SentinelOne (S1) just destroyed Atera

alberto
alberto Member Posts: 9
in General

One of my clients run S1 and it's now classified as ransomware. 50+ endpoints were all quarantined and disconnected from the network.

Fun times…

Don't forget to add those exclusions for Atera now I guess. Never had a need until now.

Comments

  • gilgi
    gilgi Administrator, Moderator, Internal Posts: 313 admin

    Hey,

    Our team is on this and checking! I'll update when I have some more info, thanks for flagging this.
    You're most welcome to share your exclusion how-to with the community for others to learn from :)
    SentinalOne offers some KB articles about this as well.

  • gilgi
    gilgi Administrator, Moderator, Internal Posts: 313 admin

    Hey, our security team had a look at this:

    We checked in VT and it seems that Sentinel One does not block Atara.

    It is worth recommending to the technicians to update to the latest version of Atera and of course check in the settings of the antivirus that it does not block PUA.

    image.png


  • bzortman
    bzortman Member Posts: 1

    We had the same issue on Friday. more than 400 agents were flagged and network disconnected

    We are still dealing with the fallout.

  • gilgi
    gilgi Administrator, Moderator, Internal Posts: 313 admin

    Sorry to hear @bzortman

    Our team has contacted SentinalOne support to investigate this further. I'll be updating when I learn more.
    I've also made sure to update the relevant CSM!

  • gilgi
    gilgi Administrator, Moderator, Internal Posts: 313 admin

    From our security team:

    We are aware that an older Atera agent version (1.8.3.1) is being incorrectly flagged by SentinelOne. We are working with SentinelOne to have this classification removed as soon as possible.
    As a workaround, we recommend whitelisting Atera.
    If you need assistance, please contact our support team or refer to this Knowledge Base article.

  • mjones
    mjones Member Posts: 185 ✭✭✭✭
    https://community.atera.com/discussion/503/sentinelone-s1-just-destroyed-atera

    To be fair, all RMM tools are RATS and many are used by ransomware groups.
    It's always best practice to exclude, just in case.

  • mikepage
    mikepage Member Posts: 6

    This is a bit old at this point but this just happened for my clients today as well. Many dozens of computers incorrectly labelled Atera as malicious. Despite adding exclusions I am still unable to use Atera for remote management.

  • jens
    jens Member Posts: 6

    I'm seeing this today too 😭😭

    ... And very often with eset too. Why can't the rmm and Av vendors not fint a way to trust each other??! It's so annoying.

  • gilgi
    gilgi Administrator, Moderator, Internal Posts: 313 admin

    Heya,

    I can confirm that yesterday the S1 issue raised again and was resolved within several hours after they whitelisted us.

    Adding the exclusion is still a good practice and recommended.

  • se
    se Member Posts: 1

    Same thing happened to us last month and again today, even though whitelisted. What's the real long term solution to this?

  • gilgi
    gilgi Administrator, Moderator, Internal Posts: 313 admin
    https://community.atera.com/discussion/comment/3157#Comment_3157

    Could you kindly open a ticket with support? I checked with the reelvant team and there is no known issue that resurfaced. Best to go through the help widget in-app (?) button and start from there!

Topics