I've been using SentinelOne for a couple of years, and while I'm quite satisfied with its performance as an Endpoint Detection and Response (EDR) tool, I'm running into major issues with backup solutions like Veeam and Cove. We keep experiencing backup failures on critical systems because SentinelOne hogs all the available Volume Shadow Copy Service (VSS) storage. This leaves no space for our backups to operate correctly on several servers.
We reached out to SentinelOne support, and they informed us that it's impossible to change VSS usage across the organization; adjustments can only be made on a per-device basis. They also mentioned that modifying VSS timing would void any support guarantees.
Given this situation, I'm wondering if we need to set up a complicated process where we programmatically disable the SentinelOne agent, clear the VSS snapshots, reset the VSS storage limits, and then re-enable the agent. This sounds overly complex and potentially fragile, relying on multiple APIs and on-device scripts.
I'm looking for advice on:
* Whether there's a viable solution to this issue,
* If there's a backup solution that genuinely works well with SentinelOne,
* If I should consider switching to a different EDR that doesn't rely so heavily on VSS.
Thanks for your insights!
3 Answers
When we had problems with Veeam and SentinelOne, one fix was to permit Veeam to modify the boot configuration for a non-authoritative restore. We also use both Veeam and SentinelOne without any backup issues. It might be worth checking if you can bypass specific VSS writers from being protected by SentinelOne or expanding VSS storage limits as a temporary fix.
I've encountered similar issues with SentinelOne and Veeam, but we managed to fix it by adjusting some policy settings. Here's a sample snippet you might want to try:
```json
{
"antiTamperingConfig": {
"allowSignedKnownAndVerifiedToSafeBoot": true
},
"vssConfig": {
"excludedVssWriters": "",
"vssProtection": true
}
}
```
It’d help if you let me know what version of SentinelOne your systems are on. The compatibility can vary depending on that!
I think the problem isn't really interoperability, but more about VSS settings. It seems like S1 just takes up too much storage when it gets the chance. It’s frustrating that you can’t centrally manage the settings across multiple devices!
I use SentinelOne with Rubrik for backups, and I haven't faced any issues so far. It’s been pretty smooth sailing with no backup failures from my end.
I’m not entirely sure what this policy actually does. Aren't those the default settings? Could you clarify that for me?