SentinelOne and OpenVPN connect

Official client software for OpenVPN Access Server and OpenVPN Cloud.
georgeRFCU
OpenVpn Newbie
Posts: 1
Joined: Fri Jan 14, 2022 9:23 pm

Post by georgeRFCU » Fri Jan 14, 2022 9:27 pm

Does anyone here use SentinelOne for their AV/EDR solution? We are having an issue where SentinelOne is detecting OpenVPN Connect as a threat and killing it. The odd thing is that it's after a few days of usage and not immediate. I can whitelist it, but I am just wondering if anyone else has had this experience and has any more information on why this may be.

I'm pasting the threat indicators below, which sound scary but could also just be what the OpenVPN software does:

Evasion

Internal process resource was manipulated in memory
MITRE : Defense Evasion
Indirect command was executed
MITRE : Defense Evasion [T1218][T1202]
Code injection to other process memory space during the target process' initialization
MITRE : Defense Evasion [T1055.012]
MITRE : Privilege Escalation [T1055.012]

Exploitation

Shellcode execution was detected
MITRE : Execution [T1106][T1059]

General

Process started from shortcut file
MITRE : Execution [T1204]

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: SentinelOne and OpenVPN connect

Post by openvpn_inc » Wed Jan 19, 2022 6:49 pm

Hi George,

I'd suggest talking to SentinelOne support about this. We can definitely vouch for our software. Can they vouch for theirs? ;)

regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
