⚠️ Important Status Update
✅ This issue is resolved in newer Liongard Agent versions.
The SentinelOne false-positive behavior related to the Liongard Agent installer and embedded components has been addressed starting with Agent version 5.1.1.
Agent version 5.1.2 and later inherit this fix and do not reintroduce the issue.
Partners running the latest supported Agent version should no longer experience SentinelOne quarantining Liongard Agent components during installation or normal operation.
‼️ Environments still running older Agent versions may continue to encounter the behavior described below and should follow the mitigation steps outlined in this article.
Root Cause ✨
In earlier Liongard Agent versions, SentinelOne could incorrectly flag certain components packaged within the Liongard Agent installer—most commonly the embedded Nmap utility—as suspicious or malicious.
Liongard includes a lightweight, embedded version of Nmap as part of the Agent installation to support legitimate inspection and discovery functionality. Nmap is a widely used, industry-standard network scanning tool; however, many endpoint protection platforms classify Nmap-based binaries as dual-use tools because they can also be used in penetration testing scenarios.
SentinelOne’s behavioral and heuristic detection engine evaluates binaries not only by signature, but also by:
File behavior during installation
Process execution patterns
Embedded utilities commonly associated with network enumeration
In earlier Agent versions, this analysis could result in SentinelOne:
Flagging the embedded Nmap installer as a potential threat
Quarantining the file during or immediately after installation
Interrupting the MSI install or update process
In some cases, SentinelOne also quarantined temporary Windows Installer rollback files (.rbf) created during the installation process. When these files were quarantined, the Liongard Agent service could be prevented from starting or recovering successfully, causing agents to stop checking in to the Liongard platform.
This behavior represented a false positive detection and did not indicate malicious activity. The embedded Nmap component is vendor-signed, safely bundled, and used exclusively by the Liongard Agent for authorized inspection purposes.
What SentinelOne Was Detecting 🤔
SentinelOne identified and quarantined the following file during or after installation:
C:\Program Files (x86)\LiongardInc\LiongardAgent\nmap\nmap-7.97-oem-setup.exe
In some cases, SentinelOne also flagged temporary Windows Installer rollback files such as:
C:\Config.Msi\<random>.rbf
Impact on the Liongard Agent 🧐
When SentinelOne quarantined installer components:
The Liongard Agent installation could fail or complete only partially
Agent updates could be interrupted
Inspectors relying on the affected agent could stop running
The Agent might stop checking in to the Liongard platform
Agents Not Checking In After SentinelOne Quarantine 🛜
In some environments, SentinelOne quarantined not only the Nmap component but also Windows Installer rollback (.rbf) files created during installation.
What .rbf Files Are
During MSI installations, Windows may create files like:
C:\Config.Msi\<random>.rbf
These files:
Track installation state for rollback or recovery
Are temporary and install-related
Are not required for day-to-day Agent operation once installation completes
How Quarantining These Files Affected the Agent
When SentinelOne quarantined these files, it could also interfere with the Liongard Agent service, resulting in:
The Agent service failing to start
Agents no longer checking in
Manual service restarts failing while quarantine remained active
The Liongard Agent service:
Attempts two immediate restarts on failure
Continues retrying every 5 minutes indefinitely
However, active quarantine prevented successful recovery.
Recovery Steps (If Agents Stop Checking In) 🧑‍🏫
If Liongard Agents went offline around the same time SentinelOne detections occurred:
1. Identify SentinelOne Detections
In the SentinelOne console, look for detections involving:
Liongard Agent installer files
Embedded Nmap components
Temporary MSI rollback files (C:\Config.Msi\*.rbf)
2. Restore Quarantined Files
Restore any Liongard-related files from quarantine
This may require SentinelOne admin or security team involvement
3. Restart the Liongard Agent Service
Once quarantine is cleared:
The service should restart automatically on its next retry
Or it can be restarted manually via services.msc
4. Verify Recovery
In the Liongard platform:
Confirm agents are checking in
Validate inspectors are returning fresh data
Short-Term Mitigation (For Older Agent Versions) 👨‍🔧
If upgrading immediately is not possible:
Allowlist the Liongard Agent and installer components in SentinelOne
Ensure SentinelOne does not block:
Agent binaries
Installer-related temporary files
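The restore, restart and verify steps under Recovery Steps, and the allowlisting step above, can be checked on the endpoint itself. The PowerShell below is an added example, not Liongard's or SentinelOne's own tooling: it uses the Nmap installer path and rollback folder quoted in this article and assumes the Agent service's display name begins with "Liongard" (adjust $serviceFilter if yours differs). Run it from an elevated session.

```powershell
# Added example: endpoint checks after restoring files from SentinelOne quarantine.
$nmapSetup     = 'C:\Program Files (x86)\LiongardInc\LiongardAgent\nmap\nmap-7.97-oem-setup.exe'  # path quoted in this article
$rollbackDir   = 'C:\Config.Msi'   # MSI rollback folder named in this article
$serviceFilter = 'Liongard*'       # ASSUMPTION: Agent service display name starts with "Liongard"

# 1. Is the flagged file back in place, and is its Authenticode signature intact?
if (Test-Path -LiteralPath $nmapSetup) {
    $sig = Get-AuthenticodeSignature -LiteralPath $nmapSetup
    [pscustomobject]@{
        File            = $nmapSetup
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        SHA256          = (Get-FileHash -LiteralPath $nmapSetup -Algorithm SHA256).Hash
    } | Format-List
    if ($sig.Status -ne 'Valid') {
        Write-Warning 'Signature is not Valid: do not allowlist this file; escalate instead.'
    }
} else {
    Write-Warning "Not found (still quarantined, or never installed): $nmapSetup"
}

# 2. Rollback files that are still present. -Force is needed because the folder is hidden.
$rbf = @(Get-ChildItem -LiteralPath $rollbackDir -Filter '*.rbf' -Force -ErrorAction SilentlyContinue)
'{0} .rbf file(s) present in {1}' -f $rbf.Count, $rollbackDir

# 3. Service state; try one manual start if it is not running.
$services = @(Get-Service -DisplayName $serviceFilter -ErrorAction SilentlyContinue)
if ($services.Count -eq 0) { Write-Warning "No service matches display name '$serviceFilter'" }
foreach ($svc in $services) {
    if ($svc.Status -ne 'Running') {
        try {
            Start-Service -InputObject $svc -ErrorAction Stop
        } catch {
            Write-Warning "Start failed for $($svc.Name): $($_.Exception.Message)"
        }
        $svc.Refresh()   # re-read the status after the start attempt
    }
    '{0}: {1}' -f $svc.Name, $svc.Status
}
```

The signer name and SHA-256 reported in step 1 give the security team something concrete to scope a SentinelOne exclusion to, rather than excluding a whole folder.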
Prevention & Best Practices 🚀
✅ Recommended Action (Strongly Advised)
Upgrade to the latest supported Liongard Agent version.
Newer Agent versions include improvements that prevent SentinelOne from misclassifying embedded components.
Staying current ensures compatibility with modern endpoint security tools and includes the latest security enhancements.
Additional Best Practices
Review and apply allowlisting guidance if required by organizational policy
Coordinate with security teams so SentinelOne operators:
Recognize Liongard-related detections
Know how to restore false positives
Verify Agent service recovery
Allowlisting Guidance 👨‍💻
If allowlisting is required, follow the official documentation:
Additional Notes 🗒️
This issue was specific to SentinelOne and certain earlier Agent versions
It does not represent a real security threat
The embedded Nmap component is vendor-signed and used exclusively for legitimate inspection functionality within Liongard
When to Contact Support 🦁
Contact Liongard Support if:
You are running a current Agent version and still see quarantining
Agents remain offline after restoring files
You need guidance validating Agent version or upgrade paths
Please Include:
Agent version
SentinelOne detection details (screenshots/logs)
Whether the Agent was upgraded or newly installed
Any relevant event or security logs