Overview
Liongard recently implemented a major security enhancement to the Liongard Agent that introduces daily certificate rotation to strengthen supply-chain trust and align with Zero Trust principles.
During this transition, some environments (most notably those running SentinelOne) experienced service disruptions where legitimate Liongard binaries were flagged or quarantined due to the new certificate identity being treated as unknown.
At no point was the integrity or security of the Liongard Agent compromised.
This KB outlines why these detections occurred and, most importantly, how to properly allowlist the Liongard Agent in any antivirus/EDR platform using certificate-based exclusions.
Executive Summary
Liongard transitioned from long-lived certificates to Microsoft-issued daily rotating certificates to reduce trust risk and eliminate long-term key exposure.
These short-lived certificates significantly improve security but caused certain EDR solutions, especially SentinelOne, to treat the signer identity as unfamiliar.
Because the Liongard Agent now changes its certificate and resulting file hash daily, hash-based allowlisting is no longer reliable or sustainable.
Partners must instead configure Certificate / Signer Identity allowlisting to prevent recurrence.
Detailed Technical Analysis
1. The Trigger Event: Modernizing Trust
Liongard moved from static, annually renewed certificates to a High-Frequency Certificate Rotation model:
| Previous Model | New Model |
| --- | --- |
| Certificate valid for 1–3 years | Daily certificate rotation |
| Easier for AV vendors to learn | Strong Zero Trust posture |
| Higher long-term key compromise risk | Minimizes certificate-based attack surface |
This transition ensures no single certificate can be abused for long durations, dramatically improving overall security.
2. The Root Cause: Identity Change & Reputation Reset
Two factors triggered the false positives:
New Signer Identity
Liongard changed its signing provider from SSL.com to Microsoft.
SentinelOne classified the signer as "unknown," leading to quarantines.
Daily Rotation
The certificate, and therefore the file hash, changes every 24 hours.
Allowlisting by hash becomes ineffective because:
Yesterday's hash becomes invalid
Today's agent has a new identity
Tomorrow's agent will have yet another one
Result: Hash-based exclusions must be avoided.
3. Impacted Components
The following legitimate Liongard files were affected:
LiongardAgent.msi
LiongardAgentUpdater.exe
LiongardAgent.exe
Required Resolution: Certificate-Based Allowlisting
To ensure consistent, future-proof operation:
All partners must configure a Certificate / Signer Identity exclusion.
Hash-based exclusions will break daily and are no longer supported.
This signer identity remains stable across all agent updates, even with daily rotation.
Required Certificate Details
| Field | Value |
| --- | --- |
| Exclusion Type | Certificate / Signer Identity |
| Signer Name (Subject) | Liongard, Inc. |
| Issuer | |
Use these values in your AV or EDR platform's Publisher or Certificate allowlisting configuration.
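Before creating the exclusion, it helps to confirm what the binaries on an endpoint are actually signed with. The PowerShell below is an added example, not part of Liongard's KB or tooling; it reports the Authenticode status, signer, issuer, certificate thumbprint and SHA-256 of the three files listed above. The folder path is a placeholder, and the check assumes the certificate's common name equals the Signer Name shown in the table.

```powershell
# Added example. $AgentFolder is a placeholder; the KB does not state an install path.
param(
    [string]$AgentFolder    = 'C:\Path\To\LiongardAgent',
    [string]$ExpectedSigner = 'Liongard, Inc.'   # Signer Name (Subject) from the table above
)

$names = 'LiongardAgent.msi', 'LiongardAgentUpdater.exe', 'LiongardAgent.exe'

$results = foreach ($name in $names) {
    $file = Join-Path $AgentFolder $name
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Warning "Not found: $file"
        continue
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $file
    $cert = $sig.SignerCertificate          # $null when the file is unsigned

    # SimpleName is the certificate's common name; $false = subject, $true = issuer.
    $signer = if ($cert) { $cert.GetNameInfo('SimpleName', $false) }
    $issuer = if ($cert) { $cert.GetNameInfo('SimpleName', $true) }

    [pscustomobject]@{
        File       = $name
        Status     = $sig.Status
        Signer     = $signer
        Issuer     = $issuer
        Thumbprint = if ($cert) { $cert.Thumbprint }
        NotAfter   = if ($cert) { $cert.NotAfter }
        SHA256     = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        # Exact match on a valid signature only: a substring match would accept look-alike names.
        SignerOK   = ($sig.Status -eq 'Valid') -and ($signer -ceq $ExpectedSigner)
    }
}

$results | Format-List
$bad = @($results | Where-Object { -not $_.SignerOK })
if ($bad.Count -gt 0) {
    Write-Warning ("Signer check failed for: " + ($bad.File -join ', '))
}
```

Running it against agent builds from two different days should show Thumbprint and SHA256 changing while Signer stays the same, which is why the exclusion has to key on the signer rather than the hash.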
Guidance for Organizations Using SentinelOne
If your organization uses SentinelOne, you may need to adjust your console settings before configuring Certificate / Signer Identity allowlisting for the Liongard Agent.
Exclusion Interface Note
Some partners have reported that the newer SentinelOne interface hides certificate-based exclusion options unless the console is switched to the Legacy Exclusions experience.
To switch:
Click your user dropdown in the upper-right corner of the SentinelOne console.
Locate the "Exclusions Experience" option.
Change it to "Legacy."
This reveals the full certificate/signer identity exclusion configuration menu.
After switching to Legacy mode, you can proceed with creating the certificate-based exclusion using the Liongard certificate details provided above.
Moving Forward: Liongard Process Improvements
Liongard is implementing several enhancements as part of this transition:
1. Deployment Guide Updates
Deployment KBs will emphasize:
Certificate-based allowlisting as the only supported trust method
Avoiding hash-based allowlisting entirely
2. Pre-Release Vendor Coordination
We are working with:
SentinelOne
CrowdStrike
Microsoft Defender
to ensure global reputation services pre-recognize our new Microsoft-issued certificate chain.
3. Improved Advanced Partner Communication
Major security architecture changes will include:
EDR configuration guidance
Clear migration steps
Expected behavior and remediation notes