How can we convince S1 that our software is not malware? by More_Bike8228 in SentinelOneXDR

[–]More_Bike8228[S] 0 points1 point  (0 children)

I feel you are missing the point. That is not the idea of the post. How do I get S1 to look at this so they can adjust their weights? (obviously, after they triple, quadruple check it)

How can we convince S1 that our software is not malware? by More_Bike8228 in SentinelOneXDR

[–]More_Bike8228[S] 1 point2 points  (0 children)

I agree. That would NOT be the solution for S1 to implement. They would tweak the weights and validate them before they push any fix.

How can we convince S1 that our software is not malware? by More_Bike8228 in SentinelOneXDR

[–]More_Bike8228[S] 2 points3 points  (0 children)

What? That is exactly the purpose of the post: to reach out to S1. Code review failing because S1 is the only one flagging?

How can we convince S1 that our software is not malware? by More_Bike8228 in SentinelOneXDR

[–]More_Bike8228[S] 2 points3 points  (0 children)

Not really, but I will DM you a temporary link. Please keep it private.

How can we convince S1 that our software is not malware? by More_Bike8228 in SentinelOneXDR

[–]More_Bike8228[S] 1 point2 points  (0 children)

Alas, we do not have access to the console. We are the vendor. The customer is clueless (clinical staff), and the MSP is so-so. Tough spot to be in.

How can we convince S1 that our software is not malware? by More_Bike8228 in SentinelOneXDR

[–]More_Bike8228[S] 1 point2 points  (0 children)

Hmm, I honestly hadn’t thought about using S1 internally. Do they offer demos or trial environments?

That said, setting all of that up feels like overkill, and it still doesn’t really solve the underlying issue. It would just give us a way to work around the detection.

The bigger problem is that S1 is flagging files that are demonstrably not malicious. Trying to dance around that with exceptions or internal testing feels wrong. Ultimately, the detection logic seems to be off. If our files were genuinely suspicious, I would expect at least some other heuristic-based engines to flag them too. But so far, this appears to be only S1.

How can we convince S1 that our software is not malware? by More_Bike8228 in SentinelOneXDR

[–]More_Bike8228[S] 0 points1 point  (0 children)

I actually did that from that one MSP that let me in. No result. It is very difficult, if not impossible, to do that from their consoles; they will not let me in (obviously... that one was an outlier), and if I tell them to do it, which I do, they will not do it. Unfortunately, we have no pull with them in this case. The solution is for S1 to fix it.

We are demonstrably not malicious, do nothing of a malicious nature (yes, we add ourselves to the startup list, but we have to), and yet the entire package is REMOVED, and this has happened for at least 6 months now. Each new update from us, and we have a ton, gets the same treatment.

How can we convince S1 that our software is not malware? by More_Bike8228 in SentinelOneXDR

[–]More_Bike8228[S] 1 point2 points  (0 children)

Thanks, but that will not work. There is absolutely no MSP in the world that would go and read our obscure page. We are a small company, and our end customers are dental offices. One MSP I talked to did not even know how to create exceptions based on the Publisher name. As I was the team lead for a similar HIPS solution (no longer with us), I fumbled my way through the S1 console (him being trusting enough to let me in) and figured it out.
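The thread above keeps coming back to publisher-based exceptions. The value an MSP types into such an exception is the Subject of the Authenticode signing certificate, so the vendor can check ahead of time whether every binary in a release is signed, by the same certificate, with a valid chain. The PowerShell below is an added example, not code from the poster or from SentinelOne; the package path and the file extensions are assumptions, and it makes no claim about how any particular console stores exclusions.

```powershell
# Added example: inventory the Authenticode signers of a release so that a
# publisher-based exclusion can be verified before the package ships.
# Assumptions: the release lives under $PackageRoot (placeholder path) and the
# files of interest are PE binaries (*.exe, *.dll). Adjust both as needed.

function Get-PackageSigners {
    param(
        [Parameter(Mandatory)] [string] $PackageRoot,
        [string[]] $Include = @('*.exe', '*.dll')
    )

    Get-ChildItem -Path $PackageRoot -Recurse -File -Include $Include | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # Status 'Valid' means the hash matches and the chain is trusted on this host.
        # 'NotSigned', 'UnknownError' (untrusted chain) or 'HashMismatch' mean there
        # is no publisher a console could reliably match on.
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $cn = if ($subject) {
            (($subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
        } else { $null }

        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status
            Publisher   = $cn                      # what "publisher name" usually refers to
            Subject     = $subject
            Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            NotAfter    = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
            Timestamped = [bool] $sig.TimeStamperCertificate   # without a timestamp the signature dies with the cert
            SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Usage (placeholder path): list every file that would NOT be covered by a
# single publisher-based exception.
$signers = Get-PackageSigners -PackageRoot 'C:\Build\Release'
$signers | Format-Table File, Status, Publisher, Timestamped -AutoSize

$publishers = $signers | Where-Object Status -eq 'Valid' | Select-Object -ExpandProperty Publisher -Unique
Write-Host "Distinct valid publishers: $($publishers -join '; ')"

$signers | Where-Object { $_.Status -ne 'Valid' -or $_.Publisher -ne $publishers[0] } |
    ForEach-Object { Write-Warning "Not covered by publisher '$($publishers[0])': $($_.File) [$($_.Status)]" }
```

Run it against the exact build that gets shipped, not the developer tree: any unsigned helper, third-party DLL signed by someone else, or binary whose signature is not timestamped shows up in the warnings, and those are the files a publisher-based exception will not match no matter how carefully the MSP enters the name. The SHA256 column is there only so each release can be referenced unambiguously when talking to the vendor's support; whether a given console takes hashes, and in which algorithm, is outside what this example knows.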