Kill, Quarantine, Remediate and Rollback - SentinelOne

Uncovering the difference between SentinelOne's Kill, Quarantine, Remediate and Rollback actions.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Endpoint Security

The mitigation chain for malicious incidents SentinelOne offers are fourfold, and give the flexibility, speed and efficacy required by organisations to limit their Mean Time To Recovery (MTTR).

Each level includes all the actions taken at the previous mitigation level i.e. Quarantine will Kill a threat first.

Preventative measures - These actions stop damage being caused to the Endpoint.

1.Kill

The Kill option stops the attack in it's tracks. All active content in documents, executables, and sub-processes are stopped. The agent enables Kill for processes that act contrary to normal endpoint behaviour, or do not fit the actions of the application the process is hiding in.

2.Quarantine

The Quarantine option encrypts malicious executables, and moves them to a confined path. Quarantined files can be retrieve from the SentinelOne Management console for further analysis i.e. detonation in a sandbox.

Response measures - These measure are used to restore an Endpoint to a pre-attack state.

3.Remediate

The Remediate response measure removes linked libraries, deletes seed files, and restores the configuration of the OS, application, and user settings to the state before an attack began.

4.Rollback (Windows Only)

Rollback is the last level in the mitigation chain and it restores the endpoint to a saved VSS snapshot, undoing the changes made by the malicious process and its associated assets. This option is best for ransomware mitigation and disaster recovery because it undoes all changes made to files, like encryption.

Disconnect from Network

In addition to the 4 mitigation options covered above, SentinelOne offers the option to disconnect an endpoint from the network. This feature enables an administrator to isolate an endpoint from everything except the SentinelOne management console. This preventative measure can stop an incident spreading whilst you investigate an alert. It is advisable that you avoid performing this action on certain critical infrastructure services such as DHCP servers, AD servers, DNS servers etc.

To request a free demo of the SentinelOne solution, please register your interest here.

©2025 Cyber Vigilance

Powered by Disruptive

+44 (0) 1483 948090

info@cybervigilance.uk

Naggs Stable, Old Portsmouth Road, Guildford, Surrey, England, GU3 1LP