Hi Lazy Admin,
Welcome to Microsoft Community.
Based on your description, I understand that you are running Sentinel as an EDR, but the syslog server keeps prompting errors, and I understand very well how you feel!
I carefully analyzed the detailed error you gave. Generally speaking, the code integrity function is used to verify the integrity of a driver or file when it is loaded into memory, and it is mainly used to detect whether the driver or file has a legal signature or not.
If I just look at the error message you provided, the generalization is that when “svchost.exe” tries to load the “SentinelAmsi64.dll” file from the SentinelOne agent, the file does not meet the Windows signature level requirements.
I understand the situation bro, I had a similar problem when I was monitoring services and devices with Zabbix. Don't worry though, sometimes this type of error is benign. And actually the signature issue needs some tweaking or patching by the developer for code integrity GPOs & other stuff & it will go away.
Personally, I have the following two suggestions:
- If you find it troublesome that this error message appears frequently, you can force disable digital signature authentication via command line.
1) Click the "Windows Logo Key" to open the search bar -> Type "cmd" in the search bar and open it with administrator privileges -> Please enter the following commands:
bcdedit.exe /set nointegritychecks on
bcdedit /set {current} testsigning on
- Disable Driver Signature Enforcement (Advanced Startup) (turn it off briefly, it will be automatic after the next reboot)
(1) First press Win+I to open Settings.
(2) Click on “Update & Security” and then “Recovery”.
(3) In the “Advanced Boot” section, click “Restart Now”.
(4) The computer will be taken to the advanced startup options. Here, select "Troubleshooting".
(5) Next, select “Advanced Options”.
(6) In the advanced options, select “Startup Settings”.
(7) In Startup Settings, click on Restart.
(8) The computer will restart and display the startup settings. Here, find the option “Disable Driver Signature Enforcement” and press the corresponding number key (usually 7).
(9) The computer will continue to boot and driver signature enforcement will be disabled.
But personally I don't really recommend it from a technical point of view, given my own situation, because the digital signature verification can sometimes help us notice that some processes or files entering the kernel may not meet the requirements, and sometimes it even helps us see the signs of hacking, although the probability of this is relatively small.
Assuming there are times when we have to adjust services, pull data, and perform other operations, we can use Method 2 to briefly disable it once.
- I would recommend ignoring this benign information for now and setting up some filters on the syslog server to filter this information out or route it to a separate place.
Filtering keywords should be specific, to prevent other similar messages from being filtered or routed together with it.
I sincerely hope that the above solution will solve your problem. Please feel free to contact me if you have any problems or still can't solve them. (Photos related to the question would be great!).
I look forward to hearing back from you.
Best Regards
Arthur Sheng | Microsoft Community Support Specialist
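As an added example of the third suggestion above (a specific syslog filter), and not code from Arthur's answer or from SentinelOne or Microsoft, the Python below suppresses only the one Code Integrity message described in the question: svchost.exe loading SentinelAmsi64.dll and failing the Windows signature level requirements. The sample syslog lines are constructed here to mirror that wording (the exact text on a real syslog server may differ, so the pattern is an assumption to adjust). Messages that mention the same DLL but a different loading process, or the same process but a different file, are deliberately kept, which is what "filtering keywords should be specific" means in practice.

```python
import re
from typing import List, Tuple

# Constructed sample syslog lines (not taken from the original thread).
# Line 0 is the known-benign message from the question; lines 1-3 look
# similar but must NOT be suppressed.
SAMPLE_LINES = [
    r"<13>Jun 01 10:00:01 host01 CodeIntegrity: Code Integrity determined that a process "
    r"(\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load "
    r"\Device\HarddiskVolume3\Program Files\SentinelOne\Sentinel Agent\SentinelAmsi64.dll "
    r"that did not meet the Windows signature level requirements.",
    # same process, different (unexpected) file -> keep
    r"<13>Jun 01 10:00:02 host01 CodeIntegrity: Code Integrity determined that a process "
    r"(\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load "
    r"\Device\HarddiskVolume3\Users\Public\notsigned.dll "
    r"that did not meet the Windows signature level requirements.",
    # same DLL name, different process -> keep
    r"<13>Jun 01 10:00:03 host01 CodeIntegrity: Code Integrity determined that a process "
    r"(\Device\HarddiskVolume3\Users\Public\other.exe) attempted to load "
    r"\Device\HarddiskVolume3\Users\Public\SentinelAmsi64.dll "
    r"that did not meet the Windows signature level requirements.",
    # unrelated message -> keep
    r"<13>Jun 01 10:00:04 host01 Service Control Manager: The Windows Time service entered the running state.",
]

# Assumed pattern: anchored on the loading process, the exact DLL name and the
# failure wording, so only the known-benign combination matches.
KNOWN_BENIGN = re.compile(
    r"Code Integrity determined that a process \([^)]*\\svchost\.exe\) "
    r"attempted to load [^ ]*(?: [^ ]*)*?\\SentinelAmsi64\.dll "
    r"that did not meet the Windows signature level requirements",
    re.IGNORECASE,
)


def is_known_benign(line: str) -> bool:
    """True only for the specific svchost.exe / SentinelAmsi64.dll message."""
    return KNOWN_BENIGN.search(line) is not None


def triage(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Split syslog lines into (kept, suppressed).

    Suppressed lines are returned rather than dropped so they can be routed
    to a separate low-priority log instead of being lost entirely.
    """
    kept: List[str] = []
    suppressed: List[str] = []
    for line in lines:
        (suppressed if is_known_benign(line) else kept).append(line)
    return kept, suppressed


if __name__ == "__main__":
    kept_lines, suppressed_lines = triage(SAMPLE_LINES)
    print(f"kept {len(kept_lines)} line(s), suppressed {len(suppressed_lines)} line(s)")
    for entry in suppressed_lines:
        print("SUPPRESSED:", entry)
```

The suppressed list is written somewhere separate rather than discarded, so the message can still be reviewed if the vendor fix mentioned above changes the behaviour or if the count suddenly rises.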