Specific build of SentinelOne antivirus causes System State backup to fail

SUMMARY

ISSUE

This set of errors will be seen in the job log in the UI (the System State agent aborts because a component it expects from the SentinelOne VSS writer is missing from the writer's component list):

*** Sentinel Agent Research Data VSS Writer *** is excluded
<Error> System State agent failed verify component '{9112a876-c17f-4051-b2c3-43f646cde241}:\C:\ProgramData\Sentinel\swrd' was not found in the writer components list! Aborting backup.
Please check the definitions of the component name in profile file: 'BackupTarget' and 'RestoreTarget'.
07/22/20 17:11:21 : ..\CommonVss\uVssClient.cpp::4760::CClientVss::VerifyExplicitelyIncludedComponent failure.
<Error> System State agent failed to get system volume list.
07/22/20 17:11:21 : AppVssBuildVolumeList::545 failure.
07/22/20 17:11:21 : Unitrends agent was not able retrieve or validate volume list for backup!d
07/22/20 17:11:21 : <VSS> Failed to build Volume's list for snapshot!!!

RESOLUTION

We have a confirmed workaround for this issue from SentinelOne, which involves downgrading the agent to a development build. The full instructions follow:

1. Upgrade to the engineering build Sentinel Installer v4.1.4.15944 (download link: https://sentinelone.sharefile.com/d-s5378a9059034a8fa) and reboot the endpoint after the upgrade. **If the S1 agent was deployed with an MSI utility, the agent will need to be manually uninstalled before the above build can be deployed.

2. Disable protection: open an administrative command prompt, change to C:\Program Files\SentinelOne\Sentinel Agent <version>\ and run:
   sentinelctl unprotect -k "agent passphrase"

3. Create the following registry value: a DWORD value named Flags under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SentinelMonitor\Config\ProcMon with hex value data 10 (0x10).

4. Unload the Monitor driver, load it again, then restore protection:
   sentinelctl unload -m -k "agent passphrase"
   sentinelctl load -m
   sentinelctl protect

5. Run the backup job in the backup software (Veeam, Rapid Recovery, etc.).

6. Reply indicating your results. The registry change should be left in place. The development build is only for use on endpoints where backup-related issues are involved; it is only for testing purposes and log collection in the event the error occurs again. The registry key is a SentinelOne key: when a build that contains the fix is released, the installer will modify the key if needed.
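The following PowerShell script is an added verification example, not part of the Unitrends article or SentinelOne's instructions. It checks, read-only, that the step 3 registry value is present with the expected data, that the VSS writer named in the job log is registered and reports a state, and whether an exported job log still contains the error signatures from the ISSUE section. It assumes an elevated PowerShell session (vssadmin requires it); the function names and the job log path are this example's own placeholders.

```powershell
# Added verification script (not from the Unitrends article or SentinelOne).
# Read-only: confirms the workaround state after steps 1-4; makes no changes.
# Assumptions: elevated PowerShell session; writer name and error strings come
# from the job log excerpt in this article; function names are this example's own.

$ProcMonKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SentinelMonitor\Config\ProcMon'
$WriterName    = 'Sentinel Agent Research Data VSS Writer'   # from the job log excerpt
$ExpectedFlags = 0x10                                         # step 3 value data

function Test-ProcMonFlags {
    # Returns $true only if the DWORD 'Flags' value exists and equals 0x10.
    $item = Get-ItemProperty -Path $ProcMonKey -Name Flags -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning "Flags value not present under $ProcMonKey (step 3 not applied)."
        return $false
    }
    if ($item.Flags -ne $ExpectedFlags) {
        Write-Warning ('Flags is 0x{0:X} but the workaround expects 0x{1:X}.' -f $item.Flags, $ExpectedFlags)
        return $false
    }
    return $true
}

function Get-VssWriterState {
    param([string]$Name)
    # Parses the text output of 'vssadmin list writers' into name/state pairs and
    # returns the entry for $Name, or $null if that writer is not registered.
    $text    = (& vssadmin.exe list writers) -join "`n"
    $pattern = "Writer name: '(?<name>[^']+)'[\s\S]*?State: \[(?<code>\d+)\] (?<state>[^\r\n]+)"
    foreach ($m in [regex]::Matches($text, $pattern)) {
        if ($m.Groups['name'].Value -eq $Name) {
            return [pscustomobject]@{
                Name  = $m.Groups['name'].Value
                State = $m.Groups['state'].Value.Trim()
            }
        }
    }
    return $null
}

function Test-JobLogForWriterError {
    param([string]$Path)
    # Returns the job log lines that match the error signatures shown in the ISSUE section.
    $signatures = @(
        'was not found in the writer components list',
        'failed to get system volume list',
        "Failed to build Volume's list for snapshot"
    )
    $hits = Select-String -Path $Path -SimpleMatch -Pattern $signatures
    return ($hits | Select-Object -ExpandProperty Line)
}

# --- report ---------------------------------------------------------------
$regOk  = Test-ProcMonFlags
if ($regOk) { Write-Host "Registry: Flags = 0x10 present under ProcMon." }

$writer = Get-VssWriterState -Name $WriterName
if ($null -eq $writer) {
    Write-Warning "Writer '$WriterName' is not registered; re-check step 4 (driver reload) and the agent build."
} else {
    Write-Host ("Writer '{0}' state: {1}" -f $writer.Name, $writer.State)
}

# Placeholder path (assumption): point this at an exported Unitrends job log.
$JobLog = 'C:\Temp\unitrends-joblog.txt'
if (Test-Path $JobLog) {
    $errs = Test-JobLogForWriterError -Path $JobLog
    if ($errs) {
        Write-Warning "Job log still contains the writer error:"
        $errs | ForEach-Object { "  $_" }
    } else {
        Write-Host "Job log: no writer error signatures found."
    }
}
```

Run it after step 5 and before replying in step 6: a missing Flags value or an unregistered writer points at an incomplete step, while a clean registry and writer state with the error still in the job log is the case SentinelOne asked to have logs collected for.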

CAUSE

This is a SentinelOne agent issue caused by bad registry keys. SentinelOne will be releasing an update to resolve this issue going forward.
