Skip to main content
Microsoft Sentinelintermediate

SentinelOne Singularity exclusions for SQL Server

Configure SentinelOne SQL Server exclusions for MDF, LDF, tempdb, backups, and SQL services without disabling endpoint protection.

12 min readUpdated April 2026

What needs to be excluded and why

SentinelOne Singularity can run safely on SQL Server hosts, but real-time endpoint monitoring must be tuned around SQL Server's high-write, lock-sensitive files. Microsoft specifically calls out SQL Server database files, log files, backup files, full-text catalogs, trace files, Extended Events, SQL audit files, FILESTREAM containers, and SQL service processes as candidates for antivirus exclusions because scanning can lock files or add I/O latency.

The goal is not to disable SentinelOne on the server. The right approach is to create narrow SentinelOne Singularity exclusions for SQL Server paths and processes that match where the instance actually stores data. This reduces MDF and LDF lock contention, tempdb churn, Agent job failures, backup delays, and query latency while preserving endpoint visibility for the rest of the system.

Where to add the exclusions in the SentinelOne Management Console

Choose the right scope

Sign in to the SentinelOne Management Console with an account that can manage policy exclusions. Apply the exclusions at the smallest practical scope, usually the Site or Group that contains production SQL Server hosts. Avoid account-wide exclusions unless every endpoint in that scope is a SQL Server.

In current and recent console layouts, exclusions are usually managed from policy or global settings. Look for a path similar to Policy Settings, Global Settings, or Settings, then Exclusions, Agent Interoperability, or SentinelOne Exclusions. SentinelOne has changed labels across console versions, so use the panel that creates endpoint exclusions by path, file type, process, hash, certificate, or browser.

Add SQL Server entries

Use Add Exclusion, Create Exclusion, or the plus button in the exclusions panel. Select Windows as the operating system, then choose the relevant exclusion type, commonly Path, File Type, or Process.

For database folders and SQL binaries, use an interoperability or performance-focused path exclusion when available, not a broad suppress-alert-only rule. Include subfolders where the SQL Server directory contains nested data, log, full-text, or FILESTREAM content. Save the change, confirm the policy target, then allow several minutes for agents to receive the updated policy.

The actual exclusion list

Database Engine processes

Exclude only the SQL Server processes installed on that host:

  • sqlservr.exe, SQL Server Database Engine
  • sqlagent.exe, SQL Server Agent
  • sqlbrowser.exe, SQL Server Browser, if installed
  • %ProgramFiles%\Microsoft SQL Server\1<NN>\Shared\SQLDumper.exe, SQLDumper utility

If the console requires full paths, discover them before entering the exclusion:

powershell Get-Process sqlservr,sqlagent,sqlbrowser -ErrorAction SilentlyContinue | Select-Object ProcessName, Path

Typical examples include:

  • C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
  • C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE

Do not fabricate instance paths. SQL Server version and instance names change the folder, such as MSSQL15.MSSQLSERVER, MSSQL16.PROD, or a custom installation directory.

Database, log, and tempdb folders

Exclude the directories that contain SQL Server data and log files, including tempdb. Microsoft lists the key database extensions as:

  • .mdf
  • .ndf
  • .ldf

Common default examples are:

  • %ProgramFiles%\Microsoft SQL Server\MSSQL<NN>.MSSQLSERVER\MSSQL\DATA
  • %ProgramFiles%\Microsoft SQL Server\MSSQL<NN>.<InstanceName>\MSSQL\DATA
  • D:\MSSQL\Data
  • E:\MSSQL\Logs
  • the configured tempdb data and log directories

Use SQL Server itself to find the real file locations:

sql SELECT name, physical_name FROM sys.master_files ORDER BY physical_name;

Create folder exclusions for those directories rather than only extension-based exclusions when possible. Folder exclusions are easier to audit and reduce accidental coverage of unrelated .mdf or .ldf files elsewhere on the server.

Backups, full-text, and operational files

Exclude SQL Server backup folders and file types used by scheduled maintenance:

  • .bak, full backup files
  • .trn, transaction log backup files
  • the configured backup directory, such as F:\SQLBackups
  • %ProgramFiles%\Microsoft SQL Server\MSSQL<NN>.MSSQLSERVER\MSSQL\Backup

Also exclude SQL Server operational folders when used:

  • Full-text catalog folder, usually %ProgramFiles%\Microsoft SQL Server\MSSQL<NN>.<InstanceName>\MSSQL\FTDATA
  • SQL trace files, .trc
  • Extended Events files, .xel and .xem
  • SQL audit files, .sqlaudit
  • FILESTREAM containers returned from sys.database_files
  • In-Memory OLTP xtp subfolders under the instance data path
  • Replication snapshot folders, commonly ...\MSSQL\ReplData

If SQL Server Analysis Services, Integration Services, Reporting Services, or PolyBase are installed on the same host, add their documented process and data directories separately. For example, SSAS commonly uses MSMDSrv.exe plus its configured Data, Temp, Backup, and Log directories.

Verification

Confirm policy delivery in SentinelOne

In the SentinelOne console, open the affected endpoint and confirm it is online, assigned to the intended Site or Group, and using the policy where the exclusions were created. In the exclusions panel, verify each entry shows the expected scope, operating system, exclusion type, mode, and enabled status.

If your console shows agent policy revision, last sync, or configuration status, confirm the endpoint has checked in after the exclusion was saved. For production SQL Servers, plan a service restart or maintenance reboot when SentinelOne notes that interoperability or performance exclusions require a process restart to apply fully.

Confirm SQL paths and Windows filter drivers

Run these commands from an elevated PowerShell prompt on the SQL Server:

powershell Get-Process sqlservr,sqlagent -ErrorAction SilentlyContinue | Select ProcessName,Path fltmc instances Get-EventLog -LogName Application -Newest 50 | Where-Object {$_.Source -like 'SQL'}

Use SQL Server to confirm file placement:

sql SELECT name, physical_name FROM sys.master_files; SELECT SERVERPROPERTY('ErrorLogFileName') AS ErrorLogFileName;

Review SQL Server logs for symptoms that should stop after tuning. Useful locations include SQL Server Management Studio under Management > SQL Server Logs, the SQL Server ERRORLOG path returned by SERVERPROPERTY, and Windows Event Viewer > Windows Logs > Application.

Common pitfalls and what to do if the exclusion is not honored

The exclusion is scoped to the wrong group

A correct exclusion in the wrong Site or Group has no effect. Move the SQL Server into the intended policy group or recreate the exclusion at the group that actually owns the endpoint policy.

The path does not match the real SQL location

Many SQL Servers store MDF, LDF, backups, or tempdb on dedicated volumes such as D:, E:, or mount points. Query sys.master_files and compare the result to the SentinelOne entries. Named instances and SQL upgrades often leave paths that do not match the expected MSSQLSERVER default instance pattern.

Subfolders were not included

Full-text catalogs, FILESTREAM containers, In-Memory OLTP files, and replication data may sit below the parent SQL directory. If SentinelOne offers an Include subfolders option, enable it for SQL data trees where the child folders are part of the database workload.

The process was not restarted

Some SentinelOne interoperability and performance exclusions apply cleanly only after the protected process restarts. Restart the SQL Server service during a maintenance window, or reboot the host if SentinelOne support or the console guidance indicates that a reboot is required.

The exclusion is too broad

Do not exclude all of C:\Program Files, all Microsoft-signed files, or the entire drive. That weakens protection and makes incident response harder. Limit exclusions to the SQL Server executable paths and the specific data, log, backup, and operational folders used by that server.

Where to find the vendor's authoritative documentation

Use SentinelOne's official resources library as the canonical starting point for current Singularity guidance: https://www.sentinelone.com/resources/. SentinelOne customers should also check the in-console help, support portal, and release notes for the exact exclusion modes available in their tenant.

For the SQL Server side, use Microsoft's official article, Configure antivirus software to work with SQL Server, on Microsoft Learn. Treat Microsoft as authoritative for which SQL Server files and services need antivirus exclusions, then implement those exclusions in SentinelOne with the narrowest policy scope that solves the production issue.