SentinelOne flags the WinUtil.lnk as suspicious #1548
jasonnmoss started this conversation in General
Just a funny story... I shared with our IT team this great script utility that reduces services and installs software.
Then the very next day, I wanted to run the script on some mini PCs to improve performance, so I made the shortcut to put on a thumb drive, but it kept "deleting" automatically.
So I kept trying to create it over and over in different locations. Nothing worked; it would disappear after 1 second. A few hours later I was notified by corporate IT that I could be hacked and to run a manual virus scan.
So I did. Nothing showed up, I was clean, so I kept working. At the end of the day, I was told they had over 1000 alerts and emails on something called WinUtil.lnk on my PC, and it kept alerting IT that I was infected.
Turns out, because we use folder redirection on the domain, the Windows\CSC folder with the offline cache of the Desktop still contained the .lnk file, and it couldn't be deleted by the SentinelOne agent, I assume, so it just kept alerting IT all day that I was infected.
I resolved the issue by using Take Ownership on the CSC folder, then deleting the offline cache copy of the shortcut.
I won't be adding the shortcut again, as it seems an LNK with IEX is something the agent doesn't like.
Great script anyway, I will still enjoy it at home.
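The clean-up the poster describes (take ownership of the Offline Files cache, then delete the cached shortcut) as an added PowerShell example; this is not code from the post or from the WinUtil project. It assumes the default Offline Files cache location under `%SystemRoot%\CSC`, an elevated session, and that the EDR keyed on a shortcut whose target runs a download-and-execute one-liner (the post only says "LNK with IEX", so the `$SuspectPattern` below is an assumption, not the vendor's rule). It also reads each cached `.lnk` through the `WScript.Shell` COM object so you can see what the shortcut actually invokes before deleting it.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post or the WinUtil project.
# Assumptions: default Offline Files cache at %SystemRoot%\CSC, elevated
# session, and a hypothetical regex for "download and execute" shortcuts.
param(
    [string]$CacheRoot      = "$env:SystemRoot\CSC",
    [string]$SuspectPattern = '(?i)\biex\b|Invoke-Expression|\birm\b|Invoke-RestMethod|DownloadString',
    [switch]$DryRun
)

# Step 1: take ownership of the cache tree and grant Administrators full control.
# This mirrors the "Take Ownership" step in the post; the CSC tree is normally
# SYSTEM-owned and unreadable even to local admins.
& takeown.exe /F $CacheRoot /R /A /D Y | Out-Null
& icacls.exe  $CacheRoot /grant 'Administrators:(OI)(CI)F' /T /C | Out-Null

# Step 2: enumerate cached shortcuts and resolve what each one would run.
$shell = New-Object -ComObject WScript.Shell
$cached = Get-ChildItem -Path $CacheRoot -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue

foreach ($lnk in $cached) {
    try {
        $sc  = $shell.CreateShortcut($lnk.FullName)
        $cmd = ("{0} {1}" -f $sc.TargetPath, $sc.Arguments).Trim()
    } catch {
        $cmd = '<unreadable>'
    }

    $suspect = $cmd -match $SuspectPattern
    "{0,-8} {1}`n         -> {2}" -f ($(if ($suspect) { 'SUSPECT' } else { 'ok' })), $lnk.FullName, $cmd

    # Step 3: delete only the shortcuts that match; -DryRun shows what would go.
    if ($suspect) {
        Remove-Item -LiteralPath $lnk.FullName -Force -WhatIf:$DryRun
    }
}
```

Run it once with `-DryRun` to review the list, then without. Deleting files straight out of `CSC` leaves the Offline Files database out of step with its cache; the supported way to get a clean slate is to set the `FormatDatabase` DWORD to 1 under `HKLM\SYSTEM\CurrentControlSet\Services\CSC\Parameters` and reboot, which re-initialises the whole cache. Either way, the alert storm the poster saw is a sign the agent can detect but not remediate inside that directory, so expect the alerts to continue until the cached copy is actually gone.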