Antivirus Whitelist Recommendations

Good Morning,
Running into an issue which seems to be turning into a game of whack-a-mole. Our org uses SentinelOne for server antivirus, and it keeps flagging various Python scripts, which I know are valid scripts for the modules that are running at the time they get flagged. I didn't see any whitelisting recommendations for antivirus software, so I was just curious if anyone has run into this and how you got around it. I was thinking of just whitelisting anything matching AnsiballZ*.py, but I am not sure if this will cover everything or not.

Any guidance folks have would be greatly appreciated.

–John

Hi,

I faced the same problem although with a different Antivirus solution.

The key here is to identify the task that the AV solution is flagging as malicious inside a playbook.

To give you an example, in my case a task was flagged where I was trying to access registry values in Windows. So I tried to get the same information through PowerShell commands instead of querying the registry.

In your case you may need to rewrite the playbook to sort of fly under the radar of your AV solution.
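Both posts come down to the same first step: before excluding anything, confirm what the quarantined AnsiballZ file actually carries and which task it belongs to. The Python below is an added triage helper, not code from either post or from Ansible. It assumes the layout of Ansible's AnsiballZ wrapper (a `_ANSIBALLZ_WRAPPER = True` marker, with the module zip base64-encoded into a `ZIPDATA` string) and the usual module locations inside that zip; the sample wrapper it builds is constructed to mimic that layout and is not a real Ansible artifact.

```python
import base64
import io
import re
import zipfile

# Assumed layout of Ansible's AnsiballZ wrapper (assumption, not taken from the
# thread): the file carries a "_ANSIBALLZ_WRAPPER = True" marker and the module
# payload as a base64-encoded zip assigned to ZIPDATA inside _ansiballz_main().
WRAPPER_MARKER = "_ANSIBALLZ_WRAPPER = True"
ZIPDATA_RE = re.compile(r'ZIPDATA\s*=\s*"""(.*?)"""', re.DOTALL)

# Where the module itself lives inside the payload zip: current core layout,
# collection modules, and the older flat ansible_module_<name>.py (assumed).
MODULE_PATTERNS = (
    re.compile(r"^ansible/modules/(?:.*/)?(?P<name>[^/]+)\.py$"),
    re.compile(r"^ansible_collections/(?P<ns>[^/]+)/(?P<coll>[^/]+)/plugins/modules/(?:.*/)?(?P<name>[^/]+)\.py$"),
    re.compile(r"^ansible_module_(?P<name>[^/]+)\.py$"),
)


def is_ansiballz_wrapper(text):
    """True if the file looks like an AnsiballZ wrapper rather than arbitrary Python."""
    return WRAPPER_MARKER in text and ZIPDATA_RE.search(text) is not None


def list_ansiballz_payload(text):
    """Decode the embedded zip and return its member names, sorted."""
    match = ZIPDATA_RE.search(text)
    if match is None:
        raise ValueError("no ZIPDATA block found; not an AnsiballZ wrapper")
    raw = base64.b64decode("".join(match.group(1).split()))
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return sorted(zf.namelist())


def payload_module(names):
    """Return the module the payload runs (e.g. 'ping' or 'ns.coll.name'), or None."""
    for name in names:
        if name.endswith("__init__.py"):
            continue
        for pattern in MODULE_PATTERNS:
            m = pattern.match(name)
            if m is None:
                continue
            if "ns" in m.groupdict():
                return "{}.{}.{}".format(m.group("ns"), m.group("coll"), m.group("name"))
            return m.group("name")
    return None


def triage(text):
    """One-shot summary for a quarantined file: is it a wrapper, and which module is inside."""
    if not is_ansiballz_wrapper(text):
        return {"ansiballz": False, "module": None, "members": []}
    members = list_ansiballz_payload(text)
    return {"ansiballz": True, "module": payload_module(members), "members": members}


def build_sample_wrapper(module_path="ansible/modules/ping.py"):
    """Constructed stand-in for a quarantined AnsiballZ_ping.py; not a real Ansible artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("__main__.py", "import runpy\n")
        zf.writestr("ansible/__init__.py", "")
        zf.writestr("ansible/module_utils/__init__.py", "")
        zf.writestr("ansible/module_utils/basic.py", "class AnsibleModule: pass\n")
        zf.writestr(module_path, "def main():\n    pass\n")
    zipdata = base64.b64encode(buf.getvalue()).decode("ascii")
    return (
        "#!/usr/bin/python\n"
        "_ANSIBALLZ_WRAPPER = True\n"
        "def _ansiballz_main():\n"
        "    import base64, zipfile\n"
        '    ZIPDATA = """' + zipdata + '"""\n'
        "\n"
        "if __name__ == '__main__':\n"
        "    _ansiballz_main()\n"
    )


if __name__ == "__main__":
    print(triage(build_sample_wrapper()))
```

Feed `triage()` the contents of the file the AV quarantined: if the payload module is one the playbook really calls at that moment, that is the evidence for a targeted exclusion, and the module name tells you which task to rewrite if you would rather follow the second post's approach. Two caveats for the exclusion itself: AnsiballZ wrappers are only used for POSIX targets (Windows modules are shipped as PowerShell, which is why the reply's case involved a registry task rather than a .py file), and pinning `remote_tmp` in ansible.cfg to a fixed directory lets the exclusion be scoped to that path instead of a global `AnsiballZ*.py` name match that any attacker could reuse.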