Team: Huntress EDR
Product: 3rd Party Antivirus, EDR/MDR (SentinelOne, ESET, BitDefender, Symantec, Sophos, Webroot, ThreatLocker)
Environment: Exclusion list / Allow list
Summary: To allow full functionality, the Huntress Agent software may need to be added to the allow list of third-party security software.
Are Huntress exclusions necessary in third-party security software?
The Huntress Agent operates in read-only mode, so it usually does not get flagged by other security products. However, there are occasions where a third-party AV / EDR / MDR is present with alert settings on high, resulting in the Huntress Agent being flagged.
Note on some NGAVs: The Huntress Agent scans auto-runs in read-only mode and hashes the files. This tips off some NGAV products, depending on their configuration. Please create exclusions if you are experiencing network slow-down, CPU spikes, etc. related to the Huntress Agent.
We have observed unintended behavior when the Huntress Agent is not in the exclusion list (allowlisted/whitelisted) of the following products:
- BitDefender
- ESET
- HP SureSense will also block the installer for the Huntress Agent. See HP SureSense Blocks Huntress Download for more information.
- SentinelOne (depends on how strict policies are)
- Sophos (Ransomware Detection/CryptoGuard)
- Symantec Endpoint Security
- ThreatLocker (use learning mode)
- Webroot
- Windows Defender with ASR rules in place (rare)
We recommend adding the Huntress executables to your exclusion list:
C:\Program Files\Huntress\HuntressUpdater.exe
C:\Program Files\Huntress\HuntressAgent.exe
C:\Program Files\Huntress\Rio\Rio.exe
C:\Program Files\Huntress\hUpdate.exe
C:\Windows\System32\Drivers\HuntMon.sys
Additionally, you may need the following exclusions in order to install Huntress:
C:\Program Files\Huntress\wyUpdate.exe
$env:temp\HuntressInstaller.exe
C:\Windows\INF\HuntMon.inf
On 32-bit Windows, use "Program Files (x86)" instead of "Program Files".
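For the Windows Defender with ASR rules case listed above, the following PowerShell audits the recommended paths before excluding them: a path exclusion trusts whatever file sits at that path, so the script reports whether each file exists and who signed it. This is an added example, not Huntress's own tooling; the `$Apply` switch variable and the report layout are assumptions made here, and third-party products need the same paths entered in their own consoles.

```powershell
# Added example (not from Huntress). Run from an elevated PowerShell prompt.
# The path list is copied from this article; $Apply is a hypothetical switch.
$Apply = $false   # set to $true only after reviewing the Signer column

$paths = @(
    'C:\Program Files\Huntress\HuntressUpdater.exe',
    'C:\Program Files\Huntress\HuntressAgent.exe',
    'C:\Program Files\Huntress\Rio\Rio.exe',
    'C:\Program Files\Huntress\hUpdate.exe',
    'C:\Windows\System32\Drivers\HuntMon.sys'
)

# Paths already excluded from Defender ASR rules (empty if none are set).
$asrExcluded = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)

$report = foreach ($p in $paths) {
    $present = Test-Path -LiteralPath $p
    # Only query the signature for files that actually exist.
    $sig = if ($present) { Get-AuthenticodeSignature -LiteralPath $p } else { $null }
    [pscustomobject]@{
        Path        = $p
        Present     = $present
        Signature   = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
        Signer      = if ($sig -and $sig.SignerCertificate) {
                          $sig.SignerCertificate.Subject
                      } else { 'none' }
        AsrExcluded = $asrExcluded -contains $p
    }
}
$report | Format-List

# Candidates: file exists, signature validates, not yet excluded.
$candidates = $report | Where-Object {
    $_.Present -and $_.Signature -eq 'Valid' -and -not $_.AsrExcluded
}

foreach ($c in $candidates) {
    if ($Apply) {
        # Exempts this one file from ASR rules only, not from Defender scanning.
        Add-MpPreference -AttackSurfaceReductionOnlyExclusions $c.Path
        Write-Host "Added ASR exclusion: $($c.Path)"
    } else {
        Write-Host "Would add ASR exclusion: $($c.Path)"
    }
}
```

A file reported as missing, unsigned, or with a signature status other than Valid is left out of the exclusion list and should be investigated before it is excluded by hand.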