Заметки сисадмина » SentinelOne: Removal of SentinelOne Agent Antivirus without passphrase


SentinelOne: Removal of SentinelOne Agent Antivirus without passphrase

2023-01-20 · Posted in Antiviruses

Variant 1:

Just ran into this issue with an ‘old’ system that another MSP had installed Sentinelone on through their posture check. S1 detected some action I took and then I noticed a bunch of stuff was inaccessible to me. These steps should work for disabling Sentinelone services from loading.

1) Reboot the system into safe mode / safe mode with command prompt (hold down the SHIFT key, then hit RESTART).

2) Open regedit and browse to HKLM\system\currentcontrolset\services.

3) Right-click on each sentinel* key -> Permissions and take ownership of the key.

4) After taking ownership, set ‘administrators’ to full control on the key.

5) In each key, set the ‘start’ value to 4 (disabled); if you still get access denied, then your take-ownership or full-control permission didn’t apply/take.

6) Do this for every sentinel* key listed.

7) Reboot the system and you should at least have S1 disabled. Worked for me: the GUI actions I was prevented from are no longer prevented and I see the S1 services stopped. At this point, you could theoretically use a software cleaner and remove S1 completely.

8) fltmc — I didn’t discern a Sentinel1 filter loaded on reboot based on the expected name.

Variant 2:

1) Go to safe mode.

2) Rename C:\ProgramData\Sentinel to something else.

3) Delete all files in C:\Program Files\Sentinel One\Sentinel Agent <Version>\config\*

4) Reboot into normal mode and uninstall like so:

And it should let you uninstall.

I was logged in as SYSTEM with ScreenConnect Backstage feature and had to use takeown and icacls, but it worked.
Administrator would have probably worked, if not see
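The two variants above leave a recognisable footprint on the host: Sentinel* service keys with Start=4 and changed ownership, a renamed C:\ProgramData\Sentinel folder, an emptied agent config folder, stopped services and no Sentinel filter driver reported by fltmc. The following PowerShell audit is an added example written from the defender's side, not code from the original post or from SentinelOne; it only reads state and reports those indicators so an administrator can spot a tampered agent. It assumes the registry and folder locations quoted in the post (services under HKLM\SYSTEM\CurrentControlSet\Services\Sentinel*, data under C:\ProgramData\Sentinel, config under "C:\Program Files\Sentinel One\Sentinel Agent <Version>\config") and that the agent's service names start with "Sentinel"; the owner check is a heuristic to compare against a known-good host.

```powershell
# Added example (not from the original post): audit a Windows host for the
# agent-tampering indicators described in Variants 1 and 2. Run from an
# elevated PowerShell; it changes nothing, it only reports.
# Assumed locations (as quoted in the post, not verified against every agent version):
#   HKLM\SYSTEM\CurrentControlSet\Services\Sentinel*
#   C:\ProgramData\Sentinel
#   C:\Program Files\Sentinel One\Sentinel Agent <Version>\config

function Test-SentinelTampering {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Service keys: Start=4 is the "disabled" value set in Variant 1, step 5.
    $serviceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $keys = Get-ChildItem -Path $serviceRoot -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like 'Sentinel*' }
    if (-not $keys) {
        $findings.Add('No Sentinel* service keys found (agent not installed, or keys deleted)')
    }
    foreach ($key in $keys) {
        $start = (Get-ItemProperty -Path $key.PSPath -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) {
            $findings.Add("Service key $($key.PSChildName) has Start=4 (disabled)")
        }
        # Taking ownership (Variant 1, steps 3-4) changes the key owner. Heuristic:
        # report any owner other than SYSTEM/TrustedInstaller and compare with a clean host.
        $owner = (Get-Acl -Path $key.PSPath).Owner
        if ($owner -notmatch 'NT AUTHORITY\\SYSTEM|TrustedInstaller') {
            $findings.Add("Service key $($key.PSChildName) is owned by $owner (verify against a known-good host)")
        }
    }

    # 2. ProgramData folder renamed or removed (Variant 2, step 2).
    if (-not (Test-Path -LiteralPath 'C:\ProgramData\Sentinel')) {
        $similar = Get-ChildItem -Path 'C:\ProgramData' -Directory -Force -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -like 'Sentinel*' } |
                   Select-Object -ExpandProperty Name
        $findings.Add("C:\ProgramData\Sentinel is missing; similar folders present: $($similar -join ', ')")
    }

    # 3. Emptied agent config folder (Variant 2, step 3). The <Version> part is wildcarded.
    $configDirs = Get-ChildItem -Path 'C:\Program Files\Sentinel One' -Directory -Filter 'Sentinel Agent*' -ErrorAction SilentlyContinue |
                  ForEach-Object { Join-Path -Path $_.FullName -ChildPath 'config' }
    foreach ($dir in $configDirs) {
        if ((Test-Path -LiteralPath $dir) -and
            -not (Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue)) {
            $findings.Add("Config folder $dir exists but is empty")
        }
    }

    # 4. Runtime state: stopped services and no filter driver (Variant 1, steps 7-8).
    $notRunning = Get-Service -Name 'Sentinel*' -ErrorAction SilentlyContinue |
                  Where-Object { $_.Status -ne 'Running' }
    foreach ($svc in $notRunning) {
        $findings.Add("Service $($svc.Name) is $($svc.Status)")
    }
    $filters = (& fltmc.exe filters 2>$null) | Select-String -Pattern 'Sentinel'
    if (-not $filters) {
        $findings.Add('fltmc reports no Sentinel filter driver loaded')
    }

    return $findings
}

# Usage: print the findings, or a single line when nothing looks tampered with.
$result = Test-SentinelTampering
if ($result.Count -eq 0) { 'No tampering indicators found' } else { $result }
```

A host where the agent was removed through the vendor's own cleaner (Variant 3) will also show the missing keys and folders, so treat the output as indicators to reconcile with the management console rather than as proof on its own; on a healthy install the expected result is a single "No tampering indicators found" line.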

Variant 3:

Thank you for your time. I do apologize if the chat session got disconnected suddenly. As discussed earlier, you want to uninstall the SentinelOne agent from all the devices on your test machines.

Please follow the steps below on how to obtain the Passphrase (also known as the verification key) to do a CLI uninstall on a device.

1) In the Management Console, click Sentinels.
2) In the Sentinels view, search for the endpoint.
3) Click the endpoint to open its details.
4) In the Details window, click Actions and select Show passphrase.
5) The Passphrase opens in a new window. Copy it to a file to use as needed.

I have attached the updated SentinelCleaner_3.1.1.12_64bit. Please see the procedure below on how to run the “SentinelCleaner” in safe mode.

1. Download the SentinelCleaner and save it to the C drive. Password to open the zip: solarwinds
2. Reboot the machine into Safe Mode (MANDATORY)
3. Run the cleaner in Safe Mode (MANDATORY), from the C drive (same folder you have extracted the file to)
4. Verify it cleaned correctly.
   a. Run regedit.
   b. Verify that all the ‘sentinel’ registry keys are removed. Search for the string ‘sentinel’. If it is present, remove the outstanding keys manually.
   Note: If the deletion is not possible, change the ownership of those registry keys to the current admin.
   c. Verify that the “Sentinel” Program folder, its sub-directories, and the hidden Sentinel ProgramData folder are removed.
   Reminder: To see the hidden ProgramData folders, change the folder view options to show hidden items.
5. When the system has rebooted twice, it is ready for a fresh agent installation.

I have also attached screenshots of the things you need to check in the registry. In addition, the images contain items that can’t be scrolled to the right, which is why I have added them below. This is under “Solution B” of “The batch file contains the following”.

Please let us know if you need further assistance. Thanks again for contacting Solarwinds MSP.
