
When Remote Support Tools Trigger False Positives in Endpoint Security

November 25, 2025 8 min read

A real-world look at how an outdated remote support agent triggered multiple SentinelOne alerts, why it happened, and what it teaches us about modern endpoint protection.

Introduction

Even in environments with strong security tools, unexpected alerts can appear that look alarming at first glance. During a recent support session, multiple endpoints suddenly reported SentinelOne attempting to "uninstall itself" and flagged a remote support installer as malicious. What followed was an investigation that turned out not to be a compromise, but a fascinating example of how endpoint protection reacts to outdated software.

What Happened

During a ScreenConnect session to a customer machine, several endpoints simultaneously raised SentinelOne alerts. The alert details referenced ScreenConnect.ClientSetup.exe together with opaque file names such as f_000083, generic names that on their own look like the unpacked fragments a malware dropper leaves behind. SentinelOne also placed several systems into a temporary "Pending Uninstall" state.

Initially, this looked like coordinated malicious behavior. However, digging into logs, installer metadata, and the behavior timeline revealed a different story: the installed ScreenConnect agent on the endpoint was outdated and attempted to auto-update itself the moment a support session began. The update package it tried to pull down was signed with a revoked code-signing certificate, causing SentinelOne to immediately classify it as untrusted.

Technical Details

ScreenConnect's update mechanism extracts new binaries into a temporary system directory before swapping them into place. In this case, the package being downloaded came from a cached set of older ScreenConnect installers stored on the remote support server. These older packages were built before ConnectWise rotated their certificates due to a widely publicized security issue.

Because the certificate had been revoked at the authority level, SentinelOne flagged both the main installer and each internal component extracted during the update process. These components appeared in SentinelOne as files named f_0000xx — not actual malware, but fragments of the blocked installer.

Additionally, ScreenConnect's update routine involves operations like replacing services and writing into protected directories, behavior that strongly resembles tampering. SentinelOne's tamper protection interpreted this as a potential attempt to disable the agent, resulting in "Pending Uninstall" indicators.
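The investigation above came down to one question: is the binary the agent is trying to install signed, and is the signing certificate still trusted? The following PowerShell script is an added example, not code from the original post or from ConnectWise or SentinelOne, that checks both for every executable, DLL and f_* fragment under the directories a ScreenConnect client and its update routine typically touch. The paths, the f_* filter and the revocation settings are assumptions; adjust them to the host. Note that Get-AuthenticodeSignature alone reports whether the signature is well-formed, not whether the certificate has since been revoked, so the script builds the certificate chain with online revocation checking to surface a revoked signer.

```powershell
<#
  Added example (not from the original post): list files under a remote-support
  agent's install and staging directories whose Authenticode signature is not
  valid or whose signing certificate chain reports a problem such as revocation.
  Paths are assumptions for a typical ScreenConnect client install; adjust them.
#>
param(
    [string[]]$Paths = @(
        "${env:ProgramFiles(x86)}\ScreenConnect Client*",  # assumed client install location
        "$env:SystemRoot\Temp"                              # assumed update staging directory
    )
)

function Test-SignatureAndRevocation {
    param([Parameter(Mandatory)][string]$File)

    # Authenticode status: Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig = Get-AuthenticodeSignature -FilePath $File

    $result = [ordered]@{
        File        = $File
        SigStatus   = $sig.Status
        Signer      = $null
        ChainStatus = 'n/a'
    }

    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject

        # Build the chain with online CRL/OCSP checking across the whole chain.
        # A revoked code-signing certificate shows up here as 'Revoked', which
        # Get-AuthenticodeSignature by itself does not report.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        # Require the code-signing EKU so a certificate issued for another purpose is flagged.
        $null = $chain.ChainPolicy.ApplicationPolicy.Add(
            [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))

        $null = $chain.Build($sig.SignerCertificate)
        $statuses = $chain.ChainStatus | ForEach-Object { $_.Status }
        $result.ChainStatus = if ($statuses) { $statuses -join ',' } else { 'NoError' }
    }

    [pscustomobject]$result
}

# Executables, libraries and the f_* fragments the update routine extracts.
$files = Get-ChildItem -Path $Paths -Recurse -File -Include *.exe, *.dll, f_* -ErrorAction SilentlyContinue

# Report only what an EDR would have a reason to distrust.
$files |
    ForEach-Object { Test-SignatureAndRevocation -File $_.FullName } |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.ChainStatus -ne 'NoError' } |
    Sort-Object ChainStatus, SigStatus |
    Format-Table -AutoSize
```

Run it from an elevated prompt on an affected endpoint and compare the output with the file paths in the SentinelOne alert: a signer of ConnectWise with a ChainStatus of Revoked on both the installer and the extracted fragments is the pattern this incident produced. One caveat: the chain is evaluated at the current time, so a binary that was timestamped before the certificate's revocation date may still verify as Valid under Windows' own rules even though this script reports the certificate as revoked; treat the two results as complementary rather than contradictory.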

Results

The investigation confirmed that the alerts were not the result of a compromise: an outdated ScreenConnect agent had attempted to auto-update with a cached package signed with a revoked code-signing certificate, and SentinelOne blocked the installer and its extracted components as designed. No other indicators of malicious activity were found on the affected systems.

The key lesson was understanding how endpoint protection platforms judge trust, especially around revoked certificates, and how legitimate tools can unintentionally trigger defensive behavior when outdated.

Conclusion

This incident highlights how crucial it is to keep remote support and agent-based tools fully updated, and to purge stale installer packages from the support server so an old client cannot pull them. An outdated ScreenConnect client attempted to update using a package signed with a revoked certificate, and SentinelOne reacted exactly as it should: by blocking it. While the alerts initially resembled an active attack, deeper analysis found no sign of compromise. It's a strong reminder that not every scary alert is a compromise, but every alert is worth understanding.

cybersecurity EDR incident-response troubleshooting