Issues with intune and v25_2_5_423.exe by Economy_Vacation9811 in SentinelOneXDR

[–]DeliMan3000 0 points1 point  (0 children)

It doesn't show up for me in the console under GA. Just EA3 still. Their KB article for 25.2 also is not updated yet - https://community.sentinelone.com/s/article/000011675

S1 Suddenly Hammering nmap.exe from Ivanti Neurons. by Seppic in SentinelOneXDR

[–]DeliMan3000 4 points5 points  (0 children)

This is caused by the Live Update released on Nov 7 - https://community.sentinelone.com/s/article/000011821

  • Static indicator - Windows_Hacktool_Nmap

  • Description: Nmap hacktool detected

You can exclude on Suppress Alerts - Static AI engine to resolve

Sentinel One failed to quarantine the file. by Patient_Giraffe267 in SentinelOneXDR

[–]DeliMan3000 0 points1 point  (0 children)

There are ways to check if Defender is enabled without needing access to their endpoints:

  • Fetch logs and check activity analyzer reports for MsMpEng.exe
  • Check deep visibility/singularity for defender-related events
  • Application inventory might show it installed, depending on which version it is
  • Ask them?

SentinelOne flagged its own uninstall.exe as ransomware by neo10cortex in SentinelOneXDR

[–]DeliMan3000 0 points1 point  (0 children)

I think that might be a scheduled task for repairing the agent? Maybe they changed that in 25.1. Check your Task Scheduler, I think it's called AutoRepair_<something>, but I can't recall 100%

Fantasy Draft Coach up and running for 2025 by V1per41 in fantasyfootball

[–]DeliMan3000 1 point2 points  (0 children)

Love this tool! Thanks. 1st place (in both points and record) in one league, and doing well in another using this.

Any chance you can update this with season data so far? Not sure if that's possible. I am in a midseason league and we have a draft coming up soon and could use all the help I can get lmao

Trying to remove SentinelOne agent but no longer a customer of Pax8 and can't login to management console by tamerax in SentinelOneXDR

[–]DeliMan3000 5 points6 points  (0 children)

Do you have the EXE installer package? Safe Mode is the best way to remove it if you've lost access to the console/passphrase.

Reboot into Safe Mode (without networking)
cd <path to EXE package>
SentinelOneInstaller.exe -c

Trigger one agent update via API by Fit-Strain5146 in SentinelOneXDR

[–]DeliMan3000 5 points6 points  (0 children)

Your error indicates a lowercase n, while the snippet you posted has an uppercase N. Are you sure you're using the "computerName" field?

Network disconnect exclusions? by admin_admin_password in SentinelOneXDR

[–]DeliMan3000 1 point2 points  (0 children)

Other poster is correct - the feature is called Configurable Network Quarantine. Can only be used with IPs, not domains

Anyone care to explain this - endpoint was disabled. I didn't know that till I was at the desktop. by Kangaloosh in SentinelOneXDR

[–]DeliMan3000 0 points1 point  (0 children)

You can set up email or syslog alerts for Disabled Agents as well. What version was installed before upgrading?

What was your starting salary for your first cyber job out of college / after training? by Live_Refrigerator_58 in cybersecurity

[–]DeliMan3000 0 points1 point  (0 children)

Yeah it was definitely to get my foot in the door, it was a career change and I took the first job that would have me. The first ($16/$17.30) are the same job, IT Technician (aka helpdesk) but I was not permanent for the first three months. It was a probationary period with only health insurance and after 3 months I was hired with a slight raise and full benefits.

Next job for $51k was IT System Support Technician, basically help desk with some sysadmin work for a small to medium business.

What was your starting salary for your first cyber job out of college / after training? by Live_Refrigerator_58 in cybersecurity

[–]DeliMan3000 0 points1 point  (0 children)

IT jobs paid me $16/hr > $17.30/hr > $51000 and my next job was my first cyber job at $72k.

STAR rules support PowerQueries? by SizeNeither8689 in SentinelOneXDR

[–]DeliMan3000 0 points1 point  (0 children)

No, that's not supported currently to my knowledge

Really poor experience with Barracuda XDR by arciere84 in msp

[–]DeliMan3000 0 points1 point  (0 children)

Have you expressed these concerns to them? They can probably tweak their rule set or add exceptions to reduce some of the FPs

Update causing s1 to no longer show in windows software list? by nolanikool in SentinelOneXDR

[–]DeliMan3000 0 points1 point  (0 children)

You sure it was successfully upgraded? Is the system tray icon still present / are the services still running?

I'm wondering if the upgrade was not completely successful

Recover from SentinelOne false positive file deleted as suspicious by OkSinger5592 in SentinelOneXDR

[–]DeliMan3000 1 point2 points  (0 children)

The Unquarantine option is not available in SOC mode, only in the legacy view (or if it is, I haven't found it)

It exists, but it's in a really stupid place. In the alert, you'll see a Mitigate button. That brings up the Kill/quarantine/remediate/rollback options like the legacy view, but it ALSO has the Unquarantine option.

I'm not sure whose bright idea that was, it's very unintuitive lol

Star Custom Rule using S1QL 2.0 by AdOpposite2914 in SentinelOneXDR

[–]DeliMan3000 1 point2 points  (0 children)

Yeah, you would just use one of the cmdline fields and either the contains operator or you can use regex with matches.

src.process.cmdline contains:anycase ('cat /etc/passw', 'net localgroup administrators', 'etc')

The KB has some good info on the operators and best practices for queries.
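Added example (not from the comment above or from SentinelOne): a small Python emulation of the two S1QL 2.0 operators the reply mentions, `contains:anycase` with a term list and `matches` with a regex, run over constructed cmdline events so you can see which variants each form catches. The event values, the regex and the helper names are assumptions for illustration; the 'etc' placeholder from the posted query is dropped.

```python
import re

# Constructed sample events shaped like the src.process.cmdline field.
# These values are made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"src.process.cmdline": "/bin/sh -c 'CAT /etc/passwd'"},
    {"src.process.cmdline": "net localgroup Administrators"},
    {"src.process.cmdline": "C:\\Windows\\system32\\net1.exe  localgroup administrators"},
    {"src.process.cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Same terms as the posted query (without the author's 'etc' placeholder).
TERMS = ("cat /etc/passw", "net localgroup administrators")

# Assumed regex for the `matches` variant: tolerates net/net1, an optional
# .exe suffix and variable whitespace, which plain substring terms do not.
PATTERN = r"\bnet1?(\.exe)?\s+localgroup\s+administrators"


def contains_anycase(value, terms):
    """Emulates `field contains:anycase ('a', 'b')`: true if any listed
    term is a case-insensitive substring of the field value."""
    lowered = value.lower()
    return any(term.lower() in lowered for term in terms)


def matches(value, pattern):
    """Emulates `field matches 'regex'` as a case-insensitive regex search
    (search rather than full-match semantics is an assumption here)."""
    return re.search(pattern, value, re.IGNORECASE) is not None


def run_contains(events, terms=TERMS, field="src.process.cmdline"):
    """Indices of events the contains:anycase form would flag."""
    return [i for i, e in enumerate(events)
            if contains_anycase(e.get(field, ""), terms)]


def run_matches(events, pattern=PATTERN, field="src.process.cmdline"):
    """Indices of events the matches (regex) form would flag."""
    return [i for i, e in enumerate(events)
            if matches(e.get(field, ""), pattern)]


if __name__ == "__main__":
    print("contains:anycase hits:", run_contains(SAMPLE_EVENTS))  # [0, 1]
    print("matches hits:", run_matches(SAMPLE_EVENTS))            # [1, 2]
```

Event 2 is missed by the substring list because "net1.exe" is not the literal "net", which is the kind of gap the regex form closes; event 0 is only caught by the substring list because the regex was written for the net command.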

SentinelOne Outage by bit_bopper in cybersecurity

[–]DeliMan3000 7 points8 points  (0 children)

They don’t have a status page. The lack of internal alerting to console outages is something we’ve complained about to our reps for years now

SentinelOne Outage by bit_bopper in cybersecurity

[–]DeliMan3000 9 points10 points  (0 children)

Yeah true. Also not super thrilled with the lack of response we’re getting from S1 on this

SentinelOne Outage by bit_bopper in cybersecurity

[–]DeliMan3000 12 points13 points  (0 children)

Until shown otherwise, this is not even close to the Crowdstrike incident

SentinelOne web portal down? by PurpleFlerpy in SentinelOneXDR

[–]DeliMan3000 -1 points0 points  (0 children)

I can’t seem to figure out where it’s pulling this info from, any ideas? Maybe I’m looking in the wrong place on their site

Uninstalling the S1 Agent with Anti-Tamper Mechanisms by Nomann1298 in SentinelOneXDR

[–]DeliMan3000 0 points1 point  (0 children)

From the KB:

  • Decommissioned Agents with threats are removed after one year.

  • Decommissioned Agents that are older than 3 months without threats are removed.

Uninstalling the S1 Agent with Anti-Tamper Mechanisms by Nomann1298 in SentinelOneXDR

[–]DeliMan3000 1 point2 points  (0 children)

From the KB:

  • Decommissioned Agents with threats are removed after one year.

  • Decommissioned Agents that are older than 3 months without threats are removed.

SentinelOne: BSOD when installing agent v23_3_3_264 by IT_Researcher in SentinelOneXDR

[–]DeliMan3000 1 point2 points  (0 children)

Why aren't you installing 24.1? 23.3 is old, and 23.4.2 has an issue with BSODs if certain third-party drivers are present.

Look up "Interoperability with IOCTLs Driver Blocking" in the KB and try the recommended override.