Date: November 25, 2025
​Status: In Progress

Liongard recently deployed an update to the Liongard Agent that unintentionally introduced instability in some partner environments. The update included a new Nmap-based enhancement for Network Discovery, but the way this capability was packaged and distributed resulted in several endpoint protection platforms—most notably SentinelOne—flagging legitimate components as malicious.

This issue was not due to a security compromise, but rather to how the Nmap integration was implemented in the agent. Some security solutions interpreted the bundled Nmap installer as a threat, leading to quarantines and—in more severe cases—temporary loss of network connectivity on protected endpoints.

Liongard takes full responsibility for the disruption this caused.

To immediately mitigate partner impact, we are releasing Agent version 5.1.1, which removes the Nmap integration entirely and clears existing Nmap files from the Liongard Agent directory. This rollback will temporarily pause Network Discovery functionality until it is reintroduced with a more compatible, rigorously validated design in version 5.1.2.

Agent versions 5.0.4 through 5.1.0 introduced Nmap to expand Network Discovery capabilities. Although secure and intentional, the method of bundling this tool resulted in some EDR/AV vendors misidentifying it as a “Hacking Tool.”

Because of this misalignment between our packaging approach and security vendor expectations, certain policies responded aggressively, quarantining files or disabling network adapters entirely.

The issue originated from how the Nmap installer was included and delivered within the Liongard Agent. While Nmap itself is widely used and trusted, our deployment approach triggered behavior- and signature-based detections in several protection platforms.

This was a preventable integration challenge on our part, and we are taking action to ensure it does not recur.

To stabilize partner environments, Agent 5.1.1 will:

Work is already underway on Agent 5.1.2, which will restore Network Discovery using an approach that aligns with modern EDR expectations and vendor security criteria.

Liongard is committed to learning from this event and improving both our release processes and our diligence around security vendor compatibility.

We are expanding testing and validation across multiple EDR/AV vendors—including SentinelOne, CrowdStrike, and Microsoft Defender—to ensure future changes are recognized as safe before release.

Before introducing utilities or scanning tools like Nmap, our engineering teams will now perform deeper compatibility reviews tailored to how EDRs evaluate installers, command-line utilities, and network-scanning behaviors.

Future architectural updates will be accompanied by:

We are enhancing our release pipeline to include:

These steps are designed to prevent similar disruptions and ensure future enhancements are introduced with the necessary rigor and validation.

We acknowledge the disruption this incident caused and take responsibility for the impact on your operations. Our team is fully committed to resolving the issue, restoring full functionality, and implementing the improvements needed to prevent this from happening again.

Thank you for your continued partnership and patience as we work through this with urgency and care. If you have any questions or need support with affected endpoints, please reach out to Liongard Support.