To whitelist an item in SentinelOne means to create an exclusion, instructing the agent to ignore specific files, folders, processes, or behaviors that might otherwise be flagged as malicious but are known to be legitimate. This is crucial for preventing false positives and ensuring the smooth operation of legitimate software.
Understanding Whitelisting (Exclusions) in SentinelOne
SentinelOne's robust endpoint protection can sometimes identify legitimate applications or processes as threats due to their behavior or characteristics. Whitelisting, or creating an exclusion, tells SentinelOne to permit these items to run without interference, alerts, or remediation actions. It's a key administrative task to balance security with operational efficiency.
Step-by-Step Guide to Creating a Path Exclusion
Creating an exclusion for a specific file or folder path is a common method of whitelisting in SentinelOne. Follow these steps to set up a new path exclusion:
- Navigate to the Exclusions Tab:
  - From your SentinelOne Management Console, select Sentinels from the sidebar menu.
  - Then, navigate to the Exclusions tab.
- Initiate a New Exclusion:
  - Click on the New Exclusion or Create Exclusion button to open the exclusion configuration window.
- Choose the Path Option:
  - In the New Exclusion window, select the Path option. This specifies that you want to whitelist based on a file or folder location.
- Specify the Path:
  - In the Path field, enter the exact path to the file, folder, or process you wish to whitelist.
  - Examples:
    - C:\Program Files\MyApplication\app.exe (for a specific executable)
    - C:\Program Files\MyApplication\* (for all files within a specific folder)
    - C:\CustomScripts\*.ps1 (for all PowerShell scripts in a folder)
    - %ProgramData%\MonitoringTool\* (using environment variables for common system paths)
  - Use wildcards (* for multiple characters, ? for a single character) cautiously to avoid overly broad exclusions that could reduce security.
- Configure Exclusion Mode:
  - Under the Exclusions mode section, select Suppress Alerts. This mode is typically used for whitelisting as it prevents SentinelOne from generating alerts or taking any remediation actions (like quarantining or killing a process) on events originating from the specified path. Other modes, such as "Detect" or "Monitor," might be used for specific auditing or testing scenarios where you still want visibility without full suppression.
- Save the Exclusion:
  - Review all your settings to ensure the path and mode are correct.
  - Click Save to apply the new exclusion.
Once saved, the SentinelOne agents will receive the new exclusion policy, and the specified items will no longer be flagged or acted upon by the security software.
Important Considerations for Path Exclusions
- Specificity: Be as specific as possible with your paths. Overly broad exclusions (e.g., C:\*) can significantly weaken your security posture.
- Environment Variables: Use environment variables (e.g., %ProgramFiles%, %AppData%) where appropriate to make exclusions portable across different systems and user profiles.
- Testing: Always test your exclusions on a small group of endpoints before deploying them broadly, to confirm they resolve the issue without introducing new vulnerabilities or issues.
Other Types of SentinelOne Exclusions
While path exclusions are common, SentinelOne offers other powerful exclusion types for more granular control:
Hash Exclusions
Hash exclusions are ideal for whitelisting specific, unchanging files. A file's cryptographic hash (e.g., SHA-256) identifies its exact contents; any change to the file, including a vendor update, produces a different hash. If you know the exact hash of a legitimate file that is being flagged, creating a hash exclusion ensures only that precise file is whitelisted, regardless of its location or filename.
- When to use: For static files like installers, signed binaries, or known-good application components.
- Benefit: Highly secure, as it targets only one specific version of a file; the trade-off is that the exclusion must be recreated whenever that file is updated.
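To make the "one precise file" property concrete, here is an added example (not SentinelOne code) that builds a hash exclusion record from a file and checks candidate files against it. The record fields (reason, approver, creation date) are an assumption for illustration; the console keeps its own fields. The scenario is constructed: an original build, a renamed copy, and a patched build written to a temporary directory.

```python
"""Build and check a hash-based exclusion record.

Added example, not SentinelOne code. The record layout is an assumption for
illustration; only the hashing itself (SHA-256 over the file bytes) is
standard.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import date


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass(frozen=True)
class HashExclusion:
    sha256: str
    description: str   # human-readable name of the file as submitted
    reason: str        # why it was flagged and why it is known-good
    approved_by: str
    created: date

    @classmethod
    def from_file(cls, path: str, reason: str, approved_by: str) -> "HashExclusion":
        """Hash the file on disk and record who approved the exclusion and when."""
        return cls(sha256_of_file(path), os.path.basename(path), reason, approved_by, date.today())

    def covers(self, path: str) -> bool:
        """True only for a byte-identical file, whatever its name or location."""
        return sha256_of_file(path) == self.sha256


def demo() -> dict:
    """Constructed scenario: original build, a renamed copy, and a patched build."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "app.exe")
        renamed = os.path.join(tmp, "other_name.bin")
        patched = os.path.join(tmp, "app_v2.exe")
        payload = b"constructed-binary-content-v1"  # stand-in for real file bytes
        for p, data in ((original, payload), (renamed, payload), (patched, payload + b"+patch")):
            with open(p, "wb") as fh:
                fh.write(data)
        excl = HashExclusion.from_file(
            original, "flagged by behavioral AI; build confirmed with vendor", "secops-lead"
        )
        return {
            "renamed_copy_covered": excl.covers(renamed),    # same bytes, different name
            "patched_build_covered": excl.covers(patched),   # one byte more: not covered
            "hash_length": len(excl.sha256),
        }


if __name__ == "__main__":
    print(demo())
```

The renamed copy is covered because the exclusion keys on content, not on name or path; the patched build is not, which is exactly why a hash exclusion has to be refreshed after every update of the file.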
Certificate (Publisher) Exclusions
This method allows you to whitelist applications based on their digital signature or the certificate used to sign them. Many reputable software vendors sign their executables.
- When to use: For legitimate applications from trusted vendors (e.g., Microsoft, Adobe, major security vendors).
- Benefit: Whitelists all applications signed by a specific trusted publisher, reducing the need for individual file/path exclusions for that vendor. The exclusion is only as trustworthy as the publisher's signing practices, so reserve it for vendors you genuinely trust.
Behavioral Exclusions
Behavioral exclusions target specific process behaviors rather than file paths. If a legitimate application exhibits a behavior that SentinelOne's behavioral AI might deem suspicious, you can create a behavioral exclusion to allow that specific action for that process.
- When to use: When a legitimate application performs actions like injecting code, modifying system files, or interacting with other processes in a way that triggers an alert, but is part of its normal operation.
- Benefit: Allows fine-grained control over specific behaviors without whitelisting the entire application if other parts of it might still be a risk.
For more detailed information on SentinelOne exclusions and best practices, refer to the official SentinelOne Support Documentation.
Best Practices for SentinelOne Whitelisting
To maintain a strong security posture while effectively managing exclusions:
- Be Specific: Never create overly broad exclusions unless absolutely necessary and thoroughly justified.
- Document Everything: Keep a record of all exclusions, including the reason for creation, the date, and who approved it.
- Regularly Review: Periodically review your exclusion list. Remove any exclusions that are no longer needed or that could pose a risk.
- Test Thoroughly: Implement exclusions on a pilot group of endpoints before rolling them out to your entire organization.
- Understand the Risk: Every exclusion slightly lowers your security coverage. Only create exclusions for known-good items and after careful consideration.
By following these guidelines and utilizing the various exclusion methods, you can effectively whitelist necessary items in SentinelOne, ensuring both robust security and operational continuity.