SentinelOne - Configuring Snapshots

Updated: Mar 28, 2020

As highlighted in our previous article, SentinelOne's Rollback feature is one of the most prominent ransomware remediation solutions on the market.

In this article, we would like to show you how to change the default VSS (Volume Shadow Copy Service) configuration and, at the same time, analyse how these changes affect the security of your environment.

Windows VSS is a technology included in Microsoft Windows that can create snapshots of computer files or volumes, even when they are in use. SentinelOne uses VSS snapshots to provide its rollback capabilities.

SentinelOne can keep a certain number of snapshots on the device, depending on how much storage the operating system has allocated to VSS. The frequency with which SentinelOne takes these snapshots is every 4 hours by default, but this can be changed by an administrator. It's important to note that the space allocated to VSS snapshots is wholly governed by the OS and is not a setting SentinelOne can amend.

Changing the VSS size using Windows command line:

1. On the endpoint, start cmd with Run as Administrator and type:

vssadmin Resize ShadowStorage /For=<drive> /On=<storage_drive> /MaxSize=<percent>%

Example: vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=10%

Space allocation can impact security. Imagine a scenario where the VSS allocation is at 1% and can essentially store only one snapshot, and the agent is set to the default 4-hour window between snapshots. If ransomware infects the endpoint, the user has less than 4 hours to mitigate the attack, i.e. the time until the next snapshot. If the user waits too long, the good copy will be replaced with an encrypted one. Moreover, if the attack happens just before a snapshot, there is almost no chance the security team will be able to roll back the endpoint to a healthy state.

That is why it is very important that you keep the space allocation to the VSS snapshots at 5% to 10%.
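The following PowerShell script is an added example, not SentinelOne's own tooling: it audits the allocation that the vssadmin command above configures and lists the snapshots each volume currently holds, flagging allocations outside the 5% to 10% band and a newest snapshot older than the 4-hour default interval. It assumes an elevated PowerShell session on Windows and queries the Win32_ShadowStorage, Win32_Volume and Win32_ShadowCopy WMI classes.

```powershell
# Added example (not SentinelOne code): audit VSS shadow storage per volume.
# Assumes an elevated PowerShell session; thresholds come from the article.
$MinPercent    = 5
$MaxPercent    = 10
$IntervalHours = 4   # SentinelOne default snapshot interval (assumed unchanged)

$storage    = Get-CimInstance -ClassName Win32_ShadowStorage
$allVolumes = Get-CimInstance -ClassName Win32_Volume
$copies     = Get-CimInstance -ClassName Win32_ShadowCopy
$now        = Get-Date

foreach ($vol in ($allVolumes | Where-Object { $_.DriveLetter })) {
    # Volume and DiffVolume on Win32_ShadowStorage are references to Win32_Volume;
    # join on the \\?\Volume{GUID}\ DeviceID to find this volume's shadow storage.
    $entry = $storage | Where-Object { $_.Volume.DeviceID -eq $vol.DeviceID } | Select-Object -First 1
    if (-not $entry) {
        Write-Output ("{0} no shadow storage configured; nothing to roll back to" -f $vol.DriveLetter)
        continue
    }

    # /MaxSize=<percent>% is relative to the storage (/On=) volume, which may differ.
    $diffVol = $allVolumes | Where-Object { $_.DeviceID -eq $entry.DiffVolume.DeviceID } | Select-Object -First 1
    if ($entry.MaxSpace -eq [uint64]::MaxValue) {
        $maxText = 'UNBOUNDED'
        $status  = 'unbounded'
    } else {
        $maxPct  = [math]::Round(100.0 * $entry.MaxSpace / $diffVol.Capacity, 1)
        $maxText = "$maxPct%"
        $status  = if ($maxPct -lt $MinPercent) { 'TOO LOW: resize to 5-10%' }
                   elseif ($maxPct -gt $MaxPercent) { 'above guidance' }
                   else { 'OK' }
    }
    $usedGB = [math]::Round($entry.UsedSpace / 1GB, 2)

    # Snapshots of this volume, oldest first; their ages bound the rollback window.
    $volCopies = @($copies | Where-Object { $_.VolumeName -eq $vol.DeviceID } | Sort-Object InstallDate)
    $fields = @($vol.DriveLetter, $diffVol.DriveLetter, $maxText, $status, $usedGB, $volCopies.Count)
    Write-Output ("{0} shadow storage on {1}: max {2} ({3}), {4} GB used, {5} snapshot(s)" -f $fields)

    if ($volCopies.Count -gt 0) {
        $oldestHours = ($now - $volCopies[0].InstallDate).TotalHours
        $newestHours = ($now - $volCopies[-1].InstallDate).TotalHours
        Write-Output ("   rollback reach: oldest {0:N1} h ago, newest {1:N1} h ago" -f $oldestHours, $newestHours)
        if ($newestHours -gt $IntervalHours) {
            Write-Output ("   WARNING: newest snapshot is older than the {0} h interval; check the agent" -f $IntervalHours)
        }
    }
}
```

A volume reported as TOO LOW is the 1% scenario described above: one missed window and there is no clean copy left to roll back to.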

Changing the VSS timing:

As mentioned above, SentinelOne interacts with VSS to take a snapshot every 4 hours, starting at installation. The timer does not count