Resolving CYRISMA Agent Issues with SentinelOne Security
Are you experiencing scanning issues with the CYRISMA Agent while using SentinelOne security? Many organizations have encountered this problem due to SentinelOne blocking PowerShell, which prevents the CYRISMA Agent from performing critical scanning tasks. Luckily, this issue can be resolved with a simple update or policy change.
How to Identify if You Are Affected
To determine if your CYRISMA Agent is impacted, check the CYRISMA Agent log for the following error:
jsaf.provider.windows.powershell.PowershellException: Cannot find a variable with the name 'AmsiContext'.Cannot find a variable with the name 'AmsiInitFailed'.
If this error appears, it indicates that SentinelOne is blocking PowerShell, which is causing the CYRISMA Agent scan failures.
Resolution Steps
To resolve this issue, you can either update your SentinelOne version or apply a temporary policy override.
1. Update SentinelOne
The easiest fix is to update SentinelOne to version 21.7.4 or later. This update resolves the issue where SentinelOne blocks PowerShell, allowing the CYRISMA Agent to function properly.
2. Apply a Policy Override (Optional)
If you’re unable to update SentinelOne right away, you can apply a policy override to disable PowerShell protection temporarily. To do this, use the following policy override within SentinelOne:
{ "powershellProtection": false }
3. Restart the CYRISMA Agent Service
After updating SentinelOne or applying the policy override, ensure that all SentinelOne agents have received the new version or policy update. Once confirmed, restart the CYRISMA Agent Service to allow it to resume scanning.
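The three steps above can be checked on an affected Windows host with the following script, which is an added example and not code from CYRISMA or SentinelOne. The log path is a placeholder, and the service and installed-program name patterns are assumptions to adjust for your installation.

```powershell
# Added example. Paths and name patterns are assumptions, not values from CYRISMA or SentinelOne.
param(
    [string]$LogPath        = 'C:\PLACEHOLDER\cyrisma-agent.log', # placeholder: set to your agent log
    [string]$ServicePattern = 'CYRISMA*',                         # assumed service display-name pattern
    [string]$S1Pattern      = '*Sentinel*',                       # assumed installed-program name pattern
    [switch]$Restart                                              # restart the service only when asked
)
$fixedVersion = [version]'21.7.4'   # first fixed release named in the article

# Step 1: search the agent log for the AMSI error text quoted in the article.
$markers = "Cannot find a variable with the name 'AmsiContext'",
           "Cannot find a variable with the name 'AmsiInitFailed'"
$hits = @(Select-String -LiteralPath $LogPath -Pattern $markers -SimpleMatch -ErrorAction Stop)
if ($hits.Count -eq 0) {
    Write-Output "No AMSI error found in $LogPath; this host does not show the symptom."
    return
}
Write-Output ("Found {0} matching log line(s); last at line {1}." -f $hits.Count, $hits[-1].LineNumber)

# Step 2: read the installed SentinelOne version from the uninstall registry keys.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$s1 = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
      Where-Object { $_.DisplayName -like $S1Pattern -and $_.DisplayVersion } |
      Select-Object -First 1
$installed = $null
if ($s1 -and [version]::TryParse($s1.DisplayVersion, [ref]$installed)) {
    if ($installed -lt $fixedVersion) {
        Write-Output "SentinelOne $installed is older than $fixedVersion; update it or apply the policy override."
    } else {
        Write-Output "SentinelOne $installed already includes the fix."
    }
} else {
    Write-Output 'SentinelOne version not detected; confirm it in the SentinelOne console.'
}

# Step 3: restart the agent service once the update or override has reached this host.
if ($Restart) {
    Get-Service -DisplayName $ServicePattern -ErrorAction Stop | Restart-Service -PassThru
} else {
    Write-Output 'Re-run with -Restart once the update or override has reached this agent.'
}
```

Old error lines stay in the log after the fix, so compare the reported last line number between runs to confirm that no new errors are being written. Restarting the service requires an elevated PowerShell session.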
Conclusion
Once the SentinelOne update or policy override is applied and the CYRISMA Agent Service is restarted, the CYRISMA Agent should function normally and scanning should resume without further issues.