SentinelOne VSS Shadow Copies

A server with Sentinel One had 60GB of data in C:\System Volume Information.

Originally thought this was Veeam not cleaning up snapshots, but eventually realised it was Sentinel One’s ransomware protection, which by default takes a snapshot at 4-hourly intervals.

The reason it was taking up so much space on this server was that the maximum shadow copy storage space for the disk was set to “unbounded”.

To check this, run vssadmin list shadowstorage in an elevated command prompt.

Confirmed the standard is to set this to 10%, but to do this we needed to temporarily disable the Sentinel One policy as it protects shadow copies and storage settings from being tampered with.

Once disabled, you can run the following command to set the max size:

vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=10%

Sentinel One policy will need to be enabled again once complete.
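
The same check can be scripted across every volume on a server. The PowerShell below is an added example, not part of the original post: it reads the Win32_ShadowStorage and Win32_Volume WMI classes and flags any shadow storage limit that is unbounded or above 10%. It assumes an unbounded limit is reported in MaxSpace as the UInt64 maximum.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Assumption: Win32_ShadowStorage reports an unbounded limit as the UInt64 maximum.
$Unbounded = [uint64]::MaxValue
$TargetPct = 10   # the 10% limit used in this post

# Index volumes by DeviceID so each storage association resolves to a volume.
$volumes = @{}
Get-CimInstance -ClassName Win32_Volume |
    ForEach-Object { $volumes[$_.DeviceID] = $_ }

$report = foreach ($ss in Get-CimInstance -ClassName Win32_ShadowStorage) {
    $vol  = $volumes[$ss.Volume.DeviceID]       # volume being snapshotted (/For)
    $diff = $volumes[$ss.DiffVolume.DeviceID]   # volume holding the storage (/On)

    # Express the limit as a percentage of the storage volume's capacity.
    $maxPct = $null
    if ($ss.MaxSpace -ne $Unbounded -and $diff -and $diff.Capacity -gt 0) {
        $maxPct = [math]::Round($ss.MaxSpace / $diff.Capacity * 100, 1)
    }

    if ($ss.MaxSpace -eq $Unbounded) {
        $finding = 'UNBOUNDED: set a limit'
    } elseif ($null -eq $maxPct) {
        $finding = 'capacity unknown'
    } elseif ($maxPct -gt $TargetPct) {
        $finding = "above ${TargetPct}%"
    } else {
        $finding = 'ok'
    }

    # Fall back to the raw device path if the volume could not be resolved.
    $name = $ss.Volume.DeviceID
    if ($vol -and $vol.Name) { $name = $vol.Name }

    [pscustomobject]@{
        Volume      = $name
        UsedGB      = [math]::Round($ss.UsedSpace / 1GB, 1)
        AllocatedGB = [math]::Round($ss.AllocatedSpace / 1GB, 1)
        MaxPct      = $maxPct
        Finding     = $finding
    }
}

$report | Format-Table -AutoSize
```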
