SentinelOne (S1) just destroyed Atera

alberto
alberto Member Posts: 9

One of my clients runs S1 and it's now classified as ransomware. 50+ endpoints were all quarantined and disconnected from the network.

Fun times…

Don't forget to add those exclusions for Atera now I guess. Never had a need until now.

Comments

  • gilgi
    gilgi Administrator, Moderator Posts: 101 admin

    Hey,

    Our team is on this and checking! I'll update when I have some more info, thanks for flagging this.
    You're most welcome to share your exclusion how-to with the community for others to learn from :)
    SentinelOne offers some KB articles about this as well.

  • gilgi
    gilgi Administrator, Moderator Posts: 101 admin

    Hey, our security team had a look at this:

    We checked in VT and it seems that SentinelOne does not block Atera.

    It is worth recommending to the technicians to update to the latest version of Atera and of course check in the settings of the antivirus that it does not block PUA.


  • bzortman
    bzortman Member Posts: 1

    We had the same issue on Friday. More than 400 agents were flagged and network disconnected.

    We are still dealing with the fallout.

  • gilgi
    gilgi Administrator, Moderator Posts: 101 admin

    Sorry to hear @bzortman

    Our team has contacted SentinelOne support to investigate this further. I'll be updating when I learn more.
    I've also made sure to update the relevant CSM!

  • gilgi
    gilgi Administrator, Moderator Posts: 101 admin

    From our security team:

    We are aware that an older Atera agent version (1.8.3.1) is being incorrectly flagged by SentinelOne. We are working with SentinelOne to have this classification removed as soon as possible.
    As a workaround, we recommend whitelisting Atera.
    If you need assistance, please contact our support team or refer to this Knowledge Base article.

  • mjones
    mjones Member Posts: 169 ✭✭✭✭

    To be fair, all RMM tools are RATs and many are used by ransomware groups.
    It's always best practice to exclude, just in case.