NetNXT Logo

How to Unquarantine Files and Create Exclusions in SentinelOne?

January 19, 2026
2 min read
ByNetNXT

Overview

Sometimes SentinelOne marks legitimate software (like custom in-house apps or obscure developer tools) as malicious. This guide explains how to Restore the file and Create an Exclusion to prevent future blocks.

Step 1: Unquarantine a File

If a user reports "My file disappeared," it was likely quarantined.

  1. Log in to the SentinelOne Console.

  2. Navigate to Incidents.

  3. Find the threat (Status will be "Mitigated" or "Quarantined").

  4. Click the threat to open details.

  5. Click Actions > Unquarantine.

    • Result: The file is immediately restored to the user's computer.

Step 2: Creating an Exclusion (The Right Way)

Do not exclude whole folders (like C:\Users\) unless absolutely necessary.

  1. Go to Sentinels > Policy > Exclusions.

  2. Click New Exclusion.

  3. Type:

    • Path: Use for specific folders. Example: C:\Program Files\NetNXT App\

    • Hash: (Best Security) Excludes only that specific version of the .exe.

    • Signer: (Best for Devs) Excludes any app signed by a specific digital certificate.

  4. Mode: Select Interoperability - Extended.

    • Why? This reduces the monitoring hooks SentinelOne places on the app, fixing performance issues or crashes.

FAQ

1) How do you restore a quarantined file in SentinelOne?

Open the SentinelOne console, go to Incidents, select the quarantined threat, and choose Actions > Unquarantine to immediately restore the file to the original location.

2) What is the safest way to create an exclusion in SentinelOne?

The safest method is using a file hash exclusion because it allows only that specific version of the application while keeping full protection against other threats.

3) When should signer-based exclusions be used?

Signer exclusions are best for developer tools or in-house applications that update frequently but are signed with a trusted digital certificate.

4) Why should whole-folder exclusions be avoided in SentinelOne?

Excluding large folders reduces endpoint security visibility and can allow real malware to execute without protection, increasing security risk.

5) What does Interoperability Extended mode do in SentinelOne?

Interoperability Extended mode reduces monitoring hooks on trusted applications to prevent crashes or performance issues while still keeping core security protections active.

Was this article helpful?