• BackupFan
    2
    Hello,

    We use SentinelOne as our antivirus software, and we have been getting incidents involving "Program Files\*company name*\online backup\Cloud.Backup.Scheduler.exe"
    Is this file expected while using MSP360? What is the recommended manner in dealing with SentinelOne as it pertains to MSP360 in order to avoid false positive incidents? Is it recommended to enter the Signer Certificate for Cloud.Backup.Scheduler.exe ? And if so, can you tell me the Signer Certificate for this?
    Thank you.
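    An added check, not from this thread and not MSP360's or SentinelOne's own tooling: before creating a signer-certificate exclusion, read the Authenticode signature and SHA-256 of the flagged file so the exclusion is based on a verified signer rather than a guessed name (the full install path is an assumption; the post only gives a partial path with a placeholder).

```powershell
# Added example: inspect the signature of the flagged binary before whitelisting.
# The path below is an assumption; '<company name>' is a placeholder from the post.
$exe = 'C:\Program Files\<company name>\online backup\Cloud.Backup.Scheduler.exe'

if (-not (Test-Path -LiteralPath $exe)) {
    Write-Error "File not found: $exe"
    return
}

# Authenticode signature details and a content hash to include in the support case.
$sig  = Get-AuthenticodeSignature -LiteralPath $exe
$hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash

[pscustomobject]@{
    Path        = $exe
    SHA256      = $hash
    Status      = $sig.Status                        # Valid, NotSigned, HashMismatch, ...
    Signer      = $sig.SignerCertificate.Subject      # the subject to use for a signer-based rule
    Issuer      = $sig.SignerCertificate.Issuer
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    NotAfter    = $sig.SignerCertificate.NotAfter
    TimeStamper = $sig.TimeStamperCertificate.Subject
} | Format-List

# A signer exclusion only makes sense when the chain actually validates on this host.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'. Do not exclude by signer; send the hash and file to support instead."
}
```

    If the status is Valid, the Subject and Thumbprint shown are what a signer-based exclusion should reference; a NotSigned or HashMismatch result is itself worth reporting to support.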
  • David Gugick
    118
    What is the program reporting? I think you'll need to follow whitelisting procedures with that product, and you may be able to submit the binary to SentinelOne for exclusion, but I'm not sure exactly what the report is. If you want to provide more details, you can do so here.
  • David Gugick
    118
    There's another customer with the same report in the system. I think the best thing for you to do would be to open up a support case directly with the support team. I've added your comments to that particular case. You can submit logs from that machine using the Tools > Diagnostic toolbar option to get things started.
  • BackupFan
    2
    It's reporting it as a threat, though we have experienced false positives before, especially pertaining to MSP360 components.
    The following threat indicators are given:

    INDICATORS (5)
    Evasion
    Internal process resource was manipulated in memory.
    Attempt to evade monitoring using the Process hollowing technique.

    Exploitation
    Shellcode execution was detected.

    Privilege Escalation
    Suspicious Kerberoasting attack. Too many SPN tickets requests.

    General
    User logged on.
  • David Gugick
    118
    It's best to work with support on this, as there's an open case already with another customer reporting similar false positives with SentinelOne. Please submit the logs and work with the support team on a resolution if you're unable to whitelist the application using the posted SentinelOne articles.
  • David Gugick
    118
    I spoke with Support and they are waiting for the logs to be sent. I've also passed on the info you provided in the previous post.
  • BackupFan
    2
    Thank you! I've sent the logs now.