I have a long history of shitting on CrowdStrike – and well, with their past it’s pretty warranted – but antivirus software in general does bother the hell out of me. You’re essentially installing something that interrogates everything on your system and injects itself everywhere, hoping it stops a known issue, but it generally ends up causing more issues. Everything from causing downtime by interrogating all of your IO, to making sure you can’t restore databases quickly, or at all, to breaking the most basic of Windows APIs and, of course, the major industry disruption of 2024… but yeah, let’s keep running this crap, after all perceived safety is more important than… running the services you’re supposed to provide… I guess… especially in a time where the largest companies that have all of this stuff configured are still having the worst break-ins from various actors (:cough: AT&T, Comcast, etc. :cough:). BuT MuH SeKuRiTaH!
Well, I’m here today to tell you Sentinel One has thrown its hat in the ring for worst antivirus product! I’ve worked on a multitude of Windows Clusters that get completely and utterly hosed due to this software, which, for whatever reason, decides it really, really, just absolutely hates the Windows Cluster Database and corrupts the hell out of it. Maybe there’s some type of November 5th personal vendetta against it, I don’t know; the owners of the company might have had Windows be mean to them in the past. The point is that running this software seems to have some fun outcomes. Apparently I’m not the only person noticing these issues, as Mike Walsh has a great write-up at Straight Path SQL about similar issues. What I’ve seen so far:
- May corrupt the cluster database
- Kills cluster communications (mostly UDP from what I’ve observed)
- Kills SQL mirroring endpoint communications (TCP)
- May corrupt SQL cluster registry keys (I’ve only had this happen once)
If you’re looking for some type of AV/HIPS/IPS, please don’t use these, though honestly there aren’t really any great ones out there. If you’re forced to use them because the wizard of CSO got high fives from their friends at CSO monthly for joining in the “one of us” chant group, then please make sure you’re putting in the proper exclusions for SQL Server, Windows Failover Clustering and any other features in use (the data, log and backup paths, the cluster database, and the service executables), and that you are not allowing it to inject itself into the process space (kernel space is bad enough).
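The exclusion work described above, pulling SQL Server’s data, log and backup locations, the cluster database folder and the service executables from the node’s own configuration, and then checking whether the agent has loaded anything into the SQL process, can be scripted. The PowerShell below is an added example; it is not Sean’s or Mike’s code and nothing SentinelOne ships. The `-SqlInstance` parameter and its `.` default, the clussvc.exe/rhs.exe entries and the `Get-NonMicrosoftModules` check are my assumptions, and the commented `Add-MpPreference` line applies only when Microsoft Defender is the engine, since SentinelOne and CrowdStrike exclusions are entered in their own consoles.

```powershell
# Added example (not from the post): build the SQL Server / WSFC exclusion list
# from the node's own registry, optionally ask the instance where its files
# really live, and list non-Microsoft modules loaded into sqlservr/msmdsrv.
# Run elevated, in a 64-bit shell, on each cluster node.
param(
    # Assumption: '.' only fits a standalone default instance on this node.
    # For an FCI use the SQL network name, for a named instance HOST\INSTANCE.
    [string]$SqlInstance = '.'
)

function Get-SqlClusterAvExclusions {
    param([string]$SqlInstance = '.')
    $paths = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)

    # 1. The cluster hive (CLUSDB and its transaction logs) lives under
    #    %SystemRoot%\Cluster. This is the database the post describes being corrupted.
    [void]$paths.Add((Join-Path $env:SystemRoot 'Cluster'))

    # 2. Per-instance roots. Instance Names\SQL maps instance name -> instance ID
    #    (e.g. MSSQLSERVER -> MSSQL16.MSSQLSERVER); Setup and MSSQLServer under
    #    that ID hold the binary root, data root and default data/log/backup dirs.
    $sqlRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    $names = Get-ItemProperty "$sqlRoot\Instance Names\SQL" -ErrorAction SilentlyContinue
    if ($names) {
        foreach ($prop in ($names.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $id    = $prop.Value
            $setup = Get-ItemProperty "$sqlRoot\$id\Setup"       -ErrorAction SilentlyContinue
            $mssql = Get-ItemProperty "$sqlRoot\$id\MSSQLServer" -ErrorAction SilentlyContinue
            foreach ($p in @($setup.SQLBinRoot, $setup.SQLDataRoot,
                             $mssql.DefaultData, $mssql.DefaultLog, $mssql.BackupDirectory)) {
                if ($p) { [void]$paths.Add($p) }
            }
        }
    }

    # 3. Defaults miss databases created on other volumes, so when the SqlServer
    #    module is present ask the instance; sys.master_files covers every database.
    if (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue) {
        $q = "SELECT DISTINCT LEFT(physical_name, LEN(physical_name) - CHARINDEX('\', REVERSE(physical_name))) AS dir FROM sys.master_files"
        Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $q -ErrorAction SilentlyContinue |
            ForEach-Object { if ($_.dir) { [void]$paths.Add($_.dir) } }
    }

    # 4. Cluster Shared Volumes (C:\ClusterStorage\...) when the cluster module is installed.
    if (Get-Command Get-ClusterSharedVolume -ErrorAction SilentlyContinue) {
        Get-ClusterSharedVolume -ErrorAction SilentlyContinue |
            ForEach-Object { foreach ($v in $_.SharedVolumeInfo) { [void]$paths.Add($v.FriendlyVolumeName) } }
    }

    # Service executables: the SQL ones follow Microsoft's SQL Server AV guidance;
    # clussvc.exe and rhs.exe (cluster service and resource host) are my addition.
    $procs = @('sqlservr.exe', 'sqlagent.exe', 'sqlbrowser.exe', 'msmdsrv.exe', 'clussvc.exe', 'rhs.exe')
    # Extension exclusions alone are not enough: the CLUSDB hive and the SSAS data
    # folder carry no SQL extension, which is why the paths above matter.
    $exts = @('.mdf', '.ndf', '.ldf', '.bak', '.trn')

    [pscustomobject]@{ Paths = @($paths | Sort-Object); Processes = $procs; Extensions = $exts }
}

function Get-NonMicrosoftModules {
    # A user-mode hook shows up as a loaded module whose company is not Microsoft
    # (an empty CompanyName is reported too). Reading Modules needs elevation.
    foreach ($p in Get-Process -Name sqlservr, msmdsrv -ErrorAction SilentlyContinue) {
        $mods = try { $p.Modules } catch { @() }
        foreach ($m in $mods) {
            $company = $m.FileVersionInfo.CompanyName
            if ($company -notmatch 'Microsoft') {
                [pscustomobject]@{ Process = $p.ProcessName; Pid = $p.Id; Module = $m.FileName; Company = $company }
            }
        }
    }
}

$ex = Get-SqlClusterAvExclusions -SqlInstance $SqlInstance
$ex | Format-List
Get-NonMicrosoftModules | Format-Table -AutoSize

# Defender only; for SentinelOne/CrowdStrike enter the same list in their consoles.
# Add-MpPreference -ExclusionPath $ex.Paths -ExclusionProcess $ex.Processes -ExclusionExtension $ex.Extensions
```

The SSAS data directory is not read here; it is the DataDir value in msmdsrv.ini for the instance and has to be added by hand. Anything listed by `Get-NonMicrosoftModules` that is not your own extended stored procedure or CLR host is a third party sitting inside sqlservr.exe, which is exactly the process-space injection the post says should be turned off.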
SentinelOne also will break SQL backup log chains with the app-aware backup that uses SQL’s VSS service. There is no option, last I checked, to set copy-only backups, so we have an exclusion set up for SQL boxes. I have seen issues with a SQL cluster with a corrupted cluster DB (never proved it was S1).
100%. Blogged about it here – https://straightpathsql.com/archives/2025/03/bizarre-love-triangle-sysadmins-av-tools-and-dbas/ – a while ago also. Whenever we hear of a client that has a cluster DB corrupt we first ask “Do you have Sentinel One?” Then we pray that they have an AG instead of an FCI – way easier to fix the AG.
There’s a setting we show in that blog post that can stop the stupid cluster DB corruption. It’s the “snapshot” they do of the Cluster DB. And then there are exceptions the sysadmins can add. It’s insane. We’ve gone from AVs causing issues all the time, to that being fixed with better filter drivers, to now the new-gen XDR/EDR tools breaking crap all the time in the name of ransomware protection.
Great post as always, Sean.
Mike,
Mind if I add a link to your post from here? Yeah, these seem to come in waves; I’ll get a bunch of people all asking me what’s going on, and I’ve also started asking if they are using this or CrowdStrike (both cause different issues). I never played with Sentinel One, so it’s great to know there are ways to have it break fewer things; I still wish it was 0 things.
“but antivirus software is general” should be “but antivirus software in general”.
Is this because during implementation they haven’t taken the time to implement the product correctly, set up exclusions etc.? Or is it really that bad a product that it isn’t suitable for SQL servers at all?
Even with AGs this would bother me. Those that use the Windows cluster to underpin the HA, regardless of AG or WFC, could both be at risk if that Windows cluster DB is impacted.
Scary stuff.
That’s a fair call-out and I completely agree that if you’re going to implement something new, then it should be implemented correctly. Having said that, I’ve had some of these be implemented with the help of Sentinel One and even _after_ exclusions things still break. It does make you wonder, though, if you have to exclude everything to get it to work… what is it really doing for you? I also had a recent one where the people implementing Sentinel One said that SQL Server should “fix its code to work with Sentinel One so that Sentinel One doesn’t keep breaking it” and I thought to myself, WTAF?
I also find it hard to believe in 2025 that no one knows what application profiles are or how to use similar ideas. Mind boggling.
Today, we had an issue with the S1 agent messing up our SSAS services on a SQL 2022 WSFC with SQL FCI. We recently migrated to SQL 2022 and last night the SSAS service did not come up online; plus, we use lots of CLR and they did not work. Since we recently migrated to 2022, initial triage was focused on it and on whether we missed something during the migration.
Later, as part of narrowing down the issue, our sysadmin disabled the S1 agent on the cluster and everything started working fine again.
I read through the article a couple of weeks back, when it was sent out by Brent Ozar’s daily SQL updates email. We spoke to our sysadmins then, and as a precaution, S1 was running at very minimal scanning levels for SQL nodes with exclusions related to .mdf, .ndf and .ldf files. As luck would have it, it started messing with CLRs and SSAS.