SentinelOne blocking Scan Assistant

I’ve been trying to get the scan assistant working and it seems like S1 is blocking some part of the process. We’ve allowed the 21047 port to talk to the agent and allowed the process but I’m still getting the no credentials supplied message on scans. Has anyone else gotten it to work with S1 on the endpoint?

It’s very possible that the scan assistant is actually working but there is an integration issue that is causing the scans to show as “unknown”. If you download the scan log and open the largest file (probably 4.3.0.scan.log or something) and do a find for “assistant” you will most likely find a line that says something to the effect of “updating scan status of credential SUPPLIED_SUCCESS”. If you find that log it’s safe to say that the scan did indeed authenticate but there is still an integration issue. If this is the case, please open a support ticket.

Yeah, unfortunately the only credential message in the logs is:
2023-01-17T15:07:43 [INFO] [Thread: dce-rpc-log-final-admin-creds-status@10.18.242.73:135] [Site: Ad-Hoc] [10.18.242.73:135/tcp] Logging the final credential status NO_CREDS_SUPPLIED for service CIFS.

Ahh ok, that line is referring to port 135 so it’s referring to the CIFS credentials. If you look through your scan log specifically for port 21047 does it say it found it open or dead?

I don’t see it in the logs, but if I manually run an nmap from the scan engine I get:
PORT STATE SERVICE
21047/tcp filtered unknown

When on the actual endpoint do you see the scan assistant listed under add/remove programs?

Yeah, it’s there. If we disable the S1 firewall function I get a good scan.

So we managed to figure it out. We were looking for some sort of process block and it ended up being a firewall port block that wasn’t getting logged.

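The log checks suggested in the replies above, as an added example (not part of the original thread and not vendor code): it parses credential-status lines in the shape of the one quoted in the thread and reports whether port 21047 or the word "assistant" appears in the scan log at all. The sample lines other than the quoted one are constructed, and the SUPPLIED_SUCCESS wording is approximated from the reply.

```python
import re
from collections import defaultdict

ASSISTANT_PORT = 21047  # Scan Assistant port named in the thread

# Shape of the credential-status line quoted in the thread.
STATUS_RE = re.compile(
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)/tcp\] Logging the final "
    r"credential status (?P<status>\w+) for service (?P<service>\w+)")

def triage(lines, port=ASSISTANT_PORT):
    """Collect credential results per (ip, port, service) and record whether
    the assistant port or the word 'assistant' appears anywhere in the log."""
    port_re = re.compile(rf":{port}(?:/tcp)?\b")
    statuses, assistant_lines, port_seen = defaultdict(list), [], False
    for line in lines:
        port_seen = port_seen or bool(port_re.search(line))
        if "assistant" in line.lower():
            assistant_lines.append(line.strip())
        m = STATUS_RE.search(line)
        if m:
            statuses[(m["ip"], int(m["port"]), m["service"])].append(m["status"])
    return {"statuses": dict(statuses), "port_seen": port_seen,
            "assistant_lines": assistant_lines}

def verdict(result):
    if any("SUPPLIED_SUCCESS" in l for l in result["assistant_lines"]):
        return "AUTHENTICATED"        # scan authenticated; open a support ticket
    if not result["port_seen"]:
        return "PORT_NOT_IN_LOG"      # check reachability of the port from the engine
    return "PORT_SEEN_NO_SUCCESS"

# First line is the one quoted in the thread; everything else is constructed.
THREAD_LOG = [
    "2023-01-17T15:07:43 [INFO] [Thread: dce-rpc-log-final-admin-creds-status@10.18.242.73:135] "
    "[Site: Ad-Hoc] [10.18.242.73:135/tcp] Logging the final credential status "
    "NO_CREDS_SUPPLIED for service CIFS.",
    "2023-01-17T15:07:44 [INFO] [Site: Ad-Hoc] [10.18.242.73:445/tcp] constructed filler line",
]
# Constructed; wording approximated from the reply, not a verbatim product log line.
SUCCESS_LOG = THREAD_LOG + [
    "2023-01-17T15:07:45 [INFO] [Site: Ad-Hoc] [10.18.242.73:21047/tcp] scan assistant: "
    "updating scan status of credential SUPPLIED_SUCCESS",
]

if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("success", SUCCESS_LOG)):
        print(name, verdict(triage(log)))
```

A `PORT_NOT_IN_LOG` result alongside a CIFS-only `NO_CREDS_SUPPLIED` entry matches the situation in the thread, where the port turned out to be filtered by the endpoint firewall.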