SentinelOne - How does Rollback Work?

Updated: Mar 28, 2020

Rollback is SentinelOne's rewind for ransomware. With a single click it restores files that have been maliciously encrypted or deleted to the state they were in before the attack. This capability ships inside a single-agent EPP/EDR solution with an average CPU footprint of 1-5%.

In this article, we take a technical deep dive into the Rollback feature to understand its key strengths.

Introducing the Volume Shadow Copy Service (VSS)

To understand how SentinelOne implements rollback functionality, we first need to understand the Volume Shadow Copy Service (VSS) built into Microsoft Windows. VSS maintains point-in-time copies (shadow copies) of volumes, and therefore of the files on them, even while those files are in use. It does this with a 'copy on write' snapshot: once a snapshot exists, the first time a block of the volume is about to be overwritten, the original contents of that block are copied to a small storage area allocated by VSS (the shadow storage, or diff area). Only after that copy has been made is the write allowed to complete, so the snapshot can always be read exactly as the volume looked when it was taken.

Because only blocks that are overwritten after the snapshot get copied out, a shadow copy records just what has changed since it was taken rather than a full copy of the volume. That is what makes VSS snapshots cheap to create and to keep.
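As an added illustration of the copy-on-write mechanism described above (example code written for this article, not VSS or SentinelOne code), the following Python models a volume as a list of blocks, a snapshot as a diff area that fills only as blocks are overwritten, and a rollback that copies the preserved blocks back onto the live volume. The block contents and the 'ransomware' writes are constructed sample data.

```python
# Added illustration of block-level copy-on-write snapshots. This is a model of
# the mechanism, not Windows or SentinelOne code; block contents are constructed.

from dataclasses import dataclass, field


@dataclass
class Snapshot:
    """Read-only point-in-time view of a volume, backed by a diff area."""
    volume: "Volume"
    # Original contents of every block overwritten since the snapshot was taken
    diff_area: dict = field(default_factory=dict)

    def read(self, index: int) -> bytes:
        # A block that was never overwritten is still correct on the live volume,
        # so the diff area only needs to hold the blocks that have changed.
        return self.diff_area.get(index, self.volume.blocks[index])

    def changed_blocks(self) -> int:
        return len(self.diff_area)

    def rollback(self) -> int:
        """Put every preserved block back on the live volume; returns blocks restored."""
        for index, original in list(self.diff_area.items()):
            # Go through Volume.write so any later snapshots keep their own originals.
            self.volume.write(index, original)
        return len(self.diff_area)


class Volume:
    def __init__(self, blocks):
        self.blocks = list(blocks)   # the live data
        self.snapshots = []          # snapshots currently held for this volume

    def snapshot(self) -> Snapshot:
        snap = Snapshot(self)
        self.snapshots.append(snap)
        return snap

    def write(self, index: int, data: bytes) -> None:
        # Copy-on-write: before the live block is replaced, copy the original into
        # the diff area of every snapshot that has not already preserved it.
        for snap in self.snapshots:
            if index not in snap.diff_area:
                snap.diff_area[index] = self.blocks[index]
        self.blocks[index] = data

    def delete_snapshot(self, snap: Snapshot) -> None:
        # What VSS tampering achieves: once the diff area is gone there is
        # nothing left to roll back to.
        self.snapshots.remove(snap)
        snap.diff_area.clear()


def ransomware_scenario() -> dict:
    """Constructed sample: take a snapshot, 'encrypt' two files, roll back."""
    vol = Volume([b"report.docx: quarterly figures",
                  b"photo.jpg: JFIF...",
                  b"notes.txt: todo list",
                  b"unused block"])
    snap = vol.snapshot()

    vol.write(0, b"report.docx.locked: 8f2a...")   # first write copies the original
    vol.write(0, b"report.docx.locked: 9c11...")   # same block again: nothing new copied
    vol.write(2, b"notes.txt.locked: d40b...")

    seen_by_snapshot = snap.read(0)
    copied = snap.changed_blocks()   # 2 blocks held, not 4: only changed data is stored
    restored = snap.rollback()
    return {
        "snapshot_view": seen_by_snapshot,
        "blocks_in_diff_area": copied,
        "blocks_restored": restored,
        "live_after_rollback": vol.blocks[0],
    }


if __name__ == "__main__":
    for key, value in ransomware_scenario().items():
        print(f"{key}: {value!r}")
```

Two points the model makes visible: the diff area holds two blocks after three writes, because a second write to an already-preserved block copies nothing, and deleting a snapshot empties its diff area, which is why ransomware that removes shadow copies before encrypting leaves nothing to roll back to.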

These shadow copies are read-only point-in-time copies of the volume. VSS was introduced in Windows XP and Windows Server 2003 and has been a core feature of every Windows release since. SentinelOne's Rollback is available from Windows Vista/Windows Server 2008 R2 onward. Because it depends on VSS, the Rollback feature unfortunately does not extend to macOS or to the supported Linux kernels.

How SentinelOne is using VSS

SentinelOne uses VSS snapshots to provide its Rollback capability. Acting as a VSS requestor, the agent interacts with the service to create and manage snapshots, and it protects them by detecting any attempt to tamper with VSS and blocking it on the spot. On top of that, it gives administrators the ability to e
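The VSS tampering the agent has to watch for typically shows up as a handful of command lines that delete or starve shadow copies (the techniques catalogued under MITRE ATT&CK T1490, Inhibit System Recovery). As an added example that is not SentinelOne's detection logic, the Python below flags process-creation events whose command line matches one of those shapes. The events are constructed samples laid out like Sysmon process-creation records, and the pattern names are this example's own.

```python
# Added example: flag process-creation events that try to delete or shrink
# shadow copies. Not SentinelOne code; the sample events below are constructed.

import re
from typing import List

# Command-line shapes used to destroy or starve shadow copies (ATT&CK T1490).
# The patterns tolerate .exe suffixes, casing and extra whitespace, which
# attackers vary to slip past naive substring matches.
VSS_TAMPER_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("Win32_ShadowCopy deletion via PowerShell",
     re.compile(r"Win32_ShadowCopy.*?(?:\.Delete\(\)|Remove-WmiObject|Remove-CimInstance)", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]


def classify(command_line: str) -> List[str]:
    """Return the names of every tampering pattern the command line matches."""
    return [name for name, rx in VSS_TAMPER_PATTERNS if rx.search(command_line)]


# Constructed process-creation events (shape borrowed from Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},                       # benign: read-only
    {"pid": 4133, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c VSSADMIN.EXE Delete Shadows /All /Quiet"},
    {"pid": 4140, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"pid": 4151, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"pid": 4160, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"pid": 4177, "image": r"C:\Program Files\Backup\agent.exe",
     "cmd": '"C:\\Program Files\\Backup\\agent.exe" --nightly'},  # benign
]


def scan(events) -> List[dict]:
    """Return one alert per event whose command line matches a tampering pattern."""
    alerts = []
    for ev in events:
        reasons = classify(ev["cmd"])
        if reasons:
            alerts.append({"pid": ev["pid"], "image": ev["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} {alert['image']}: {', '.join(alert['reasons'])}")
```

A match alone is a signal, not a verdict: backup agents and administrators legitimately run vssadmin, so a production rule pairs the match with context such as the parent process, whether the image is signed, and the user before it blocks anything.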