SentinelOne Troubleshooting: NinjaOne Component Detected as a Threat

Issue

In rare cases, SentinelOne will detect the NinjaOne Patcher or other NinjaOne components (lockhart.exe, Remote, or others) as a threat. 

Environment

  • NinjaOne integrated vendors
  • SentinelOne

Cause

The cause of this issue is currently unknown.

Resolution

NinjaOne recommends creating a Certificate Exclusion in your SentinelOne Web Management portal. If you are using a Unified Exclusion, refer to the section of this article titled Creating Alerts Exclusions in Unified Exclusions Management.

To create the exclusion, perform the following steps:

  1. Sign in to the SentinelOne Web Management console at the account level.
  2. Click Sentinels on the left navigation menu.
  3. Click EXCLUSIONS in the top navigation menu.
  4. Click New Exclusion, then Create Exclusion.

Figure 1: Create a new exclusion in SentinelOne

  5. Enter the data exactly as follows:
    • Exclusion Type: Certificate
    • OS: Windows
    • Signer Identity: NinjaOne LLC
    If the customer is in an environment managed by NinjaOne, both the "NINJARMM, LLC" and "NINJAONE, LLC" signed certificates must be part of the exclusions. New consoles not managed by NinjaOne can allow only "NINJAONE, LLC" signed certificates. The SentinelOne Agent 23.4 SP2 introduces exclusions for the NinjaOne executables.
  6. Click Threats to test if NinjaOne Products will be properly excluded.
  7. Once the information has been entered correctly, click Save.

Figure 2: Configure the new exclusion 

Creating Alerts Exclusions in Unified Exclusions Management

To create the alerts exclusion, perform the following steps:

  1. Set the general details for the exclusion: 
    1. Sign in to the SentinelOne Web Management console at the account level.
    2. Click Sentinels on the left navigation menu.
    3. Click EXCLUSIONS in the top navigation menu.
    4. Click New Exclusion, then Create Exclusion.
    5. For Exclusion Name, give the exclusion a unique identifier.
    6. For Scope, NinjaOne suggests creating the exclusion on the narrowest scope possible. To change the Scope, select Global, an account, site, or group. 
    7. Enter the data exactly as follows:
      • Exclusion type: Alerts
      • Operating System: Select the platform that the exclusion applies to (Windows, macOS, or Linux).
    8. If the Operating System selected is Windows, select the Origin of the alert that you want to suppress:
      • EDR: Suppress alerts related to Endpoint Detection and Response (EDR) engines.
      • Identity: Suppress alerts related to Identity Detection engines.
    9. Click Continue. 

Figure 3: Configure the alert exclusion in SentinelOne

A summary of the exclusion details shows with the option to Create Condition and set specific Detection Engines.

  2. Set conditions for the alert exclusion.
    1. On the exclusion details page, click Create Condition.

Figure 4: Create a condition for an exclusion

To make EDR alerts exclusions more specific, set the agent to suppress alerts from only certain engines.

    2. On the Condition Creation page, click Publisher (also known as "certificate").

Figure 5: Select "Publisher" for the condition parameter

    3. Enter the value for the parameter, exactly as follows: "NINJAONE LLC."

Figure 6: Provide the publisher's name for the condition and optionally specify detection engines

    4. Click Save.
    5. To apply the exclusion, click Publish.
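
Before saving the Certificate exclusion or the Publisher condition described above, it helps to confirm which signer the NinjaOne binaries on an endpoint actually carry and whether any file falls outside it. The following PowerShell is an added example, not NinjaOne or SentinelOne code; the install path is a placeholder, and matching the signer on the certificate subject's simple name is an assumption.

```powershell
# Added example: audit Authenticode signers before relying on a signer-based exclusion.
param(
    # Assumption: placeholder path; point this at the NinjaOne agent folder on the endpoint.
    [string]$Path = 'C:\Path\To\NinjaOne\Agent',
    # Signer names as quoted in this article; trim the list to match your environment.
    [string[]]$ExpectedSigners = @('NINJAONE, LLC', 'NINJARMM, LLC')
)

function Get-SignerName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate) { return $null }   # unsigned file: no signer certificate
    # SimpleName resolves to the subject's common name for code-signing certificates.
    $type = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    return $Certificate.GetNameInfo($type, $false)
}

$results = Get-ChildItem -Path $Path -Recurse -File -ErrorAction Stop |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $signer = Get-SignerName $sig.SignerCertificate
        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer  = $signer
            # Covered only if the signature verifies AND the signer is one we expect.
            Covered = ($sig.Status -eq 'Valid') -and ($ExpectedSigners -contains $signer)
        }
    }

# Signer names actually present, with counts per signature status.
$results | Group-Object Signer, Status |
    Select-Object Count, Name | Format-Table -AutoSize

# Files a signer-based exclusion would not cover.
$results | Where-Object { -not $_.Covered } |
    Format-Table File, Status, Signer -AutoSize
```

Files in the second table are unsigned, fail signature validation, or are signed by a different publisher, so a signer-based exclusion does not apply to them; a detection on one of those files should be investigated rather than handled with a broader exclusion.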
