Liongard Agent Update & SentinelOne False Positive

Update timeline

1. identified Nov 25, 2025, 11:05 PM UTC

   --Executive Summary Liongard recently deployed an update to the Liongard Agent that unintentionally introduced instability in some partner environments. The update included a new Nmap-based enhancement for Network Discovery, but the way this capability was packaged and distributed resulted in several endpoint protection platforms—most notably SentinelOne—flagging legitimate components as malicious. This issue was not due to a security compromise, but rather to how the Nmap integration was implemented in the agent. Some security solutions interpreted the bundled Nmap installer as a threat, leading to quarantines and—in more severe cases—temporary loss of network connectivity on protected endpoints. Liongard takes full responsibility for the disruption this caused. To immediately mitigate partner impact, we are releasing Agent version 5.1.1, which removes the Nmap integration entirely and clears existing Nmap files from the Liongard Agent directory. This rollback will temporarily pause Network Discovery functionality until it is reintroduced with a more compatible, rigorously validated design in version 5.1.2. --Detailed Technical Analysis --What Happened Agent versions 5.0.4 through 5.1.0 introduced Nmap to expand Network Discovery capabilities. Although secure and intentional, the method of bundling this tool resulted in some EDR/AV vendors misidentifying it as a “Hacking Tool.” Because of this misalignment between our packaging approach and security vendor expectations, certain policies responded aggressively, quarantining files or disabling network adapters entirely. --Root Cause The issue originated from how the Nmap installer was included and delivered within the Liongard Agent. While Nmap itself is widely used and trusted, our deployment approach triggered behavior- and signature-based detections in several protection platforms. This was a preventable integration challenge on our part, and we are taking action to ensure it does not recur. --Immediate Remediation: Agent 5.1.1 To stabilize partner environments, Agent 5.1.1 will: · Fully remove the Nmap installer from the agent · Remove any existing Nmap files from previously installed versions · Prevent further EDR false positives related to this release · Temporarily suspend Network Discovery Inspector functionality Work is already underway on Agent 5.1.2, which will restore Network Discovery using an approach that aligns with modern EDR expectations and vendor security criteria. --Moving Forward: Improvements & Preventive Measures Liongard is committed to learning from this event and improving both our release processes and our diligence around security vendor compatibility. 1. Strengthened Pre-Release Testing With Security Vendors We are expanding testing and validation across multiple EDR/AV vendors—including SentinelOne, CrowdStrike, and Microsoft Defender—to ensure future changes are recognized as safe before release. 2. Enhanced Packaging & Architecture Review Before introducing utilities or scanning tools like Nmap, our engineering teams will now perform deeper compatibility reviews tailored to how EDRs evaluate installers, command-line utilities, and network-scanning behaviors. 3. Earlier & More Detailed Partner Communication Future architectural updates will be accompanied by: · Clear technical preparation steps · Updated EDR allowlisting guidance · Early communication for partners with strict security postures 4. Expanded Internal Validation We are enhancing our release pipeline to include: · Multi-vendor false-positive testing · Behavior-based security scanning These steps are designed to prevent similar disruptions and ensure future enhancements are introduced with the necessary rigor and validation. --Closing Statement We acknowledge the disruption this incident caused and take responsibility for the impact on your operations. Our team is fully committed to resolving the issue, restoring full functionality, and implementing the improvements needed to prevent this from happening again. Thank you for your continued partnership and patience as we work through this with urgency and care. If you have any questions or need support with affected endpoints, please reach out to Liongard Support. https://support.liongard.com/en/articles/12936905-incident-review-liongard-agent-update-sentinelone-false-positive

2. identified Nov 25, 2025, 11:06 PM UTC

   We are continuing to work on a fix for this issue.

3. monitoring Nov 26, 2025, 02:20 PM UTC

   A fix has been implemented and we are monitoring the results.

4. resolved Dec 18, 2025, 06:47 PM UTC

   This incident has been resolved.