SentinelOne Frequently Asked Questions

What is SentinelOne?

SentinelOne is an AI-powered cybersecurity platform (Singularity XDR) used to protect organizational endpoints, cloud workloads, and identity surfaces from malware, ransomware, and advanced threats. It provides autonomous, real-time prevention, detection, and automated response capabilities, including file rollback in the event of ransomware, across network, Windows, and mobile systems.

What can SentinelOne access on a UNBC computer asset?

SentinelOne can see:

  • The name of the computer
  • The last logged on user
  • Whether the endpoint is connected to the SentinelOne console and whether the agent is healthy
  • The IP of the device
  • The operating system and the version running
  • The type of CPU the endpoint has
  • The amount of spare disk space on the hard drive
  • Any alerts or exposures
  • The applications installed on the endpoint and their versions (for patch management and vulnerability management)

What SentinelOne cannot access on a UNBC computer asset:

SentinelOne cannot see:

  • Your browser history
  • Your physical location
  • Any data or information on a device (files, folders or directories)

Which computers are required to have the SentinelOne agent installed?

Every UNBC computer with an asset tag on it will have the SentinelOne agent installed.

The SentinelOne agent has been installed on every server in our ITS environment, and to date it has been successfully deployed to over 450 Windows, macOS and Linux endpoints in our environment. The end users in the original test groups were advised in advance that their devices would be enrolled in SentinelOne, but were not told when the agent would be pushed to their computers. The agent installed quietly, and those end users have reported no noticeable change to their computers.

When is this happening?

We have completed our testing phase and currently all new devices are being automatically enrolled in SentinelOne as part of the deployment process. We will be moving to a full rollout across our environment mid-April.

I have questions, who do I contact?

Please reach out to the InfoSec office by email at infosec@unbc.ca. If you would like to have a conversation with us in person, please reach out to book an appointment.

What are the temporary files on my computer’s hard drive or in my OneDrive site after the SentinelOne agent is installed?

These files are decoy files that act as lures for malware and ransomware. The SentinelOne agent monitors the decoys and raises an alert on any malicious behaviour against them. The decoys are placed in specific folders with open read/write permissions and are usually hidden from users. Starting with agent version 25.2, decoy files are left visible to certain applications to improve ransomware protection.
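The decoy mechanism described above can be illustrated with a small canary-file monitor. The following is an added example written for this FAQ; it is not SentinelOne's code and does not reproduce how the agent works internally. It plants a few decoy files with constructed names in a world-writable folder, records a known-good hash of each, and then reports any decoy that was modified, deleted or renamed, as well as any unexpected file dropped beside them (the kind of change a ransomware run would cause). The `simulate_tampering` step is a constructed test fixture that overwrites and deletes decoys so the detector has something to report; hiding the decoys from users is omitted.

```python
"""Canary (decoy) file monitor: an illustration of decoy-based ransomware detection.

Added example, not SentinelOne's code. Decoy names, folder layout and the
alert format are all constructed for this demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy names chosen to look like files ransomware would target.
DECOY_NAMES = ["Budget_2024.xlsx", "passwords.txt", "tax_return.pdf"]


def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(root):
    """Create the decoy files under `root` and return {name: known-good hash}."""
    root.mkdir(parents=True, exist_ok=True)
    # The FAQ notes decoys live in folders with open read/write permissions;
    # this is best-effort and has no effect on Windows ACLs.
    os.chmod(root, 0o777)
    baseline = {}
    for name in DECOY_NAMES:
        decoy = root / name
        # Random filler gives every decoy a unique, unpredictable hash.
        decoy.write_bytes(f"decoy {name}\n".encode() + os.urandom(64))
        baseline[name] = sha256_of(decoy)
    return baseline


def check_decoys(root, baseline):
    """Compare the decoy folder against the baseline and return a list of alerts.

    Each alert is {"file": name, "event": one of
    "modified" | "deleted_or_renamed" | "unexpected_file"}.
    """
    alerts = []
    for name, digest in baseline.items():
        decoy = root / name
        if not decoy.exists():
            alerts.append({"file": name, "event": "deleted_or_renamed"})
        elif sha256_of(decoy) != digest:
            alerts.append({"file": name, "event": "modified"})
    # Anything new in the decoy folder (e.g. a ransom note) is also suspicious:
    # legitimate software has no reason to write there.
    present = {p.name for p in root.iterdir()}
    for name in sorted(present - set(baseline)):
        alerts.append({"file": name, "event": "unexpected_file"})
    return alerts


def simulate_tampering(root):
    """Constructed fixture standing in for a ransomware pass: overwrite one decoy,
    remove another and drop an extra file. Random bytes are used in place of
    any real encryption."""
    (root / "passwords.txt").write_bytes(os.urandom(128))
    (root / "tax_return.pdf").unlink()
    (root / "README_RESTORE.txt").write_text("constructed ransom-note stand-in\n")


def demo():
    """Plant decoys, confirm a clean check, tamper, and return (clean, after) alerts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "decoys"
        baseline = plant_decoys(root)
        clean = check_decoys(root, baseline)
        simulate_tampering(root)
        after = check_decoys(root, baseline)
    return clean, after


if __name__ == "__main__":
    clean_alerts, tampered_alerts = demo()
    print("clean run:", clean_alerts)
    for alert in tampered_alerts:
        print(f"ALERT {alert['event']}: {alert['file']}")
```

In a real deployment the check would run continuously (an inotify/ReadDirectoryChangesW watcher rather than a rehash on demand) and the alert would carry the process that touched the file, which is what lets an agent stop that process; the example keeps only the detection logic so it runs anywhere offline.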

How does file rollback work, is SentinelOne recording what I am doing?

File rollback isolates a compromised device and reverses malicious modifications. It does not record what you are doing; it reverses system changes made by a malicious actor or by malicious software.

What is network discovery?

Network discovery is a real-time network attack surface control solution that finds and fingerprints all IP-enabled devices on our network, providing global visibility.

For example, if SentinelOne detects a device that does not have a SentinelOne agent installed, it tags it as “unknown” or “unsupported” and treats that device with zero trust. It is like putting up a wall between the UNBC asset with SentinelOne installed and the unknown device. SentinelOne sees even less information about an “unknown” or “unsupported” endpoint: it cannot see the owner’s name or any applications on the device. It can see only the IP address the device had when it was fingerprinted, the time it was first seen on the network, and the manufacturer of the device.

Glossary

  • Compromised device
    • A device—such as a computer, phone, or server—that has been accessed or controlled by an unauthorized individual, often through malware, stolen credentials, or security vulnerabilities. A compromised device may be used to steal data, spread malware, or launch further attacks.
  • CPU
    • The primary component of a computer that performs calculations and executes instructions. Often called the “brain” of the computer, the CPU processes data, runs programs, and manages most operations by interpreting and executing commands from hardware and software.
  • File rollback
    • A security feature that restores files on a device to a previous, known‑good state after an attack—typically after ransomware or malware encryption. Rollback helps undo damage by retrieving clean versions of files from secure backups or shadow copies.
  • Infrastructure Server
    • A server that provides foundational IT services required for an organization’s systems, applications, and networks to operate.
  • Malware
    • Short for malicious software, malware refers to any software created to harm, exploit, or take unauthorized control of a device, system, or network. Common types include viruses, worms, trojans, spyware, and ransomware.
  • Ransomware
    • A type of malware that locks, encrypts, or otherwise makes data and systems inaccessible until the victim pays a ransom. Ransomware often spreads through phishing emails, malicious downloads, or exploit kits and can severely disrupt operations.
  • XDR (Extended Detection & Response)
    • An integrated security approach that collects and correlates data across multiple security layers—such as endpoints, email, identity, network, and cloud—to detect, investigate, and respond to threats more effectively. XDR provides broader visibility and automated remediation compared to traditional, siloed tools.
  • Zero-trust
    • A cybersecurity model based on the principle “never trust, always verify.” Instead of assuming systems or users inside a network are safe, zero‑trust continuously validates identity, device health, and access permissions for every request. It minimizes risk by enforcing least‑privilege access and constant monitoring.