SentinelOne Flagging Liongard Agent and Components

Updated over 2 weeks ago

🧩 Important Status Note

A permanent fix is in progress.
Our development team is actively working on a platform-level change that will prevent SentinelOne from incorrectly classifying the Liongard Agent installer or its embedded components as threats.

We will update this article once the fix is released.


šŸ” Root Cause

SentinelOne is currently flagging the Nmap component packaged with the Liongard Agent installer.

What SentinelOne Is Detecting

SentinelOne identifies the following file as malicious and quarantines it:

C:\Program Files (x86)\LiongardInc\LiongardAgent\nmap\nmap-7.97-oem-setup.exe

In some cases, SentinelOne may also flag temporary installation-related files, such as:

C:\Config.Msi\<random>.rbf

ā“Why This Happens

  • Liongard includes a lightweight, embedded version of Nmap for network discovery functions.

  • Some antivirus products classify Nmap packages as “hacking tools” by default, even when bundled legitimately inside trusted software.

  • SentinelOne’s heuristic engine is prematurely terminating the installer and quarantining the affected files.


šŸ› ļø Impact

When the Nmap component is quarantined:

  • The Liongard Agent installer may fail or complete only partially.

  • Subsequent updates or inspections that rely on Nmap may not run correctly.

  • RMM or endpoint logs may show blocked/quarantined events related to the Liongard Agent.


🧩 Agents Not Checking In After SentinelOne Quarantine

In some environments, SentinelOne not only flags the embedded Nmap installer, but also temporary rollback files created by the Windows Installer during the Liongard Agent setup. When this happens, the Liongard Agent service may be prevented from running, and affected agents will stop checking in.

What .rbf Rollback Files Are

During installation of the Liongard Agent MSI, Windows Installer may create files such as:

C:\Config.Msi\<random>.rbf

These files:

  • Are rollback files used by Windows Installer to track the current state of the install.

  • Allow the installer to resume or roll back changes if the installation is paused or fails.

  • Are not required for the Liongard Agent to function in normal day-to-day operation once the installation has completed.

How SentinelOne Can Affect the Agent

When SentinelOne quarantines these rollback files, it may also associate the quarantine event with the Liongard Agent service. In practice, this can result in:

  • The Liongard Agent service being blocked or held in a stopped state.

  • Agents no longer checking in with the Liongard platform.

  • Attempts to manually start the service failing while the quarantine remains active.

The Liongard Agent service is designed to:

  • Attempt to restart twice immediately after a failure.

  • If those attempts fail, continue attempting to restart every 5 minutes indefinitely.

However, as long as SentinelOne maintains an active quarantine related to the Agent’s installer/rollback files, these restart attempts may not succeed.

Recovery Steps When Agents Stop Checking In

If you see Liongard Agents go offline around the same time SentinelOne starts flagging Liongard-related files:

  1. Identify the SentinelOne detections

    • In the SentinelOne console, locate detections/quarantines associated with:

      • The Liongard Agent installer or its embedded Nmap component.

      • Temporary MSI rollback files (for example C:\Config.Msi\<random>.rbf).

  2. Unquarantine the affected files

    • Restore any Liongard-related .rbf rollback files and associated installer components from quarantine.

    • This action may require higher-level SentinelOne permissions (for example, assistance from your security team or SentinelOne administrators).

  3. Allow the Liongard Agent service to restart

    • Once the quarantine is cleared, the Liongard Agent service should:

      • Either restart automatically on its next retry attempt, or

      • Start successfully when restarted manually from services.msc.

    • After the service is running, the agent should resume checking in to Liongard.

  4. Verify recovery in Liongard

    • In the Liongard portal, confirm that:

      • The previously affected agents are now checking in.

      • Any inspectors depending on those agents are again returning fresh data.
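The endpoint-side part of steps 3 and 4 can be checked with a short PowerShell script. This is an added example, not Liongard or SentinelOne tooling: the installer path is the one named in this article, while the service display-name pattern `*Liongard*` is an assumption to adjust for your endpoints. It reports whether the restored Nmap installer is present and carries a valid Authenticode signature, and shows the agent service's state and configured failure actions.

```powershell
# Added example: verify a restored file and the agent service on one endpoint.
# Path taken from this article; the service pattern below is an assumption.
$NmapInstaller  = 'C:\Program Files (x86)\LiongardInc\LiongardAgent\nmap\nmap-7.97-oem-setup.exe'
$ServicePattern = '*Liongard*'   # assumption: adjust to the service name in your environment

function Test-RestoredInstaller {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Still quarantined, or the install never completed
        return [pscustomobject]@{ Path = $Path; Present = $false; SignatureStatus = $null; Signer = $null; Sha256 = $null }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path            = $Path
        Present         = $true
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Get-AgentServiceState {
    param([string]$Pattern)
    Get-Service -DisplayName $Pattern -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            Status      = $_.Status
            # Failure actions as configured in the Service Control Manager
            Recovery    = (& sc.exe qfailure $_.Name) -join "`n"
        }
    }
}

$file = Test-RestoredInstaller -Path $NmapInstaller
$file | Format-List
if ($file.Present -and $file.SignatureStatus -ne 'Valid') {
    Write-Warning 'Signature is not valid; review this file with your security team before allowlisting it.'
}

$svc = Get-AgentServiceState -Pattern $ServicePattern
if (-not $svc) { Write-Warning "No service matching '$ServicePattern' was found." }
$svc | Format-List
```

Recording the signer and SHA-256 from a known-good endpoint gives SentinelOne operators something concrete to compare against when a later detection on the same path needs triage.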

Prevention and Best Practices

To reduce the likelihood of this issue recurring:

  • Review and apply the allowlisting guidance in our Allowlisting Liongard article, ensuring:

    • The Liongard Agent binaries and installer are trusted within SentinelOne.

    • Any install-time rollback artifacts created as part of the Agent MSI are not incorrectly classified as malicious, in accordance with your organization’s security policies.

  • Coordinate with your security team to ensure SentinelOne operators have a clear playbook for:

    • Identifying Liongard-related detections.

    • Restoring necessary files if a false positive quarantine occurs.

    • Confirming that the Liongard Agent service restarts successfully afterward.


⚡ Short-Term Mitigation

Allowlist the Liongard Agent and installer within SentinelOne.

Recommended Actions

Follow the allowlisting guidance in our official documentation:

Allowlisting prevents the quarantining of the Nmap component and ensures normal installation and operation of the Agent.


📌 Additional Notes

  • This behavior is limited to SentinelOne and does not indicate an actual security threat.

  • The Nmap package shipped with the Agent is vendor-signed, safe, and used exclusively for inspection purposes within the Liongard platform.
