As highlighted in our previous article, SentinelOne's Rollback feature is one of the most prominent ransomware remediation solutions on the market.
In this article we show how to change the default VSS (Volume Shadow Copy Service) settings, and for each change we analyse how it affects the security of your environment.
Windows VSS is a technology included in Microsoft Windows that can create snapshots of computer files or volumes, even when they are in use. SentinelOne uses VSS snapshots to provide its rollback capabilities.
SentinelOne can keep a certain number of snapshots on the device, depending on how much storage the operating system has allocated to VSS. By default the agent takes a snapshot every 4 hours, but an administrator can change this interval. It is important to note that the space allocated to VSS snapshots is governed entirely by the OS and is not a setting that SentinelOne can amend.
Changing the VSS size using Windows command line:
1. On the endpoint, start cmd with Run as Administrator and type:
vssadmin Resize ShadowStorage /For=<drive> /On=<storage_drive> /MaxSize=<percent>%
example: vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=10%
(/MaxSize also accepts an absolute size such as 20GB, or UNBOUNDED for no limit.)
Space allocation can impact security: imagine a scenario where the VSS allocation is 1% and can essentially hold only one snapshot, and the agent is on the default 4-hour interval. If ransomware infects the endpoint, the security team has less than 4 hours, the time until the next snapshot, to contain the attack and roll back. If they wait longer, the one healthy copy is replaced by a snapshot of encrypted files. If the attack starts just before a scheduled snapshot, there is almost no chance of rolling the endpoint back to a healthy state. There is a second, less obvious effect: VSS snapshots are copy-on-write, so the shadow storage holds the pre-change blocks of every file modified since the snapshot. Ransomware rewrites many files in a short time, which fills that storage quickly, and when it is full Windows discards the oldest shadow copies to make room, even before the next scheduled snapshot is taken. SentinelOne cannot roll back to a shadow copy that VSS has already deleted.
That is why it is very important to keep the space allocated to VSS snapshots at 5% to 10% of the volume, and higher on volumes with heavy write activity.
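The following PowerShell script is an added example for this article; it is not code from the original page or from SentinelOne. It audits the shadow storage allocation of every lettered volume with the Win32_ShadowStorage, Win32_Volume and Win32_ShadowCopy CIM classes, reports how old the newest shadow copy on each volume is (the "response window" discussed above), and with -Fix resizes under-allocated volumes with the same vssadmin command shown above. The 5% floor, the 10% target and the 240-minute interval are assumptions taken from this article's recommendations and quoted default, not values read from the agent.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or SentinelOne). Audit VSS shadow storage
# per volume and optionally resize it. Thresholds below are assumptions based on
# the article: 5-10% recommended allocation, 240-minute default snapshot interval.
param(
    [int]$MinPercent    = 5,     # report/resize when the allocation is below this share of the volume
    [int]$TargetPercent = 10,    # allocation applied by -Fix
    [int]$IntervalMin   = 240,   # expected snapshot interval, used to flag stale snapshots
    [switch]$Fix                 # without -Fix the script only reports
)

$volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -and $_.Capacity }
$storage = Get-CimInstance -ClassName Win32_ShadowStorage
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
$now     = Get-Date

foreach ($vol in $volumes) {
    # Win32_ShadowStorage.Volume references the protected Win32_Volume; match on the
    # volume GUID path (DeviceID), which Win32_ShadowCopy.VolumeName also carries.
    $store  = $storage | Where-Object { $_.Volume.DeviceID -eq $vol.DeviceID } | Select-Object -First 1
    $copies = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID } | Sort-Object InstallDate -Descending)

    $maxPct    = $null
    $unbounded = $false
    if ($store) {
        # A MaxSpace at or above the volume size means "UNBOUNDED" in vssadmin terms.
        if ($store.MaxSpace -ge $vol.Capacity) { $unbounded = $true }
        else { $maxPct = [math]::Round(100 * $store.MaxSpace / $vol.Capacity, 1) }
    }

    $newestAgeMin = $null
    if ($copies.Count -gt 0) { $newestAgeMin = [int](($now - $copies[0].InstallDate).TotalMinutes) }

    # Flags a practitioner cares about: too little room for rollback, and no recent snapshot.
    $flags = @()
    if (-not $store)                                        { $flags += 'NoShadowStorage' }
    elseif (-not $unbounded -and $maxPct -lt $MinPercent)   { $flags += 'TooSmall' }
    if ($copies.Count -eq 0)                                { $flags += 'NoSnapshots' }
    elseif ($newestAgeMin -gt $IntervalMin)                 { $flags += 'StaleSnapshot' }

    [pscustomobject]@{
        Drive        = $vol.DriveLetter
        MaxPercent   = if ($unbounded) { 'UNBOUNDED' } else { $maxPct }
        UsedGB       = if ($store) { [math]::Round($store.UsedSpace / 1GB, 2) } else { 0 }
        ShadowCopies = $copies.Count
        NewestAgeMin = $newestAgeMin
        Status       = if ($flags) { $flags -join ',' } else { 'OK' }
    }

    if ($Fix -and $flags -contains 'TooSmall') {
        $d = $vol.DriveLetter
        # Same command the article shows; Resize needs an existing storage association,
        # so volumes flagged NoShadowStorage are deliberately left for manual handling.
        & vssadmin.exe Resize ShadowStorage "/For=$d" "/On=$d" "/MaxSize=$TargetPercent%"
        if ($LASTEXITCODE -ne 0) { Write-Warning "vssadmin Resize failed for $d (exit code $LASTEXITCODE)" }
    }
}
```

Run it without parameters from an elevated PowerShell to get one row per volume; add -Fix to apply the resize. Treat NewestAgeMin as the age of the most recent point you could roll back to, and remember that StaleSnapshot can simply mean the machine was asleep or hibernating, since the agent's timer does not run in those states.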
Change the VSS timing.
As mentioned above, SentinelOne interacts with VSS to take a snapshot every 4 hours, counted from installation. The timer does not run while the endpoint is in hibernate or sleep, and it is not aligned to any global clock or wall-clock schedule. An administrator can change the interval between shadow copies; setting the value to zero disables SentinelOne's shadow copies.
Changing the VSS timer:
1. In the management console, click on the endpoint you want to change
2. Click Actions and then select "Show Passphrase" and copy that passphrase to a side note.
3. On the endpoint, start cmd with Run as Administrator
4. Go to the SentinelOne directory:
cd c:\program files\sentinelone\sentinel agent <version>\
5. Turn off SentinelOne self-protection with the passphrase you copied:
sentinelctl.exe unprotect -k "<passphrase>"
Note: between unprotect and protect the agent's self-protection is off, so anything running with local administrator rights on the endpoint can tamper with or stop it. Keep that window as short as possible, and never leave the agent in this state.
6. Run the command:
sentinelctl.exe configure -p agent.snapshotIntervalMinutes -v <minutes>
example: sentinelctl.exe configure -p agent.snapshotIntervalMinutes -v 240
7. Run the command:
sentinelctl.exe protect
Important: if <minutes> is set to zero, SentinelOne stops taking its own snapshots; the VSS service itself is not disabled. This is intended only for specific situations where you need to suspend SentinelOne snapshots for a short time. If other programs use VSS to take "ApplicationRollback"-type snapshots, SentinelOne can use those snapshots to initiate Rollback.
Note: if you decrease the interval, you will probably also need to increase the space allocated to VSS snapshots. More frequent snapshots fill the shadow storage faster, and once it is full the healthy old snapshots are overwritten by new ones, which shortens the time the security team has to respond to an attack.
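The following is an added example for this article, not code from the page or from SentinelOne: the seven steps above wrapped in PowerShell so that sentinelctl.exe protect runs in a finally block, keeping the unprotected window no longer than the configure call itself, and so that a zero interval (which stops SentinelOne snapshots) requires an explicit opt-in. Assumptions: the sentinelctl.exe commands and the agent.snapshotIntervalMinutes property are exactly those shown in the steps above; the agent directory is located by searching under Program Files\SentinelOne because the <version> part of the path differs per install, and picking the last path in descending sort order as the newest version is a heuristic of this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or SentinelOne). Change the SentinelOne
# snapshot interval with the agent re-protected even if the configure step fails.
param(
    [Parameter(Mandatory)][int]$Minutes,
    [string]$Passphrase,          # Management console: Actions > Show Passphrase (prompted if omitted)
    [switch]$AllowDisable         # 0 stops SentinelOne snapshots; require an explicit opt-in for that
)

if ($Minutes -lt 0) { throw 'Minutes must be 0 or greater' }
if ($Minutes -eq 0 -and -not $AllowDisable) {
    throw '0 disables SentinelOne snapshots; pass -AllowDisable if that is really intended'
}
if ($Minutes -gt 0 -and $Minutes -lt 240) {
    # Assumed default of 240 minutes from the article: a shorter interval needs more VSS space.
    Write-Warning "Interval below 240 minutes: check the VSS allocation (vssadmin List ShadowStorage) so old snapshots are not evicted early"
}
if (-not $Passphrase) {
    # Prompting keeps the passphrase out of the shell history and the script's command line.
    $Passphrase = Read-Host -Prompt 'Agent passphrase'
}

# Locate sentinelctl.exe; the article's path is c:\program files\sentinelone\sentinel agent <version>\
# Choosing the last path in descending order as the current version is a heuristic (assumption).
$ctl = Get-ChildItem -Path "$env:ProgramFiles\SentinelOne" -Filter sentinelctl.exe -Recurse -ErrorAction Stop |
       Sort-Object FullName -Descending | Select-Object -First 1
if (-not $ctl) { throw "sentinelctl.exe not found under $env:ProgramFiles\SentinelOne" }

function Invoke-Ctl {
    param([string[]]$Arguments)
    & $ctl.FullName @Arguments
    if ($LASTEXITCODE -ne 0) { throw "sentinelctl $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

$unprotected = $false
try {
    Invoke-Ctl @('unprotect', '-k', $Passphrase)                       # step 5
    $unprotected = $true
    Invoke-Ctl @('configure', '-p', 'agent.snapshotIntervalMinutes', '-v', "$Minutes")   # step 6
    Write-Output "agent.snapshotIntervalMinutes set to $Minutes"
}
finally {
    # Step 7 runs whether or not configure succeeded; do not throw here so the
    # original error (if any) is still reported.
    if ($unprotected) {
        & $ctl.FullName protect
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "sentinelctl protect failed (exit code $LASTEXITCODE); run 'sentinelctl.exe protect' manually now"
        }
    }
}
```

Usage: .\Set-S1SnapshotInterval.ps1 -Minutes 240 reproduces the article's example; .\Set-S1SnapshotInterval.ps1 -Minutes 0 -AllowDisable is the deliberate "stop SentinelOne snapshots" case. The finally block is the point of the wrapper: a typo in the property name or a failed configure call still ends with self-protection back on, rather than with an unprotected agent waiting for someone to notice.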