pyrevitlabs / pyRevit

Rapid Application Development (RAD) Environment for Autodesk Revit®
http://wiki.pyrevitlabs.io
GNU General Public License v3.0
1.29k stars 331 forks

Revit 2022 Crashes with pyRevit and SentinelOne #1929

Closed SinnwellR closed 1 year ago

SinnwellR commented 1 year ago

I've seen posts about SentinelOne causing issues with pyRevit and making Revit crash. I was wondering if, rather than adding an exclusion to SentinelOne, it would be possible to determine the behavior SentinelOne is classifying as risky and make a change to pyRevit to avoid whatever that behavior is. The issue I'm having is that SentinelOne is not creating any Incidents or Threat Alerts on the issue that we can detect and easily add exclusions for. I could exclude the whole pyRevit directory or Revit directory, but that's using a sledgehammer to hang a picture on the wall.

The behavior we see is Revit loads, shows the splash screen, sits for about two minutes and then closes completely. If we disable the pyRevit addin, Revit loads in just a few seconds without issue.

I have attached the journals from a machine when we have pyRevit enabled (bad) and disabled (good).

OS: Windows 10 Professional v 22H2
pyRevit Version: 4.8.12.22247
pyRevit Environment: cannot figure out where to run this command

Other information: I'm the IT guy and do not deal with these applications at all, just getting pulled in to help troubleshoot. I do not have access to any of the software so I have to remote into the VDC folks' computers when we have some changes to try making. Since SentinelOne doesn't show any threats or alerts, I don't have a great way to know what to add for an exclusion.

SinnwellR commented 1 year ago

Forgot to attach the journals.

journal.0057good.txt journal.0052bad.txt

jmcouffin commented 1 year ago

Hi @SinnwellR, I hear you on that one... Kind of ironic, I managed to close one issue related to Sentinel One just today and another one is popping up right away. I signaled the issue to S1 support, received no answer (a year ago). And did it again just now.

I help maintain an open source project that is a framework and plugin for Revit from Autodesk. We have had many issues reported to us in the past 1-2 years about the fact that, with S1 installed at the same time as Revit and pyRevit https://github.com/eirannejad/pyRevit/releases/tag/v4.8.13.23182%2B2215, Revit would not launch and would crash after the splash screen. No traceback, no journal entry that makes sense. Uninstalling S1 or pyRevit does the trick. OR making a huge exception on the %appdata%/pyrevit folder and on Revit folders seems to do the trick BUT this kind of defeats the purpose of S1. S1 does not raise any kind of alert, making it hard to understand what is being properly blocked. I sent a similar email a year ago I think, got no answer. I would appreciate an answer and would be happy to go through the issue and help you debug it. Thank you

Nobody has got answers for this specific issue on their side. It is kind of like chasing your own tail. If S1 does not raise any kind of alert, then it is nearly impossible to find the real issue behind it. It could be so many things.

I cannot get my hands on a trial of S1, so I cannot really figure it out on my side. If you are up to it, we could try it for a bit in a remote session. If so, contact me through LinkedIn or a PM on the pyRevit forum.

SinnwellR commented 1 year ago

Jean-Marc, I am going to do some digging through the SentinelOne Deep Visibility tool today to see what we can find from a lot of testing I did with our pyRevit user yesterday afternoon. That is our first step and then we'll escalate our findings to SentinelOne directly. Once we escalate to SentinelOne, if they would be willing to get on a session with all of us, would you be interested in joining to help guide us through how pyRevit should be working and any logging it may create while SentinelOne watches their side to see why it is getting killed off?

jmcouffin commented 1 year ago

Sounds good, sure, but I think @eirannejad would be the best person for that.

SinnwellR commented 1 year ago

I believe we got it working well enough, even though I don't completely love how we had to do it. We added a path based exclusion for Revit.exe in a specific directory, then we told SentinelOne to use "Interoperability - extended" which allows Revit.exe to spawn child processes and those should be allowed. We may come back to tighten this up, but for now pyRevit is loading properly again.

jmcouffin commented 1 year ago

Thanks for the explanation.

jmcouffin commented 1 year ago

> I believe we got it working well enough, even though I don't completely love how we had to do it. We added a path based exclusion for Revit.exe in a specific directory, then we told SentinelOne to use "Interoperability - extended" which allows Revit.exe to spawn child processes and those should be allowed. We may come back to tighten this up, but for now pyRevit is loading properly again.

Being loud enough this time, I got a call from someone on the sales team at SentinelOne. Very kind, she told me she will try to escalate to her senior support, but that it would be more efficiently answered through a support ticket from one of the customers.

@SinnwellR you saw me coming, would you be kind enough to be that one customer (or your IT guy, obviously) so that we can get a final fix?