What needs to be excluded and why
SentinelOne Singularity uses an AI-driven engine to monitor file system activity in real time. Commvault backup operations involve high-intensity read and write actions across millions of files. When the security agent intercepts every block-level change during a backup or deduplication process, the resulting latency can cause job timeouts. Proper configuration ensures that these two critical systems do not compete for system resources.
Large-scale backups often trigger heuristic alerts if the security software misinterprets mass file reading as a ransomware attack. This leads to quarantined Commvault processes and failed recovery points. Proper exclusions prevent these false positives while maintaining the security perimeter of the backup server. MediaAgents are particularly vulnerable to these performance conflicts because they handle deduplication, data movement, and indexing simultaneously.
Where to add exclusions in the SentinelOne Management Console
Access the Policy Editor
Log in to the SentinelOne Management Console with account or site administrator permissions. Navigate to the Sentinels menu on the left sidebar and select the Policies tab. Locate the specific policy applied to your backup servers or MediaAgents and click on it to open the configuration panel.
Open the Exclusions Tab
Click on the Exclusions sub-tab within the policy settings. You will see several categories including Path, Hash, and Process. Most Commvault configurations require a combination of Path and Process exclusions to function without interference. Click the New Exclusion button to begin adding entries.
Define the Scope
You will be prompted to select a type. For directories, choose the Path option. For service binaries, choose the Process option. Ensure you are applying these changes to the correct Policy Group that contains your backup infrastructure rather than a generic global policy.
The actual exclusion list
Add the following path exclusions using the Interoperability mode to ensure the SentinelOne agent does not hook into Commvault operations. Use the Performance mode for high-volume data directories like deduplication databases to minimize the disk I/O impact.
Directory Path Exclusions
Include the main installation directory for Commvault. This is typically found at C:\Program Files\Commvault\ContentStore*. Ensure the Recursive checkbox is selected so that all sub-folders and binaries within the installation tree are covered by the rule.
Exclude the Job Results directory to prevent conflicts during metadata updates. This path is often C:\Program Files\Commvault\ContentStore\iDataAgent\JobResults*. If you have moved this directory to a separate volume for performance reasons, use that specific drive letter instead.
Exclude the Index Cache directory. This is a high-traffic area where Commvault stores temporary metadata during backup jobs. The path is frequently C:\Commvault\IndexCache* or a dedicated high-speed SSD volume.
Deduplication Database (DDB) partitions require Performance exclusions. Exclude the root folder of each DDB partition, such as D:\Commvault\DDB* or E:\Commvault\DDB_Part2*.
Process Exclusions
Add these specific process exclusions to prevent the security agent from monitoring the behavior of the backup binaries. Select the Exclude from Monitoring option and enable the Include Children setting for each process:
- cvd.exe (The main Commvault Communications Service)
- ClBackup.exe (The backup process itself)
- Ifind.exe (Used for file system discovery and browsing)
- cvpysdk.exe (The Python SDK used for automation and API calls)
- ClMgrs.exe (The Manager Service for data movement)
Verification
Confirm the configuration is active by checking the policy status in the SentinelOne console. The policy version number should increment after you save the changes. Ensure the endpoints show as Up to date in the Sentinels list with the green checkmark icon. This confirms the agent has received the new instructions.
On the local Windows server, open a PowerShell window with administrative rights. Run the command SentinelCtl.exe status to verify the agent is running with the correct policy ID. This ensures the server has successfully checked in and the local configuration matches the cloud console. If the policy ID does not match, trigger a manual check-in from the console.
Monitor the Commvault cvd.log file for any Access Denied or File Lock errors that occurred before the exclusions were applied. If these errors disappear after the policy update, the configuration is working. You can also use the Windows Resource Monitor to see if SentinelAgent.exe is still consuming high CPU during a backup job. Under normal conditions, the security agent should remain quiet while Commvault is active.
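The before-and-after comparison described above can be scripted against a copy of cvd.log. This is an added example, not code from SentinelOne or Commvault; the timestamp layout, the matched phrases, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed line layout: "PID TID MM/DD HH:MM:SS message" (no year in the stamp).
STAMP = re.compile(r"\b(\d{2}/\d{2} \d{2}:\d{2}:\d{2})\b")
# Phrases taken from the verification step; matched case-insensitively.
PATTERNS = {
    "access_denied": re.compile(r"access denied", re.I),
    "file_lock": re.compile(r"file lock", re.I),
}

# Constructed sample lines, not real Commvault output.
SAMPLE_LOG = """\
4812 1a3c 03/14 01:12:07 Access Denied while opening chunk file
4812 1a3c 03/14 01:12:09 File Lock detected on index file
4812 1b10 03/14 01:40:51 Access Denied while opening chunk file
4812 1b10 03/14 02:05:00 Services running normally
5120 0f44 03/15 01:10:33 Backup phase completed
"""


def compare_errors(log_text, policy_applied, year):
    """Count matching errors before and after the policy update time."""
    counts = {"before": Counter(), "after": Counter()}
    for line in log_text.splitlines():
        stamp = STAMP.search(line)
        if not stamp:
            continue  # lines without a timestamp are skipped
        when = datetime.strptime(f"{year}/{stamp.group(1)}", "%Y/%m/%d %H:%M:%S")
        side = "before" if when < policy_applied else "after"
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                counts[side][name] += 1
    return counts


def verdict(counts):
    """Map the counts to the outcome described in the verification step."""
    before, after = sum(counts["before"].values()), sum(counts["after"].values())
    if after:
        return "errors persist after the policy update"
    return "errors disappeared" if before else "inconclusive: no errors before either"


if __name__ == "__main__":
    result = compare_errors(SAMPLE_LOG, datetime(2024, 3, 14, 12, 0), 2024)
    print(dict(result["before"]), dict(result["after"]), verdict(result))
```

An "inconclusive" result means the log held no matching errors before the update, so their absence afterwards says nothing about the exclusions.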
Common pitfalls
A common mistake is forgetting to enable recursive mode for folder exclusions. If recursive is not selected, SentinelOne will only ignore files in the root folder but continue to scan sub-directories. This is particularly problematic for the Content Store directory which has a deep nested structure. Always double-check the recursive flag for every path entry.
Another pitfall is using only Process exclusions without Path exclusions. Some file system drivers used by security software can still cause latency even if the process itself is ignored. Always apply both for the best results on MediaAgents handling heavy workloads. This redundancy ensures that both the software behavior and the data movement are optimized.
Verify that there are no conflicting policies at a higher level in the SentinelOne hierarchy. If an Account-level policy is set to Override Site Policies, your site-specific Commvault exclusions might not be applied. Check the Effective Policy view for the specific backup server to see exactly which rules are in place. Trailing spaces in file paths or process names can also cause the exclusion to fail.
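The pitfalls above can be checked on a planned exclusion list before it is entered in the console. This is an added example, not SentinelOne or Commvault code: the record fields (type, value, recursive, mode, include_children) are hypothetical and do not mirror any console export, and treating a folder whose name starts with "DDB" as a DDB partition root is an assumption.

```python
import ntpath

# Process names listed on this page.
PAGE_PROCESSES = ["cvd.exe", "ClBackup.exe", "Ifind.exe", "cvpysdk.exe", "ClMgrs.exe"]

# Constructed sample plan. Field names are hypothetical, not a SentinelOne format.
PLANNED = [
    {"type": "path", "value": r"C:\Program Files\Commvault\ContentStore*",
     "recursive": True, "mode": "Interoperability"},
    {"type": "path", "value": r"C:\Commvault\IndexCache* ",  # trailing space
     "recursive": True, "mode": "Interoperability"},
    {"type": "path", "value": r"D:\Commvault\DDB*",  # wrong mode, not recursive
     "recursive": False, "mode": "Interoperability"},
    {"type": "process", "value": "cvd.exe", "include_children": True},
    {"type": "process", "value": "ClBackup.exe", "include_children": False},
]


def lint_exclusions(entries):
    """Return sorted (value, finding) tuples for the pitfalls described above."""
    findings = set()
    paths = [e for e in entries if e["type"] == "path"]
    procs = [e for e in entries if e["type"] == "process"]
    for e in entries:
        if e["value"] != e["value"].strip():
            findings.add((e["value"], "WHITESPACE"))
    for e in paths:
        if not e.get("recursive"):
            findings.add((e["value"], "NOT_RECURSIVE"))
        # Assumption: a DDB partition root is a folder whose name starts with "DDB".
        leaf = ntpath.basename(e["value"].strip().rstrip("\\"))
        if leaf.upper().startswith("DDB") and e.get("mode") != "Performance":
            findings.add((e["value"], "DDB_NOT_PERFORMANCE"))
    for e in procs:
        if not e.get("include_children"):
            findings.add((e["value"], "CHILDREN_NOT_INCLUDED"))
    if procs and not paths:
        findings.add(("*", "PROCESS_ONLY"))  # process exclusions without any path
    have = {e["value"].strip().lower() for e in procs}
    for name in PAGE_PROCESSES:
        if name.lower() not in have:
            findings.add((name, "PROCESS_MISSING"))
    return sorted(findings)


if __name__ == "__main__":
    for value, finding in lint_exclusions(PLANNED):
        print(f"{finding:22} {value!r}")
```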
Authoritative documentation
SentinelOne and Commvault both maintain updated lists of recommended exclusions for every software release. Visit the SentinelOne Success Portal or the Commvault Documentation site for the most current binary names and path structures. Software updates can sometimes introduce new binaries that require additional entries.
Use the canonical source at https://www.sentinelone.com/resources/ for detailed white papers on agent interoperability and performance tuning. Keeping these exclusions updated is a critical part of your monthly maintenance routine for both cybersecurity and data protection. Regular audits of these lists ensure that your backup infrastructure stays fast and your security stance remains robust.