How to Use SentinelOne Rollback to Recover from Ransomware?
Overview
SentinelOne's "Rollback" feature acts as a time machine. If a device is infected with Ransomware, you can reverse the encryption and restore files without needing a backup server.
Prerequisite: The agent must be in "Protect" mode, and VSS (Shadow Copies) must be enabled on Windows.
The Procedure
Identify the Breach: In the Console, go to Incidents. You will see the Ransomware alert.
Select the Threat: Check the box next to the incident.
Click Actions > Mitigation Action.
Select Rollback.
Note: You will also see "Kill" and "Quarantine". Rollback includes these actions automatically.
Apply:
The Agent on the endpoint will kill the malicious process.
It will delete the encrypted files.
It will restore the original files from the local hidden VSS snapshot.
Verify: Ask the user to check their desktop. Their files should reappear instantly.
FAQ
1) What is SentinelOne Rollback used for?
SentinelOne Rollback restores encrypted or damaged files to their original state after ransomware attacks using built-in shadow copy snapshots on the endpoint.
2) What are the prerequisites for SentinelOne Rollback to work?
The SentinelOne agent must be in Protect mode and Windows Volume Shadow Copy Service (VSS) must be enabled before the ransomware incident occurs.
3) Does SentinelOne Rollback require external backups?
No, rollback works using local VSS snapshots created by the SentinelOne agent, allowing recovery even without a separate backup server.
4) What actions are performed automatically during rollback?
Rollback automatically kills malicious processes, quarantines threats, deletes encrypted files, and restores the original files from hidden system snapshots.
5) How can users verify files are restored after rollback?
After rollback completes, users can check their desktop and affected folders to confirm that original files have reappeared and are accessible again.
