Configure Antivirus Exclusions for SentinelOne

Created by Brent Henderson, Modified on Wed, 8 Apr at 11:01 AM by Brent Henderson

What is a SentinelOne AV exclusion?

A SentinelOne exclusion tells the agent to skip scanning, behavioral inspection, or both for a specified file path or process. Exclusions are required to prevent SentinelOne from interfering with Tanium Client operations, module scans (Patch, Comply, etc.), and dynamically created action packages.

Important: Exclude all Tanium Client and Tanium Server folders, subfolders, files, and processes from on-access scanning. This article assumes Tanium is installed in its default locations. If installed to a non-standard path, additional exclusions may be required — refer to the Tanium Core Platform Deployment Reference Guide: Host system security exclusions. For module-specific exclusions (especially Threat Response and Reveal), consult the Security Exclusions section of Tanium documentation.

Audience

This article is written for Enterprise Service Engineers, Technical Account Managers, and MSP engineers who manage SentinelOne in Tanium customer environments. It applies to new deployments and to any existing environment where SentinelOne exclusions have not yet been configured or validated.

Before You Begin

  • Confirm you have administrative access to the SentinelOne management console.
  • Know the Tanium Client installation path on your endpoints — default paths are listed in the exclusion table below.
  • Review any existing SentinelOne exclusion policies to understand current coverage before making changes.
  • For module-specific exclusions (especially Threat Response and Reveal), consult the Tanium Security Exclusions documentation in addition to the paths below.

Types of SentinelOne Exclusions

SentinelOne supports five exclusion modes. Each provides a different level of monitoring reduction. Select the mode that resolves the performance issue while retaining as much security coverage as possible.

| # | Exclusion Mode | Description |
|---|----------------|-------------|
| 1 | Suppress Alerts | Suppresses alerts for the excluded path without reducing inspection activity. Monitoring continues; detections are silenced. |
| 2 | Interoperability | Reduces some monitoring on the excluded path to improve compatibility with third-party software. |
| 3 | Interoperability Extended | Further reduces monitoring. Note: this mode has been observed to still block Tanium scripts under certain conditions — see Customer Case Example below. |
| 4 | Performance Focus (RECOMMENDED) | Significantly reduces resource consumption for the excluded path. Allows Tanium scripts and child processes to run normally. Recommended starting point for Tanium exclusions. |
| 5 | Performance Focus Extended (RECOMMENDED) | Maximum performance reduction. Use when Performance Focus alone does not fully resolve the issue. |

For full details on each mode, see the SentinelOne Path Exclusion documentation.

Note: The SentinelOne documentation link above is provided for informational purposes and is not vetted or maintained by Tanium.

Recommended Tanium Exclusion Mode

Tanium recommends configuring SentinelOne exclusions using Performance Focus or Performance Focus Extended.

Because Tanium uses both built-in and custom scripts (PowerShell, Python, etc.) to query endpoints and run module operations, SentinelOne can inadvertently block these scripts during Patch or Deploy module scans — and may also prevent Tanium packages from spawning child processes correctly. The Interoperability and Interoperability Extended modes have been observed to be insufficient in some environments.

Customer Case Example

One customer configured SentinelOne with Interoperability Extended as their default exclusion level for Tanium processes. This caused Tanium Patch, Comply, and customer-created PowerShell scripts to stop working entirely.

Resolution: Setting the SentinelOne exclusion for the Tanium Module Server to Performance Focus restored normal operation of all Tanium modules and customer scripts.

Exclusion Path Reference

Apply Performance Focus (or Performance Focus Extended) exclusions to the following paths. Exclude all subfolders and files.

| OS | Path to Exclude | Notes |
|----|-----------------|-------|
| Windows | \Program Files (x86)\Tanium\* and \Program Files\Tanium\* | Covers both 32-bit and 64-bit client installs. Include all subfolders. |
| Linux | /opt/Tanium/TaniumClient/** | Include leading forward slash. Covers all subfolders and files. |
| macOS | /Library/Tanium/TaniumClient/** | Include leading forward slash. Covers all subfolders and files. |

Create a Path Exclusion

All Platforms

Steps

  1. Log in to the SentinelOne management console and navigate to Sentinels > Exclusions.
  2. Click New Exclusion and select Path as the exclusion type.
  3. Enter the appropriate path for your platform from the table above.
  4. Set the Exclusion Mode to Performance Focus. Use Performance Focus Extended only if Performance Focus does not resolve the issue.
  5. Select the appropriate Operating System to scope the exclusion.
  6. Add a description — for example: Tanium Client folder – MSP exclusion.
  7. Assign the exclusion to the correct Site or Group scope for your environment.
  8. Click Save to apply.
  9. Repeat for each additional platform (Windows, Linux, macOS) as needed.

Tip: After adding exclusions, monitor SentinelOne detections and endpoint resource utilization for 24–48 hours to confirm they are taking effect. If Tanium scripts or module scans are still failing, verify path syntax and consider upgrading from Performance Focus to Performance Focus Extended.

Measurable Benefits of Exclusions

CPU Usage

  • Without exclusions, SentinelOne has been observed causing frequent CPU usage of 60–80% with sustained peaks up to 100% during Tanium module activity — including Patch and Comply scans that may fail to run entirely.
  • With Performance Focus exclusions in place, a reduction of 30–50% in CPU usage has been consistently observed across affected endpoints.

Memory Usage

  • SentinelOne kernel mode drivers have been observed consuming 2–6 GB of RAM whenever they actively scan a Tanium module operation such as a Patch or Comply scan. This is particularly impactful on VDIs, web farms, and any endpoint with less than 6 GB of free RAM.
  • Example: On a Windows Server with 8 GB RAM and 6 GB of workload (2 GB free), SentinelOne consumed over 1.7 GB of RAM during a daily Tanium Patch scan — causing significant performance issues multiple times per day. The heavy memory consumption was completely resolved once the required Tanium exclusions were applied.

Why Folder-Level Exclusions Are Recommended

Tanium is a platform for sensors and packages. Any script or action can be deployed to endpoints by a customer's Security or Operations team, meaning a deployment can accumulate 20–40 custom packages over time. Each Tanium action also launches from a dynamically named subfolder (Action_####) under the Tanium Downloads directory, making individual process exclusions impractical to maintain at scale.

Rather than requiring 45–95+ individual AV exclusions for Tanium processes alone, folder-level exclusions covering the paths below represent a balanced, maintainable approach:

  • \Program Files (x86)\Tanium\*
  • \Program Files\Tanium\*
  • /opt/Tanium/TaniumClient/**
  • /Library/Tanium/TaniumClient/**

Important: In certain implementations, adding these exclusions may reduce the security coverage of your AV product and expose devices to additional risk. Always test exclusions in a lab environment before deploying to production. Use the least permissive exclusion mode that resolves the issue, starting with Performance Focus before moving to Performance Focus Extended.

Frequently Asked Questions

Q: How can Tanium be secure if SentinelOne is not actively inspecting it?

A: Tanium has multiple layers of tamper protection that operate independently of AV scanning:

  • Tanium files are digitally signed — if modified or tampered with in any way, they will not load.
  • Tanium NTFS folder permissions are restricted to Local System only, preventing unauthorized modification by non-administrative processes.
  • All Tanium message traffic is signed. Tampered messages are detected and refused, meaning Tanium cannot be used as a vector for man-in-the-middle attacks.
  • An attacker attempting to exploit Tanium would already need Local Administrator access — at which point they have full control of the endpoint through the OS itself, independent of Tanium.
  • Threat actors are far more likely to target user credentials and sensitive data directly rather than attempting to brute-force security tooling.

Q: Why are folder-level exclusions recommended instead of individual process exclusions?

A: Some antivirus software requires excluding the installation directories of the Tanium Client and (for Windows deployments) Tanium Core Platform servers from real-time inspection. Folder exclusions are the recommended best practice for SentinelOne to allow full Tanium functionality.

Because Tanium actions launch from dynamically named subfolders (Action_####) and because customers commonly deploy their own custom scripts and packages over time, individual process exclusions cannot be maintained at scale. A folder-level exclusion covering the Tanium installation directory is the only practical long-term approach.

Q: Why does Tanium require so many exclusions?

A: Tanium is ultimately a platform for sensors and packages. Any script or action a customer's Security or Operations team needs can be pushed to endpoints — custom Python scripts, PowerShell diagnostics, compliance checks, and more. Over time this can result in 20–40 customer-specific packages that must be excluded in addition to Tanium's built-in executables. Folder-level exclusions eliminate the need to maintain an ever-growing list of individual process exclusions in your AV policy.

Q: What if Tanium scripts are still failing after adding exclusions?

A: If Tanium Patch, Comply, or custom scripts continue to fail after adding Performance Focus exclusions, first verify the path syntax is correct for the target OS. Then confirm the exclusion is scoped to the correct Site or Group in SentinelOne. If issues persist, upgrade the exclusion mode to Performance Focus Extended and retest. If problems continue, check whether Tamper Protection settings in SentinelOne are blocking Tanium processes independently of path exclusions.
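
The path-syntax and mode checks described above can be run over a planned exclusion list before it is entered in the console. The following is an added example, not Tanium or SentinelOne code: the os/path/mode entry layout and the sample entries are assumptions constructed for illustration, and paths are compared against the table in this article as written.

```python
# Added example: lint planned SentinelOne path exclusions against this article's table.
# The entry layout (os/path/mode dicts) is an assumption, not a SentinelOne export format.
DOCUMENTED = {
    "windows": [r"\Program Files (x86)\Tanium\*", r"\Program Files\Tanium\*"],
    "linux": ["/opt/Tanium/TaniumClient/**"],
    "macos": ["/Library/Tanium/TaniumClient/**"],
}
RECOMMENDED_MODES = {"Performance Focus", "Performance Focus Extended"}

def _key(os_name, path):
    # Windows paths compare case-insensitively; Linux and macOS paths compare exactly.
    return path.casefold() if os_name == "windows" else path

def lint_exclusion(entry):
    """Return findings for one planned exclusion; an empty list means it matches the article."""
    os_name, path, mode = entry["os"].lower(), entry["path"].strip(), entry["mode"]
    if os_name not in DOCUMENTED:
        return [f"unknown OS: {entry['os']}"]
    findings = []
    if mode not in RECOMMENDED_MODES:
        findings.append("mode is not Performance Focus or Performance Focus Extended")
    if os_name != "windows" and not path.startswith("/"):
        findings.append("missing leading forward slash")
        path = "/" + path  # keep checking the rest of the path
    documented = [_key(os_name, d) for d in DOCUMENTED[os_name]]
    mine = _key(os_name, path)
    if mine in documented:
        return findings
    if any(d.rstrip("*").startswith(mine.rstrip("*")) for d in documented):
        findings.append("broader than the documented path: reduces coverage outside Tanium")
    else:
        findings.append("not in the article's table: typo, wrong OS, or non-default install")
    return findings

def missing_paths(planned):
    """Documented paths not present, as typed, for each OS that appears in the plan."""
    typed = {(e["os"].lower(), _key(e["os"].lower(), e["path"].strip())) for e in planned}
    return [(o, d) for o in DOCUMENTED if any(e["os"].lower() == o for e in planned)
            for d in DOCUMENTED[o] if (o, _key(o, d)) not in typed]

PLANNED = [  # constructed sample input
    {"os": "Windows", "path": r"\Program Files (x86)\Tanium\*", "mode": "Performance Focus"},
    {"os": "Linux", "path": "opt/Tanium/TaniumClient/**", "mode": "Performance Focus"},
    {"os": "Linux", "path": "/opt/**", "mode": "Performance Focus Extended"},
    {"os": "macOS", "path": "/Library/Tanium/TaniumClient/**", "mode": "Interoperability Extended"},
]

if __name__ == "__main__":
    for e in PLANNED:
        print(e["os"], e["path"], "->", lint_exclusion(e) or "OK")
    print("missing:", missing_paths(PLANNED))
```

A non-default install path is reported as not in the table; that finding is a prompt to confirm the path against the Tanium deployment reference, not proof of an error.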
