Liongard status is Operational

Components shown (7-day status timeline, Sat 29 to Fri 5): US1 Instance, US2 Instance, US3 Instance, US4 Instance, US5 Instance, US6 Instance, US7 Instance
Last updated 1 minute ago from official status page.

Active Incidents

Liongard Agent Update & SentinelOne False Positive
Started 25 Nov 2025 23:05:29 (11 days ago), still ongoing
Incident without Impact
Monitoring
US1 Instance
AUS1 Instance
EU1 Instance
UK1 Instance
CA1 Instances

--Executive Summary

Liongard recently deployed an update to the Liongard Agent that unintentionally introduced instability in some partner environments. The update included a new Nmap-based enhancement for Network Discovery, but the way this capability was packaged and distributed resulted in several endpoint protection platforms—most notably SentinelOne—flagging legitimate components as malicious.

This issue was not due to a security compromise, but rather to how the Nmap integration was implemented in the agent. Some security solutions interpreted the bundled Nmap installer as a threat, leading to quarantines and—in more severe cases—temporary loss of network connectivity on protected endpoints.

Liongard takes full responsibility for the disruption this caused.

To immediately mitigate partner impact, we are releasing Agent version 5.1.1, which removes the Nmap integration entirely and clears existing Nmap files from the Liongard Agent directory. This rollback will temporarily pause Network Discovery functionality until it is reintroduced with a more compatible, rigorously validated design in version 5.1.2.

--Detailed Technical Analysis

--What Happened

Agent versions 5.0.4 through 5.1.0 introduced Nmap to expand Network Discovery capabilities. Although secure and intentional, the method of bundling this tool resulted in some EDR/AV vendors misidentifying it as a “Hacking Tool.”

Because of this misalignment between our packaging approach and security vendor expectations, certain policies responded aggressively, quarantining files or disabling network adapters entirely.

--Root Cause

The issue originated from how the Nmap installer was included and delivered within the Liongard Agent. While Nmap itself is widely used and trusted, our deployment approach triggered behavior- and signature-based detections in several protection platforms.

This was a preventable integration challenge on our part, and we are taking action to ensure it does not recur.

--Immediate Remediation: Agent 5.1.1

To stabilize partner environments, Agent 5.1.1 will:

· Fully remove the Nmap installer from the agent

· Remove any existing Nmap files from previously installed versions

· Prevent further EDR false positives related to this release

· Temporarily suspend Network Discovery Inspector functionality

Work is already underway on Agent 5.1.2, which will restore Network Discovery using an approach that aligns with modern EDR expectations and vendor security criteria.

--Moving Forward: Improvements & Preventive Measures

Liongard is committed to learning from this event and improving both our release processes and our diligence around security vendor compatibility.

  1. Strengthened Pre-Release Testing With Security Vendors

We are expanding testing and validation across multiple EDR/AV vendors—including SentinelOne, CrowdStrike, and Microsoft Defender—to ensure future changes are recognized as safe before release.

  2. Enhanced Packaging & Architecture Review

Before introducing utilities or scanning tools like Nmap, our engineering teams will now perform deeper compatibility reviews tailored to how EDRs evaluate installers, command-line utilities, and network-scanning behaviors.

  3. Earlier & More Detailed Partner Communication

Future architectural updates will be accompanied by:

· Clear technical preparation steps

· Updated EDR allowlisting guidance

· Early communication for partners with strict security postures

  4. Expanded Internal Validation

We are enhancing our release pipeline to include:

· Multi-vendor false-positive testing

· Behavior-based security scanning

These steps are designed to prevent similar disruptions and ensure future enhancements are introduced with the necessary rigor and validation.

--Closing Statement

We acknowledge the disruption this incident caused and take responsibility for the impact on your operations. Our team is fully committed to resolving the issue, restoring full functionality, and implementing the improvements needed to prevent this from happening again.

Thank you for your continued partnership and patience as we work through this with urgency and care. If you have any questions or need support with affected endpoints, please reach out to Liongard Support.

https://support.liongard.com/en/articles/12936905-incident-review-liongard-agent-update-sentinelone-false-positive

Recently Resolved Incidents

No recent incidents

Liongard Outage Survival Guide

A step-by-step guide to help you survive a Liongard outage
NaN%

    Liongard Components

    Sat 29
    Sun 30
    Mon 1
    Tue 2
    Wed 3
    Thu 4
    Fri 5
    now

    Liongard US Instances

    Sat 29
    Sun 30
    Mon 1
    Tue 2
    Wed 3
    Thu 4
    Fri 5
    now
    US1 Instance
    Sat 29
    Sun 30
    Mon 1
    Tue 2
    Wed 3
    Thu 4
    Fri 5
    now
    Liongard Agent Update & SentinelOne False Positive
    Started 25 Nov 2025 23:05:29 (11 days ago), still ongoing
    Incident without Impact
    Monitoring
    US1 Instance
    AUS1 Instance
    EU1 Instance
    UK1 Instance
    CA1 Instances
    More...

    --Executive Summary

    Liongard recently deployed an update to the Liongard Agent that unintentionally introduced instability in some partner environments. The update included a new Nmap-based enhancement for Network Discovery, but the way this capability was packaged and distributed resulted in several endpoint protection platforms—most notably SentinelOne—flagging legitimate components as malicious.

    This issue was not due to a security compromise, but rather to how the Nmap integration was implemented in the agent. Some security solutions interpreted the bundled Nmap installer as a threat, leading to quarantines and—in more severe cases—temporary loss of network connectivity on protected endpoints.

    Liongard takes full responsibility for the disruption this caused.

    To immediately mitigate partner impact, we are releasing Agent version 5.1.1, which removes the Nmap integration entirely and clears existing Nmap files from the Liongard Agent directory. This rollback will temporarily pause Network Discovery functionality until it is reintroduced with a more compatible, rigorously validated design in version 5.1.2.

    --Detailed Technical Analysis

    --What Happened

    Agent versions 5.0.4 through 5.1.0 introduced Nmap to expand Network Discovery capabilities. Although secure and intentional, the method of bundling this tool resulted in some EDR/AV vendors misidentifying it as a “Hacking Tool.”

    Because of this misalignment between our packaging approach and security vendor expectations, certain policies responded aggressively, quarantining files or disabling network adapters entirely.

    --Root Cause

    The issue originated from how the Nmap installer was included and delivered within the Liongard Agent. While Nmap itself is widely used and trusted, our deployment approach triggered behavior- and signature-based detections in several protection platforms.

    This was a preventable integration challenge on our part, and we are taking action to ensure it does not recur.

    --Immediate Remediation: Agent 5.1.1

    To stabilize partner environments, Agent 5.1.1 will:

    · Fully remove the Nmap installer from the agent

    · Remove any existing Nmap files from previously installed versions

    · Prevent further EDR false positives related to this release

    · Temporarily suspend Network Discovery Inspector functionality

    Work is already underway on Agent 5.1.2, which will restore Network Discovery using an approach that aligns with modern EDR expectations and vendor security criteria.

    --Moving Forward: Improvements & Preventive Measures

    Liongard is committed to learning from this event and improving both our release processes and our diligence around security vendor compatibility.

    1. Strengthened Pre-Release Testing With Security Vendors

    We are expanding testing and validation across multiple EDR/AV vendors—including SentinelOne, CrowdStrike, and Microsoft Defender—to ensure future changes are recognized as safe before release.

    1. Enhanced Packaging & Architecture Review

    Before introducing utilities or scanning tools like Nmap, our engineering teams will now perform deeper compatibility reviews tailored to how EDRs evaluate installers, command-line utilities, and network-scanning behaviors.

    1. Earlier & More Detailed Partner Communication

    Future architectural updates will be accompanied by:

    · Clear technical preparation steps

    · Updated EDR allowlisting guidance

    · Early communication for partners with strict security postures

    1. Expanded Internal Validation

    We are enhancing our release pipeline to include:

    · Multi-vendor false-positive testing

    · Behavior-based security scanning

    These steps are designed to prevent similar disruptions and ensure future enhancements are introduced with the necessary rigor and validation.

    --Closing Statement

    We acknowledge the disruption this incident caused and take responsibility for the impact on your operations. Our team is fully committed to resolving the issue, restoring full functionality, and implementing the improvements needed to prevent this from happening again.

    Thank you for your continued partnership and patience as we work through this with urgency and care. If you have any questions or need support with affected endpoints, please reach out to Liongard Support.

    https://support.liongard.com/en/articles/12936905-incident-review-liongard-agent-update-sentinelone-false-positive

    US2 Instance
    Sat 29
    Sun 30
    Mon 1
    Tue 2
    Wed 3
    Thu 4
    Fri 5
    now
    Liongard Agent Update & SentinelOne False Positive
    Started 25 Nov 2025 23:05:29 (11 days ago), still ongoing
    Incident without Impact
    Monitoring
    US1 Instance
    AUS1 Instance
    EU1 Instance
    UK1 Instance
    CA1 Instances
    More...

    --Executive Summary

    Liongard recently deployed an update to the Liongard Agent that unintentionally introduced instability in some partner environments. The update included a new Nmap-based enhancement for Network Discovery, but the way this capability was packaged and distributed resulted in several endpoint protection platforms—most notably SentinelOne—flagging legitimate components as malicious.

    This issue was not due to a security compromise, but rather to how the Nmap integration was implemented in the agent. Some security solutions interpreted the bundled Nmap installer as a threat, leading to quarantines and—in more severe cases—temporary loss of network connectivity on protected endpoints.

    Liongard takes full responsibility for the disruption this caused.

    To immediately mitigate partner impact, we are releasing Agent version 5.1.1, which removes the Nmap integration entirely and clears existing Nmap files from the Liongard Agent directory. This rollback will temporarily pause Network Discovery functionality until it is reintroduced with a more compatible, rigorously validated design in version 5.1.2.

    --Detailed Technical Analysis

    --What Happened

    Agent versions 5.0.4 through 5.1.0 introduced Nmap to expand Network Discovery capabilities. Although secure and intentional, the method of bundling this tool resulted in some EDR/AV vendors misidentifying it as a “Hacking Tool.”

    Because of this misalignment between our packaging approach and security vendor expectations, certain policies responded aggressively, quarantining files or disabling network adapters entirely.

    --Root Cause

    The issue originated from how the Nmap installer was included and delivered within the Liongard Agent. While Nmap itself is widely used and trusted, our deployment approach triggered behavior- and signature-based detections in several protection platforms.

    This was a preventable integration challenge on our part, and we are taking action to ensure it does not recur.

    --Immediate Remediation: Agent 5.1.1

    To stabilize partner environments, Agent 5.1.1 will:

    · Fully remove the Nmap installer from the agent

    · Remove any existing Nmap files from previously installed versions

    · Prevent further EDR false positives related to this release

    · Temporarily suspend Network Discovery Inspector functionality

    Work is already underway on Agent 5.1.2, which will restore Network Discovery using an approach that aligns with modern EDR expectations and vendor security criteria.

    --Moving Forward: Improvements & Preventive Measures

    Liongard is committed to learning from this event and improving both our release processes and our diligence around security vendor compatibility.

    1. Strengthened Pre-Release Testing With Security Vendors

    We are expanding testing and validation across multiple EDR/AV vendors—including SentinelOne, CrowdStrike, and Microsoft Defender—to ensure future changes are recognized as safe before release.

    1. Enhanced Packaging & Architecture Review

    Before introducing utilities or scanning tools like Nmap, our engineering teams will now perform deeper compatibility reviews tailored to how EDRs evaluate installers, command-line utilities, and network-scanning behaviors.

    1. Earlier & More Detailed Partner Communication

    Future architectural updates will be accompanied by:

    · Clear technical preparation steps

    · Updated EDR allowlisting guidance

    · Early communication for partners with strict security postures

    1. Expanded Internal Validation

    We are enhancing our release pipeline to include:

    · Multi-vendor false-positive testing

    · Behavior-based security scanning

    These steps are designed to prevent similar disruptions and ensure future enhancements are introduced with the necessary rigor and validation.

    --Closing Statement

    We acknowledge the disruption this incident caused and take responsibility for the impact on your operations. Our team is fully committed to resolving the issue, restoring full functionality, and implementing the improvements needed to prevent this from happening again.

    Thank you for your continued partnership and patience as we work through this with urgency and care. If you have any questions or need support with affected endpoints, please reach out to Liongard Support.

    https://support.liongard.com/en/articles/12936905-incident-review-liongard-agent-update-sentinelone-false-positive

    US3 Instance
    Sat 29
    Sun 30
    Mon 1
    Tue 2
    Wed 3
    Thu 4
    Fri 5
    now
    Liongard Agent Update & SentinelOne False Positive
    Started 25 Nov 2025 23:05:29 (11 days ago), still ongoing
    Incident without Impact
    Monitoring
    US1 Instance
    AUS1 Instance
    EU1 Instance
    UK1 Instance
    CA1 Instances
    More...

    --Executive Summary

    Liongard recently deployed an update to the Liongard Agent that unintentionally introduced instability in some partner environments. The update included a new Nmap-based enhancement for Network Discovery, but the way this capability was packaged and distributed resulted in several endpoint protection platforms—most notably SentinelOne—flagging legitimate components as malicious.

    This issue was not due to a security compromise, but rather to how the Nmap integration was implemented in the agent. Some security solutions interpreted the bundled Nmap installer as a threat, leading to quarantines and—in more severe cases—temporary loss of network connectivity on protected endpoints.

    Liongard takes full responsibility for the disruption this caused.

    To immediately mitigate partner impact, we are releasing Agent version 5.1.1, which removes the Nmap integration entirely and clears existing Nmap files from the Liongard Agent directory. This rollback will temporarily pause Network Discovery functionality until it is reintroduced with a more compatible, rigorously validated design in version 5.1.2.

    --Detailed Technical Analysis

    --What Happened

    Agent versions 5.0.4 through 5.1.0 introduced Nmap to expand Network Discovery capabilities. Although secure and intentional, the method of bundling this tool resulted in some EDR/AV vendors misidentifying it as a “Hacking Tool.”

    Because of this misalignment between our packaging approach and security vendor expectations, certain policies responded aggressively, quarantining files or disabling network adapters entirely.

    --Root Cause

    The issue originated from how the Nmap installer was included and delivered within the Liongard Agent. While Nmap itself is widely used and trusted, our deployment approach triggered behavior- and signature-based detections in several protection platforms.

    This was a preventable integration challenge on our part, and we are taking action to ensure it does not recur.

    --Immediate Remediation: Agent 5.1.1

    To stabilize partner environments, Agent 5.1.1 will:

    · Fully remove the Nmap installer from the agent

    · Remove any existing Nmap files from previously installed versions

    · Prevent further EDR false positives related to this release

    · Temporarily suspend Network Discovery Inspector functionality

    Work is already underway on Agent 5.1.2, which will restore Network Discovery using an approach that aligns with modern EDR expectations and vendor security criteria.

    --Moving Forward: Improvements & Preventive Measures

    Liongard is committed to learning from this event and improving both our release processes and our diligence around security vendor compatibility.

    1. Strengthened Pre-Release Testing With Security Vendors

    We are expanding testing and validation across multiple EDR/AV vendors—including SentinelOne, CrowdStrike, and Microsoft Defender—to ensure future changes are recognized as safe before release.

    1. Enhanced Packaging & Architecture Review

    Before introducing utilities or scanning tools like Nmap, our engineering teams will now perform deeper compatibility reviews tailored to how EDRs evaluate installers, command-line utilities, and network-scanning behaviors.

    1. Earlier & More Detailed Partner Communication

    Future architectural updates will be accompanied by:

    · Clear technical preparation steps

    · Updated EDR allowlisting guidance

    · Early communication for partners with strict security postures

    1. Expanded Internal Validation

    We are enhancing our release pipeline to include:

    · Multi-vendor false-positive testing

    · Behavior-based security scanning

    These steps are designed to prevent similar disruptions and ensure future enhancements are introduced with the necessary rigor and validation.

    --Closing Statement

    We acknowledge the disruption this incident caused and take responsibility for the impact on your operations. Our team is fully committed to resolving the issue, restoring full functionality, and implementing the improvements needed to prevent this from happening again.

    Thank you for your continued partnership and patience as we work through this with urgency and care. If you have any questions or need support with affected endpoints, please reach out to Liongard Support.

    https://support.liongard.com/en/articles/12936905-incident-review-liongard-agent-update-sentinelone-false-positive

    US4 Instance
    Sat 29
    Sun 30
    Mon 1
    Tue 2
    Wed 3
    Thu 4
    Fri 5
    now
    Liongard Agent Update & SentinelOne False Positive
    Started 25 Nov 2025 23:05:29 (11 days ago), still ongoing
    Incident without Impact
    Monitoring
    US1 Instance
    AUS1 Instance
    EU1 Instance
    UK1 Instance
    CA1 Instances
    More...

    --Executive Summary

    Liongard recently deployed an update to the Liongard Agent that unintentionally introduced instability in some partner environments. The update included a new Nmap-based enhancement for Network Discovery, but the way this capability was packaged and distributed resulted in several endpoint protection platforms—most notably SentinelOne—flagging legitimate components as malicious.

    This issue was not due to a security compromise, but rather to how the Nmap integration was implemented in the agent. Some security solutions interpreted the bundled Nmap installer as a threat, leading to quarantines and—in more severe cases—temporary loss of network connectivity on protected endpoints.

    Liongard takes full responsibility for the disruption this caused.

    To immediately mitigate partner impact, we are releasing Agent version 5.1.1, which removes the Nmap integration entirely and clears existing Nmap files from the Liongard Agent directory. This rollback will temporarily pause Network Discovery functionality until it is reintroduced with a more compatible, rigorously validated design in version 5.1.2.

    --Detailed Technical Analysis

    --What Happened

    Agent versions 5.0.4 through 5.1.0 introduced Nmap to expand Network Discovery capabilities. Although secure and intentional, the method of bundling this tool resulted in some EDR/AV vendors misidentifying it as a “Hacking Tool.”

    Because of this misalignment between our packaging approach and security vendor expectations, certain policies responded aggressively, quarantining files or disabling network adapters entirely.

    --Root Cause

    The issue originated from how the Nmap installer was included and delivered within the Liongard Agent. While Nmap itself is widely used and trusted, our deployment approach triggered behavior- and signature-based detections in several protection platforms.

    This was a preventable integration challenge on our part, and we are taking action to ensure it does not recur.

    --Immediate Remediation: Agent 5.1.1

    To stabilize partner environments, Agent 5.1.1 will:

    · Fully remove the Nmap installer from the agent

    · Remove any existing Nmap files from previously installed versions

    · Prevent further EDR false positives related to this release

    · Temporarily suspend Network Discovery Inspector functionality

    Work is already underway on Agent 5.1.2, which will restore Network Discovery using an approach that aligns with modern EDR expectations and vendor security criteria.

    --Moving Forward: Improvements & Preventive Measures

    Liongard is committed to learning from this event and improving both our release processes and our diligence around security vendor compatibility.

    1. Strengthened Pre-Release Testing With Security Vendors

    We are expanding testing and validation across multiple EDR/AV vendors—including SentinelOne, CrowdStrike, and Microsoft Defender—to ensure future changes are recognized as safe before release.

    1. Enhanced Packaging & Architecture Review

    Before introducing utilities or scanning tools like Nmap, our engineering teams will now perform deeper compatibility reviews tailored to how EDRs evaluate installers, command-line utilities, and network-scanning behaviors.

    1. Earlier & More Detailed Partner Communication

    Future architectural updates will be accompanied by:

    · Clear technical preparation steps

    · Updated EDR allowlisting guidance

    · Early communication for partners with strict security postures

    1. Expanded Internal Validation

    We are enhancing our release pipeline to include:

    · Multi-vendor false-positive testing

    · Behavior-based security scanning

    These steps are designed to prevent similar disruptions and ensure future enhancements are introduced with the necessary rigor and validation.

    --Closing Statement

    We acknowledge the disruption this incident caused and take responsibility for the impact on your operations. Our team is fully committed to resolving the issue, restoring full functionality, and implementing the improvements needed to prevent this from happening again.

    Thank you for your continued partnership and patience as we work through this with urgency and care. If you have any questions or need support with affected endpoints, please reach out to Liongard Support.

    https://support.liongard.com/en/articles/12936905-incident-review-liongard-agent-update-sentinelone-false-positive

    US5 Instance
    Sat 29
    Sun 30
    Mon 1
    Tue 2
    Wed 3
    Thu 4
    Fri 5
    now
    Liongard Agent Update & SentinelOne False Positive
    Started 25 Nov 2025 23:05:29 (11 days ago), still ongoing
    Incident without Impact
    Monitoring
    US1 Instance
    AUS1 Instance
    EU1 Instance
    UK1 Instance
    CA1 Instances
    More...

    --Executive Summary

    Liongard recently deployed an update to the Liongard Agent that unintentionally introduced instability in some partner environments. The update included a new Nmap-based enhancement for Network Discovery, but the way this capability was packaged and distributed resulted in several endpoint protection platforms—most notably SentinelOne—flagging legitimate components as malicious.

    This issue was not due to a security compromise, but rather to how the Nmap integration was implemented in the agent. Some security solutions interpreted the bundled Nmap installer as a threat, leading to quarantines and—in more severe cases—temporary loss of network connectivity on protected endpoints.

    Liongard takes full responsibility for the disruption this caused.

    To immediately mitigate partner impact, we are releasing Agent version 5.1.1, which removes the Nmap integration entirely and clears existing Nmap files from the Liongard Agent directory. This rollback will temporarily pause Network Discovery functionality until it is reintroduced with a more compatible, rigorously validated design in version 5.1.2.

    --Detailed Technical Analysis

    --What Happened

    Agent versions 5.0.4 through 5.1.0 introduced Nmap to expand Network Discovery capabilities. Although secure and intentional, the method of bundling this tool resulted in some EDR/AV vendors misidentifying it as a “Hacking Tool.”

    Because of this misalignment between our packaging approach and security vendor expectations, certain policies responded aggressively, quarantining files or disabling network adapters entirely.

    --Root Cause

    The issue originated from how the Nmap installer was included and delivered within the Liongard Agent. While Nmap itself is widely used and trusted, our deployment approach triggered behavior- and signature-based detections in several protection platforms.

    This was a preventable integration challenge on our part, and we are taking action to ensure it does not recur.

    --Immediate Remediation: Agent 5.1.1

    To stabilize partner environments, Agent 5.1.1 will:

    · Fully remove the Nmap installer from the agent

    · Remove any existing Nmap files from previously installed versions

    · Prevent further EDR false positives related to this release

    · Temporarily suspend Network Discovery Inspector functionality

    Work is already underway on Agent 5.1.2, which will restore Network Discovery using an approach that aligns with modern EDR expectations and vendor security criteria.

    --Moving Forward: Improvements & Preventive Measures

    Liongard is committed to learning from this event and improving both our release processes and our diligence around security vendor compatibility.

    1. Strengthened Pre-Release Testing With Security Vendors

    We are expanding testing and validation across multiple EDR/AV vendors—including SentinelOne, CrowdStrike, and Microsoft Defender—to ensure future changes are recognized as safe before release.

    1. Enhanced Packaging & Architecture Review

    Before introducing utilities or scanning tools like Nmap, our engineering teams will now perform deeper compatibility reviews tailored to how EDRs evaluate installers, command-line utilities, and network-scanning behaviors.

    1. Earlier & More Detailed Partner Communication

    Future architectural updates will be accompanied by:

    · Clear technical preparation steps

    · Updated EDR allowlisting guidance

    · Early communication for partners with strict security postures

    1. Expanded Internal Validation

    We are enhancing our release pipeline to include:

    · Multi-vendor false-positive testing

    · Behavior-based security scanning

    These steps are designed to prevent similar disruptions and ensure future enhancements are introduced with the necessary rigor and validation.

    --Closing Statement

    We acknowledge the disruption this incident caused and take responsibility for the impact on your operations. Our team is fully committed to resolving the issue, restoring full functionality, and implementing the improvements needed to prevent this from happening again.

    Thank you for your continued partnership and patience as we work through this with urgency and care. If you have any questions or need support with affected endpoints, please reach out to Liongard Support.

    https://support.liongard.com/en/articles/12936905-incident-review-liongard-agent-update-sentinelone-false-positive

    US6 Instance
    Sat 29
    Sun 30
    Mon 1
    Tue 2
    Wed 3
    Thu 4
    Fri 5
    now
    Liongard Agent Update & SentinelOne False Positive
    Started 25 Nov 2025 23:05:29 (11 days ago), still ongoing
    Incident without Impact
    Monitoring

    US7 Instance
    Liongard Agent Update & SentinelOne False Positive
    Started 25 Nov 2025 23:05:29 (11 days ago), still ongoing
    Incident without Impact
    Monitoring

    US8 Instance
    Liongard Agent Update & SentinelOne False Positive
    Started 25 Nov 2025 23:05:29 (11 days ago), still ongoing
    Incident without Impact
    Monitoring

    US9 Instance
    Liongard Agent Update & SentinelOne False Positive
    Started 25 Nov 2025 23:05:29 (11 days ago), still ongoing
    Incident without Impact
    Monitoring

    US10 Instance
    Liongard Agent Update & SentinelOne False Positive
    Started 25 Nov 2025 23:05:29 (11 days ago), still ongoing
    Incident without Impact
    Monitoring

    US11 Instance
    Liongard Agent Update & SentinelOne False Positive
    Started 25 Nov 2025 23:05:29 (11 days ago), still ongoing
    Incident without Impact
    Monitoring

    Liongard AUS Instances

    AUS1 Instance
    Liongard Agent Update & SentinelOne False Positive
    Started 25 Nov 2025 23:05:29 (11 days ago), still ongoing
    Incident without Impact
    Monitoring

    AUS2 Instance
    Liongard Agent Update & SentinelOne False Positive
    Started 25 Nov 2025 23:05:29 (11 days ago), still ongoing
    Incident without Impact
    Monitoring
    US1 Instance
    AUS1 Instance
    EU1 Instance
    UK1 Instance
    CA1 Instances

    --Executive Summary

    Liongard recently deployed an update to the Liongard Agent that unintentionally introduced instability in some partner environments. The update included a new Nmap-based enhancement for Network Discovery, but the way this capability was packaged and distributed resulted in several endpoint protection platforms—most notably SentinelOne—flagging legitimate components as malicious.

    This issue was not due to a security compromise, but rather to how the Nmap integration was implemented in the agent. Some security solutions interpreted the bundled Nmap installer as a threat, leading to quarantines and—in more severe cases—temporary loss of network connectivity on protected endpoints.

    Liongard takes full responsibility for the disruption this caused.

    To immediately mitigate partner impact, we are releasing Agent version 5.1.1, which removes the Nmap integration entirely and clears existing Nmap files from the Liongard Agent directory. This rollback will temporarily pause Network Discovery functionality until it is reintroduced with a more compatible, rigorously validated design in version 5.1.2.

    --Detailed Technical Analysis

    --What Happened

    Agent versions 5.0.4 through 5.1.0 introduced Nmap to expand Network Discovery capabilities. Although secure and intentional, the method of bundling this tool resulted in some EDR/AV vendors misidentifying it as a “Hacking Tool.”

    Because of this misalignment between our packaging approach and security vendor expectations, certain policies responded aggressively, quarantining files or disabling network adapters entirely.

    --Root Cause

    The issue originated from how the Nmap installer was included and delivered within the Liongard Agent. While Nmap itself is widely used and trusted, our deployment approach triggered behavior- and signature-based detections in several protection platforms.

    This was a preventable integration challenge on our part, and we are taking action to ensure it does not recur.

    --Immediate Remediation: Agent 5.1.1

    To stabilize partner environments, Agent 5.1.1 will:

    · Fully remove the Nmap installer from the agent

    · Remove any existing Nmap files from previously installed versions

    · Prevent further EDR false positives related to this release

    · Temporarily suspend Network Discovery Inspector functionality

    Work is already underway on Agent 5.1.2, which will restore Network Discovery using an approach that aligns with modern EDR expectations and vendor security criteria.

    --Moving Forward: Improvements & Preventive Measures

    Liongard is committed to learning from this event and improving both our release processes and our diligence around security vendor compatibility.

    1. Strengthened Pre-Release Testing With Security Vendors

    We are expanding testing and validation across multiple EDR/AV vendors—including SentinelOne, CrowdStrike, and Microsoft Defender—to ensure future changes are recognized as safe before release.

    2. Enhanced Packaging & Architecture Review

    Before introducing utilities or scanning tools like Nmap, our engineering teams will now perform deeper compatibility reviews tailored to how EDRs evaluate installers, command-line utilities, and network-scanning behaviors.

    3. Earlier & More Detailed Partner Communication

    Future architectural updates will be accompanied by:

    · Clear technical preparation steps

    · Updated EDR allowlisting guidance

    · Early communication for partners with strict security postures

    4. Expanded Internal Validation

    We are enhancing our release pipeline to include:

    · Multi-vendor false-positive testing

    · Behavior-based security scanning

    These steps are designed to prevent similar disruptions and ensure future enhancements are introduced with the necessary rigor and validation.

    --Closing Statement

    We acknowledge the disruption this incident caused and take responsibility for the impact on your operations. Our team is fully committed to resolving the issue, restoring full functionality, and implementing the improvements needed to prevent this from happening again.

    Thank you for your continued partnership and patience as we work through this with urgency and care. If you have any questions or need support with affected endpoints, please reach out to Liongard Support.

    https://support.liongard.com/en/articles/12936905-incident-review-liongard-agent-update-sentinelone-false-positive

    Liongard EU Instances

    EU1 Instance

    Liongard UK Instances

    UK1 Instance

    UK2 Instance

    Liongard CA Instances

    CA1 Instances

    CA2 Instance