SentinelOne agent command line tool
06/02/2023 32 People found this article helpful 477,860 Views
Description
SentinelCtl.exe is a command line tool that can be used to executes actions on Agent on a Windows endpoint. This can be typically used to unprotect, unload/disable, load/re-enable, protect and perform policy updates for S1 Agent on your devices. We recommend that you do not use this for any other purpose unless Support suggests.
Press the Windows Start key.
Enter: cmd
Right-click Command Prompt and select Run as administrator.
Go to the [C:\Program Files\SentinelOne\Sentinel Agent <Version>]
To run the tool: SentinelCtl.exe <command> [options]
To see all options of a command: SentinelCtl.exe <command> -help
Resolution
Useful commands are as follows:-
> SentinelCtl.exe unprotect -k "S1 Passphrase"
This disables the anti-tampering. Please refer to end of the article on how to obtain S1 Passphrase.
> SentinelCtl.exe unload -m -a
This Stops the Agent services
> SentinelCtl.exe load -m -a
This Starts Agent services.
> SentinelCtl.exe protect
Set Anti-Tampering. Protects the Agent from unauthorized changes or uninstall.
> sentinelctl unquarantine_net -k <S1 Passphrase>
Connect a disconnected endpoint (remove network quarantine).
> SentinelCtl.exe reload -m -a
Stop and then start the Agent services.
> SentinelCtl.exe is_scan_in_progress
To check if Full Disk Scan is in progress.
Return: Full disk scan in progress: with a value of True or False
> SentinelCtl.exe scan_folder -i path
To scan on a folder
Options:
-i, --infile
Folder to scan. If you do not use this parameter, the complete drive is scanned.
> SentinelCtl.exe is_scan_in_progress
To see if full disk scan is in progress
Returns: Full disk scan in progress: with a value of True or False
> SentinelCtl.exe status
To get the status of Agent services and policy basics.
Notes
Mitigation policy: none - The Agent does not enforce policy with mitigation.
Mitigation policy: quarantineThreat - The Agent enforces policy with kill and quarantine mitigation.
> SentinelCtl.exe ever_connected_to_management
Use this to check if S1 agent ever connected to management
Sample output
Mgmt key part: 4ba007899be132d45a1590ds4f2ff2f2f031c4ffa3
This command requires admin privileges (Run as Administrator) but does not require a passphrase.
> SentinelCtl.exe ie_protection [-e|-d] -k "<passphrase>"
This can be used to Enable or Disable IE protection. Requires reboot to apply.
Options:
-e, --enable
Enable IE protection.
-d, --disable
Disable IE protection.
> SentinelCtl.exe config agent.wscRegistration {1 | 0 } -k "<passphrase>"
Use this command to disable Windows Security Center (WSC). It is not recommended to disable WSC. By default, the SentinelOne Windows Agent registers with WSC as anti-virus protection and Windows Defender is disabled.
>SentinelCtl.exe config [-p] parameter [-d] [-v] value [-f {json | default}] -k "passphrase"
Use this command to change the configuration values of S1 Windows Agent
Options:
-p, --parameter
Specify the parameter to get or change. This flag is optional, but if not used to prefix the parameter name, the -v flag must not be used to prefix the value.
-d, --delete
Undo the change last made to this value through sentinelctl.
-v, --value
Set the configuration of the parameter to this value. If a value is not given, output shows the current value. If the -p flag is not used to prefix the parameter name, the -v flag must not be used to prefix the value.
-f, --format
Output configuration to json format or two-column text. To save as a file, use a redirect.
-k, --key
If Anti-Tampering is enabled on the Agent, all configure commands require validation.
NOTE: S1 Passphrase can be obtained by Capture Client admin (from management console) for the device. Go to "Devices" section and download devices list. Look for "S1 Passphrase" for the respective device in the downloaded list. Screenshots provided below for reference.
Related Articles
Categories