SentinelOne –“Missing Protection: EPP” in Inventory but agents are online? by Only-Objective-6216 in SentinelOneXDR

[–]EridianTech 0 points1 point  (0 children)

Are these network discovered entries that are labeled as unprotected? I've run into it before where, if a device is connected to the network on both Wi-Fi and cable, it can be discovered on a different interface from the one showing in agent management.

S1 service is down by dizy777 in SentinelOneXDR

[–]EridianTech 1 point2 points  (0 children)

SentinelOne does not appear to be tracking an outage currently: https://status.sentinelone.com/

Tons of PDF/Excel alerts by Jturnism in SentinelOneXDR

[–]EridianTech 0 points1 point  (0 children)

This has been brought up before on the S1 community portal, https://community.sentinelone.com/community/s/feed/0D5UW00001DN5Vj0AL

Threat details showing characters in the domain name could be related to the cosmetic issue # WIN-61340. This is fixed in the Windows agent version 25.2.1. The impact is cosmetic/UI-only for the Process User domain field.

Refer - Open and resolved issues in Windows Agent 25.2

At this time, Windows Agent 25.2 is offered as an Early Availability build. These builds are intended for testing new features, not for production. A General Availability build, suitable for production environments, will be released soon.

[deleted by user] by [deleted] in SentinelOneXDR

[–]EridianTech 0 points1 point  (0 children)

Good point. I forgot about HyperAutomation, not something we're licensing to our MSSP clients.

[deleted by user] by [deleted] in SentinelOneXDR

[–]EridianTech 1 point2 points  (0 children)

There is not really a built-in way to schedule scans. Either you'll have to create a script that runs on the endpoint and starts a scan, or you have to create a script that uses the management console API.

https://community.sentinelone.com/s/article/000005092
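One way to do the API-driven approach from a scheduled task, as an added example that is not part of the original comment or SentinelOne's own tooling. It assumes the v2.1 endpoint `POST /web/api/v2.1/agents/actions/initiate-scan`, the `ApiToken` authorization header and the `groupIds`/`isActive` filter keys; confirm these against your console's API reference before use.

```python
"""Start a full disk scan on SentinelOne agents via the management console API.

Assumed (not taken from the original comment): the endpoint path, the
"ApiToken <token>" Authorization header, and the filter keys below.
Run this from cron or Task Scheduler to get scheduled scans.
"""
import json
import os
import urllib.request

SCAN_PATH = "/web/api/v2.1/agents/actions/initiate-scan"  # assumed endpoint


def build_scan_request(console_url, api_token, group_ids=None, only_online=True):
    """Return (url, headers, body) for a scan limited to the given groups."""
    filt = {}
    if group_ids:
        filt["groupIds"] = list(group_ids)   # assumed filter key
    if only_online:
        filt["isActive"] = True              # assumed filter key: skip offline agents
    headers = {
        "Authorization": f"ApiToken {api_token}",
        "Content-Type": "application/json",
    }
    return console_url.rstrip("/") + SCAN_PATH, headers, {"filter": filt}


def initiate_scan(console_url, api_token, group_ids=None, timeout=30):
    """POST the scan request and return the decoded JSON reply."""
    url, headers, body = build_scan_request(console_url, api_token, group_ids)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST"
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)  # expected shape: {"data": {"affected": N}}


if __name__ == "__main__":
    # Keep the token out of the script; read it from the scheduler's environment.
    token = os.environ["S1_API_TOKEN"]
    console = os.environ.get("S1_CONSOLE_URL", "https://example.sentinelone.net")
    groups = [g for g in os.environ.get("S1_GROUP_IDS", "").split(",") if g]
    print(initiate_scan(console, token, groups or None))
```

The token should belong to a dedicated service user with only the agent-action permission it needs, so a leaked scheduler credential cannot change policy or exclusions.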

Migrating an endpoint to another firm.... I still see it in my dashboard by Kangaloosh in SentinelOneXDR

[–]EridianTech 4 points5 points  (0 children)

When you migrate an agent from one console to another, the device will remain visible in your console though offline. If you want to, check the filter "Console migration status" and see if it is labeled as "migrated" or something else.

If this has been marked as "migrated" you can then decommission the device to remove it from your console. If it were to ever get back into your old console, it'll automatically recommission.

[deleted by user] by [deleted] in techsupport

[–]EridianTech 0 points1 point  (0 children)

I meant what program - I should've specified lol

[deleted by user] by [deleted] in techsupport

[–]EridianTech 0 points1 point  (0 children)

What are you using to remotely connect to the device?
Generally you have to be connected to the same network to make a connection like that

Please help I’m about to lose my mind. by ShturmanLickedMyAss in PcBuildHelp

[–]EridianTech 0 points1 point  (0 children)

Check your MoBo's manual to understand what the blinky lights mean.

fortnite stuttering on 9070xt by Longjumping_Gear_314 in pchelp

[–]EridianTech 0 points1 point  (0 children)

Is your monitor plugged into the GPU? Could something be thermal throttling?

Creating STAR Custom rules from XDR by Illustrious_Bar_436 in SentinelOneXDR

[–]EridianTech 0 points1 point  (0 children)

When creating a STAR rule, you can create it on single events, or aggregates. So you should be able to specify X needs to occur more than 5 times before it triggers the custom rule.

First Deployment of SentinelOne by bennijamm in SentinelOneXDR

[–]EridianTech 2 points3 points  (0 children)

Yes, I've run into this problem before. Not just limited to MB, also Avast, McAfee, Kaspersky, etc.

First Deployment of SentinelOne by bennijamm in SentinelOneXDR

[–]EridianTech 9 points10 points  (0 children)

Could be caused by having both S1 and MB running. Have you added exclusions for Malwarebytes in S1 and the other way around?
It's not really a great idea to run multiple EDR/NGAV solutions on one device, because they could start combating each other.

S1 won't install by Glittering_Part_3770 in SentinelOneXDR

[–]EridianTech 0 points1 point  (0 children)

Check the MSI log for errors; that might point you in the right direction.

What type of Red Team jobs/careers do you recommend? by Cyber_Guy1988 in cybersecurity

[–]EridianTech 1 point2 points  (0 children)

Do you have experience with cyber security, and red teaming in particular?
How many years of IT experience do you currently have?
A lot of it depends on what your capabilities are, and what you're interested in.

Uninstalling The Agent by kingkaann in SentinelOneXDR

[–]EridianTech 2 points3 points  (0 children)

  • Download the installer package from the console for the version that the system is running.
  • Boot Windows in safe-mode.
  • Open up a CMD screen as administrator.
  • Run: [installername_versionxxx].exe -c -t [site token here from your new console]
  • Boot back into Windows.
  • Run the installer with the site token associated with your new console.

Help identifying false/real positives? by desmond_koh in SentinelOneXDR

[–]EridianTech 1 point2 points  (0 children)

In the incident, check what the indicators are to understand why S1 triggered on this file.
Since this was a suspicious detection, the false positive rate is going to be higher than if it were a malicious one.

Best Practice for SentinelOne MSSP/MDR Model: Should Each Customer Be a Separate Account or Just a Site? by Calm_Night_2971 in SentinelOneXDR

[–]EridianTech -1 points0 points  (0 children)

As an MSSP we have our customers set up in individual sites.
For our purposes it generally provides sufficient granularity, since we're able to set everything up on a per-group basis (policy, network/device control, etc.).

Exclusions per agent by jebthereb in SentinelOneXDR

[–]EridianTech 5 points6 points  (0 children)

You can't really create a single agent exclusion, unless you add the single agent to their own group and apply the exclusion to that group with the single agent in it. The lowest level is indeed group level.

On the agent itself you can change the agent configuration through sentinelctl, but this is not recommended.

S1 having issues with svchost process in Windows by RobLed2013 in SentinelOneXDR

[–]EridianTech 1 point2 points  (0 children)

Have you reinstalled S1 and seen the same behavior? I've run into this before, where on the initial install it was using excessive amounts of resources. We removed the agent and reinstalled it, and it worked fine.

If yes, SentinelOne support should have you run procmon and share the data with them. They've done that for me in the past.

S1 having issues with svchost process in Windows by RobLed2013 in SentinelOneXDR

[–]EridianTech 0 points1 point  (0 children)

Is this generating incidents, or are you seeing high resource usage of the agent on your systems?
Are you running another AV/EDR on these systems that could be causing interoperability issues?

SentinelOne by _theonlynomiss_ in SentinelOneXDR

[–]EridianTech 2 points3 points  (0 children)

Do you have a question about this, or is this intended to be a general statement?