Specific build of SentinelOne antivirus causes system state to fail

SUMMARY

PUBLIC

ISSUE

This set of errors will be seen in the job log in the UI:

*** Sentinel Agent Research Data VSS Writer *** is excluded
<Error> System State agent failed verify component '{9112a876-c17f-4051-b2c3-43f646cde241}:\C:\ProgramData\Sentinel\swrd' was not found in the writer components list! Aborting backup.
Please check the definitions of the component name in profile file: 'BackupTarget' and 'RestoreTarget'.
07/22/20 17:11:21 : ..\CommonVss\uVssClient.cpp::4760::CClientVss::VerifyExplicitelyIncludedComponent failure.
<Error> System State agent failed to get system volume list.
07/22/20 17:11:21 : AppVssBuildVolumeList::545 failure.
07/22/20 17:11:21 : Unitrends agent was not able retrieve or validate volume list for backup!d
07/22/20 17:11:21 : <VSS> Failed to build Volume's list for snapshot!!!

RESOLUTION

We have a confirmed workaround for this issue from SentinelOne as of September 2020, which involves an agent downgrade to a dev build version and a registry change.

Below are the full instructions:

Note: As of September 4th, 2021, Installer v4.1.4.15944 is no longer present on SentinelOne's website. The development build that was in place was only for use on endpoints where issues related to backups were involved. It was only for testing purposes and log collection in the event the error occurred again. No additional update has been found from SentinelOne stating changes to the steps below.

1. Upgrade to the engineering build Sentinel Installer v4.1.4.15944 (download link: https://sentinelone.sharefile.com/d-s5378a9059034a8fa) and reboot the endpoint after the upgrade.
The development build that is in place is only for use on endpoints where issues related to backups are involved. It is only for testing purposes and log collection in the event the error occurs again.
**If the S1 agent was deployed with an MSI utility, the agent will need to be manually uninstalled before the above build can be deployed.


2. Disable protection: Open an administrative command prompt, go to C:\Program Files\SentinelOne\Sentinel Agent version\ and run:
   sentinelctl unprotect -k "agent passphrase"

3. Create the following Reg Key: a DWORD value named Flags under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SentinelMonitor\Config\ProcMon with the hex value data: 10

4. Unload the Monitor driver and load the driver:
   sentinelctl unload -m -k "agent passphrase"
   sentinelctl load -m
   Restore protection:
   sentinelctl protect

5. Run the Backup job on the Backup software (Unitrends, EndPoint Backup, etc.)

6. Reply indicating your results. The registry change should be left in place. The Reg Key is a SentinelOne Reg key. When a build comes out that has the fix in place the registry key will be modified (if needed) by the installer.
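
Steps 2 to 4 as one PowerShell script that restores agent protection in a finally block, so a failed registry or driver step cannot leave the endpoint unprotected. This is an added example, not code from SentinelOne or Unitrends; the $AgentDir parameter, the sentinelctl.exe file name, the Invoke-Ctl helper and the exit-code behaviour are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not SentinelOne or Unitrends code: steps 2-4 of the workaround.
param(
    # Assumption: folder holding sentinelctl.exe (the "Sentinel Agent version"
    # folder from step 2); it differs per install, so it is passed in.
    [Parameter(Mandatory)] [string] $AgentDir
)
$ErrorActionPreference = 'Stop'

$ctl = Join-Path $AgentDir 'sentinelctl.exe'
if (-not (Test-Path -LiteralPath $ctl)) { throw "sentinelctl.exe not found in $AgentDir" }

# Prompt for the passphrase so it is not hard-coded in the script.
$secure = Read-Host -Prompt 'Agent passphrase' -AsSecureString
$pass = [System.Net.NetworkCredential]::new('', $secure).Password

function Invoke-Ctl {
    # Assumption: sentinelctl exits non-zero when a command fails.
    & $ctl @args
    if ($LASTEXITCODE -ne 0) { throw "sentinelctl $($args[0]) failed with exit code $LASTEXITCODE" }
}

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SentinelMonitor\Config\ProcMon'

Invoke-Ctl unprotect -k $pass    # step 2
try {
    # Step 3: DWORD value "Flags" with hex data 10 (decimal 16).
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Flags -PropertyType DWord -Value 0x10 -Force | Out-Null
    $actual = (Get-ItemProperty -Path $key -Name Flags).Flags
    if ($actual -ne 0x10) { throw "Flags reads back as $actual, expected 16 (0x10)" }

    # Step 4: unload and load the Monitor driver.
    Invoke-Ctl unload -m -k $pass
    Invoke-Ctl load -m
}
finally {
    # Restore protection even if a step above failed.
    & $ctl protect
    if ($LASTEXITCODE -ne 0) { Write-Warning 'sentinelctl protect failed; the agent may still be unprotected.' }
    $pass = $null
}
```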

CAUSE

A SentinelOne antivirus issue caused by bad registry keys. They will be releasing an update to resolve this issue going forward.
