Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: 3rd Party Antivirus, EDR/MDR/XDR (SentinelOne, ESET, BitDefender, Symantec, Sophos, Webroot, ThreatLocker, Fortinet, HP SureSense, Defender ASR)
Environment: Exclusion list / Allow list
Summary: To allow full functionality, the Huntress Agent may need to be added to the allow list / exclusion list of third-party security software such as AV, NGAV or *DR.
The Huntress Agent and EDR both scan in read-only mode; however, because of what we are scanning, this can cause false positives in other security software. You'll need to create exclusions if you are experiencing network slowdown, CPU spikes, high memory usage, programs not opening or slow to open, Huntress services not running, Huntress unable to install, or the Huntress agent not reporting in. This has been observed primarily in Windows environments, but the same interference is possible in macOS environments as well.
We have observed unintended behavior when the Huntress Agent is not on the exclusion list (allow listed/whitelisted) of the following products:
- Any AV that has an MS Office monitor (usually Excel)
- BitDefender
- ESET
- Fortinet (especially FortiClient w/Excel monitor)
- HP SureSense will also block the installer for the Huntress Agent. See "HP SureSense Blocks Huntress Download" for more information.
- NGAV (multiple brands) can cause false positives when we hash the files (a read-only operation)
- SentinelOne (if prompted for type of exclusion, choose "Performance Focus - extended")
- Sophos (Ransomware Detection/CryptoGuard)
- Symantec Endpoint Security
- ThreatLocker (use learning mode to fix)
- Webroot
- Windows Defender with ASR rules or CFA in place (rare)
Windows
We recommend adding the Huntress assets to your exclusion list:
C:\Program Files\Huntress\HuntressUpdater.exe
C:\Program Files\Huntress\HuntressAgent.exe
C:\Program Files\Huntress\Rio\Rio.exe
C:\Program Files\Huntress\hUpdate.exe
C:\Windows\System32\Drivers\HuntMon.sys
Additionally, you may need the following exclusions in order to install Huntress:
$env:temp\HuntressInstaller.exe
C:\Windows\INF\HuntMon.inf
On 32-bit Windows, use "Program Files (x86)" instead of "Program Files".
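For the Windows Defender ASR/CFA case in the list above, the following added example (not Huntress code) allow-lists each Windows file by full path, and only after its Authenticode signature validates. The function name and the `-ExpectedSigner` value are assumptions: supply the publisher name you have confirmed on a known-good Huntress installer.

```powershell
# Added example. Run elevated on a host where Defender ASR rules or CFA are enforced.
function Add-HuntressDefenderAllowList {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: publisher name expected in the signing certificate subject.
        [Parameter(Mandatory)][string]$ExpectedSigner
    )
    # Use whichever Program Files root actually holds the agent (see the 32-bit note above).
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Huntress' } |
        Where-Object { Test-Path -LiteralPath $_ }
    $names = 'HuntressUpdater.exe', 'HuntressAgent.exe', 'Rio\Rio.exe', 'hUpdate.exe'
    $files = @(foreach ($r in $roots) { foreach ($n in $names) { Join-Path $r $n } })
    $files += Join-Path $env:SystemRoot 'System32\Drivers\HuntMon.sys'

    foreach ($file in $files) {
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "Not present, skipped: $file"
            continue
        }
        # Never exclude a path whose current contents are unsigned or signed by someone else.
        $sig = Get-AuthenticodeSignature -LiteralPath $file
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $subject -notlike "*$ExpectedSigner*") {
            Write-Warning "Signature check failed ($($sig.Status); '$subject'), skipped: $file"
            continue
        }
        if ($PSCmdlet.ShouldProcess($file, 'Add Defender ASR/CFA allow entry')) {
            # Exact file paths only; no folder-wide or wildcard exclusions.
            Add-MpPreference -AttackSurfaceReductionOnlyExclusions $file
            if ($file -like '*.exe') {
                Add-MpPreference -ControlledFolderAccessAllowedApplications $file
            }
        }
    }
    # Return the resulting lists so the change can be reviewed and recorded.
    Get-MpPreference |
        Select-Object AttackSurfaceReductionOnlyExclusions, ControlledFolderAccessAllowedApplications
}
```

Run it with `-WhatIf` first to see which files pass the signature check without changing any Defender settings.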
macOS
/Applications/Huntress.app/Contents/MacOS/Huntress
/Applications/Huntress.app/Contents/MacOS/HuntressAgent
/Applications/Huntress.app/Contents/MacOS/HuntressUpdater
/Applications/Huntress.app/Contents/MacOS/HuntressMacUpdate
/Applications/Huntress.app/Contents/Library/SystemExtensions/com.huntress.sysext.systemextension/Contents/MacOS/com.huntress.sysext
/Applications/Huntress.app/Contents/XPCServices/EDRConnection.xpc/Contents/MacOS/EDRConnection