Customer Spotlight: Resolving an EDR Update Headache
In this article, we will dive into an EDR update issue with one of our customers and how we resolved it together.
At Cyber Vigilance, we take great pride in building great relationships with our customers. We update them on the latest product enhancements and techniques to get the best value from their investment. These relationships go both ways, as was shown recently when one of our fantastic customers spotted a flaw in the version of SentinelOne agent they were running and passed on the fix to us. In this article, we will dive into the issue and how we were able to resolve it by working closely with our customer.
This specific customer was updating the SentinelOne agent on their servers in a phased approach, just in case there were any issues. They started with their SQL servers, then moved on to the IIS servers.
As a precaution, they updated one server from each role to have redundancy in case of problems.
After updating the SentinelOne agent on some of their IIS ARR load-balancer farms, our customer noticed they began receiving 500 Internal Server Errors across all applications.
These 500 errors were only occurring on the 2 servers that had been updated.
On further investigation, they could see these errors in the event logs on the ARR servers that had not been updated, referencing SentinelOne, which seemed very strange.

The error details uncovered that IIS could not load all ISAPI filters for the site 'DEFAULT WEB SITE'. Therefore, the site startup aborted.
The HTTP Filter DLL C:\Program Files\SentinelOne\Sentinel Agent 24.2.3.471\SentinelWSFilter64.dll failed to load. This data is the error.
They found that the agent update on the IIS servers added several ISAPI filters such as:
- Sentinel Agent 24.2.3.471\SentinelWSFilter32.dll
- Sentinel Agent 24.2.3.471\SentinelWSFilter64.dll
Among others.
Because the customer uses IIS shared config, the non-updated IIS servers were instructed to use the ISAPI filter, but did not have the \SentinelWSFilter64.dll file present (thus causing the 500 errors).
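
A pre-rollout check for the condition described above, as an added example (not code from the customer, Cyber Vigilance or SentinelOne): it reads an IIS configuration file and reports every ISAPI filter whose DLL is missing on the server running the check. The function name `Get-MissingIsapiFilter`, the sample file name and the filter name in the sample are assumptions; the DLL path is the one from the event log above.

```powershell
# Added example: list ISAPI filters declared in an IIS config file whose DLL is
# absent on the server running the check. Run it on every node of the farm.
function Get-MissingIsapiFilter {
    param(
        # applicationHost.config to inspect (with shared config, the shared copy).
        [Parameter(Mandatory)] [string] $ConfigPath,
        # File-existence check; replaceable so the logic can be tried off-box.
        [scriptblock] $PathTest = { param($p) Test-Path -LiteralPath $p -PathType Leaf }
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path -LiteralPath $ConfigPath).ProviderPath)

    # Filters may be declared globally or inside a <location path="..."> block.
    foreach ($node in $xml.SelectNodes('//isapiFilters/filter')) {
        $dll = [Environment]::ExpandEnvironmentVariables($node.GetAttribute('path'))
        if (& $PathTest $dll) { continue }
        $location = $node.SelectSingleNode('ancestor::location')
        [pscustomobject]@{
            Server = $env:COMPUTERNAME
            Scope  = if ($null -ne $location) { $location.GetAttribute('path') } else { '(global)' }
            Filter = $node.GetAttribute('name')
            Path   = $dll
        }
    }
}

# Constructed sample config: the filter name is made up, the DLL path is the one
# from the event log quoted above.
$sample = @'
<configuration>
  <system.webServer>
    <isapiFilters>
      <filter name="SentinelWSFilter64 (constructed name)"
              path="C:\Program Files\SentinelOne\Sentinel Agent 24.2.3.471\SentinelWSFilter64.dll" />
    </isapiFilters>
  </system.webServer>
</configuration>
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'applicationHost.sample.config'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8

# On a server without that agent version installed, the filter is reported as missing.
Get-MissingIsapiFilter -ConfigPath $tmp | Format-Table -AutoSize
```

In a shared-config farm, point `-ConfigPath` at the shared applicationHost.config and run the check on each node after the first agent update; any row returned is a node that will fail to load that filter.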

This was an extremely interesting find, which we have passed on to our vendor for their records, so that other customers don’t fall foul of it, and to update the installation instructions for load-balancing servers for future reference.
We believe this issue highlights not only the importance of testing application updates on a small number of machines before rolling out en masse, as our customer did, but also how important it is to form close relationships with your customers. With this comes two-way information sharing and fantastic nuggets of information such as this that make the life of technicians a little easier.
Our technical team boasts years of experience, specifically around EDR, so if you need any support with onboarding, optimisation or health checks you can reach out here.

Chris Faulkner
Senior Cyber Security Consultant, SentinelOne Paladin


