a better look at it when I’m back at my desk.

We have one entry per SentinelOne Version, so if you’re looking for a blanket-approach, I’m not sure if that’s do-able. (Though, if it is - sign me up!)

12 hours ago, Seth said:

    Version Check field and Version Mask, if I had to guess. I can get a better look at it when I'm back at my desk.

    We have one entry per SentinelOne Version, so if you're looking for a blanket-approach, I'm not sure if that's do-able. (Though, if it is - sign me up!)

I would prefer a blanket approach, mainly because we update versions pretty regularly, though, if it isn't possible, I'll take the approach of doing the three most recent GA releases.

The odd thing is that those settings work for some systems and not others, even using the same version of SentinelOne.

@alsilva Your virus info appears similar to mine.  Is it working properly across all of your clients?
