Using SentinelOne Antivirus with MSP360

Hello,

We use SentinelOne as our antivirus software, and we have been getting incidents involving “Program Files*company name*\online backup\Cloud.Backup.Scheduler.exe”.
Is this file expected while using MSP360? What is the recommended manner in dealing with SentinelOne as it pertains to MSP360 in order to avoid false positive incidents? Is it recommended to enter the Signer Certificate for Cloud.Backup.Scheduler.exe? And if so, can you tell me the Signer Certificate for this?
Thank you.

[reply=“BackupFan;d2273”] What is the program reporting? I think you’ll need to follow whitelisting procedures with that product and you may be able to submit the binary to SentinelOne for exclusion, but I’m not sure exactly what the report is. If you want to provide more details you can do so here.

[reply=“BackupFan;d2273”] There’s another customer with the same report in the system. I think the best thing for you to do would be to open up a support case directly with the support team. I’ve added your comments to that particular case. You can submit logs from that machine using the tools diagnostic toolbar option to get things started.

[reply=“David Gugick;8134”] It’s reporting it as a threat–though we have experienced false positives before, especially pertaining to MSP360 components.
The following threat indicators are given:

INDICATORS (5)
Evasion
Internal process resource was manipulated in memory.
Attempt to evade monitoring using the Process hollowing technique.

Exploitation
Shellcode execution was detected.

Privilege Escalation
Suspicious Kerberoasting attack. Too many SPN tickets requests.

General
User logged on.

[reply=“BackupFan;8138”] It’s best to work with support on this as there’s an open case already with another customer reporting similar false positives with SentinelOne. Please submit the logs and work with the support team on a resolution if you’re unable to whitelist the application using the posted SentinelOne articles.

[reply=“BackupFan;8138”] I spoke with Support and they are waiting for the logs to be sent. I’ve also passed on the info you provided in the previous post.

[reply=“David Gugick;8140”] Thank you! I’ve sent the logs now.
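
For the signer-certificate question in the opening post, an added example (not from MSP360 or SentinelOne) that reads the Authenticode signer directly from the installed binaries, so any signer-based exclusion is built from values verified on the endpoint. `$InstallDir` is a placeholder for the backup agent's install folder.

```powershell
# Added example: list Authenticode signers for the backup agent's binaries.
# $InstallDir is a placeholder; point it at the agent's install folder.
$InstallDir = 'C:\Path\To\BackupAgent'

$report = Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate   # $null when the file is unsigned
        [pscustomobject]@{
            File       = $_.Name
            Status     = $sig.Status     # Valid, NotSigned, HashMismatch, ...
            Subject    = if ($cert) { $cert.Subject }    else { '' }
            Issuer     = if ($cert) { $cert.Issuer }     else { '' }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
            SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

# Files that a signer-based exclusion must not be assumed to cover.
$notValid = @($report | Where-Object { $_.Status -ne 'Valid' })

# Distinct signing certificates among the validly signed files.
$signers = @($report | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Subject, Thumbprint)

$signers | ForEach-Object {
    '{0} file(s) signed by {1}' -f $_.Count, $_.Name
}

if ($notValid.Count -gt 0) {
    Write-Warning "$($notValid.Count) file(s) without a valid signature:"
    $notValid | Format-Table File, Status, SHA256 -AutoSize
}

# Full details for the binary named in the alert.
$report | Where-Object { $_.File -eq 'Cloud.Backup.Scheduler.exe' } | Format-List
```

A status other than `Valid` on the flagged binary, or a signer that differs from the rest of the install folder, is a reason to keep the incident open and send it to the vendor's support rather than exclude it.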