How to Temporarily Disable SentinelOne

If you are running SentinalOne (an excellent next generation, behavior based malware detection system) you likely know that there no obvious way to temporarily disable it.  This is unfortunate, as it would be very handy for testing.

On the bright side, there are two easy-ish ways to disable SentinalOne on a machine without uninstalling it:

A – Disable SentinalOne Using Groups

Create a new GROUP with a policy that has everything turned off, then put the machine in question into that group

B – Disable SentinalOne via command line:

  1. On the SentinelOne web console, copy the PASSPHRASE
    1. Expand SENTINALS and click on the machine in question
    2. Click the ACTIONS button and select SHOW PASSPHRASE
    3. Copy that passphrase
      How To Disable SentinelOne Actions Show Passphrase
  2. On the machine in question, right click on the START button and select CMD (AS AN ADMIN) or POWERSHELL (AS AN ADMIN)
  3. Change directory to C:\Program Files\SentinelOne\Sentinel Agent <version>
  4. Enter the command: sentinelctl unload -a -H -s -m -k "<passphrase>

When you are done testing you can re-enable the SentinalOne agent with the command: sentinelctl load -a -H -s -m

.

Questions or Comments?