Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: 3rd Party security software like SentinelOne, ESET, BitDefender, Symantec, Sophos, Webroot, ThreatLocker, Fortinet, HP SureSense, Defender ASR, and Sentinel One. Desired State Configuration (DSC) and Backup software can also cause issues if they are not properly configured to exclude Huntress.
Environment: Exclusion list / Allow list
Summary: In order to allow full functionality, the Huntress Agent will need to be added to the allow list / Exclusion list of third-party security software such as AV, NGAV, and most *DR products.
The Huntress Agent and EDR both scan in read-only mode, however due to the nature of what we are scanning it can definitely cause false positives with other security software (and in some cases, the interference will not be apparent in your security software). You'll need to create exclusions if you are experiencing network slow-down, CPU spikes, high memory usage, programs not opening or slow to open, Huntress services not running, Huntress unable to install, or Huntress agent not reporting in. This has been observed primarily in Windows environments but the same interference is possible in macOS and Linux environments as well.
We have observed unintended behavior when the Huntress Agent is not in the exclusion list (allow listed/whitelisted) from the following products. This is not an exhaustive list, just confirmed cases of interference.
- Any AV that has an MS Office monitor (usually Excel)
- BitDefender
- ESET
- Fortinet (especially FortiClient w/Excel monitor)
- HP SureSense will also block the installer for the Huntress Agent. See HP SureSense Blocks Huntress Download for more information
- NGAV (multiple brands) can cause false positives when we hash the files (a read-only operation)
- SentinelOne - if prompted for type of exclusion, choose "Performance Focus - extended" (if not available it may be called "Performance")
- Sophos (Ransomware Detection/CryptoGuard)
- Symantec Endpoint Security
- ThreatLocker (use learning mode to fix, allow/exclusion list is insufficient in most cases)
- If installing via GPO, make sure to excluded our URL's in the Powershell policy to prevent "silent" Ringfence denies
- Webroot
- Windows Defender with ASR rules or CFA in place (both rare)
Interfering behavior has also been observed from:
- Desired State Configuration software, like Immybot, you must exclude Huntress from any DSC software.
- Backup software, you must exclude the Huntress folder from being backed up; otherwise, Huntress Tamper Protection may interfere. This includes backup devices that can spin up an OS image.
Applications that utilize the Microsoft Volume Shadow Copy Service (VSS) may produce CAPI2 (EventID: 513) errors if the software attempts to snapshot the Huntress application or any of it's services.
- Installing SQL can sometimes be blocked by Huntress Tamper Protection when SQL attempts to scan the Huntress folder. Creating a temporary Tamper Protection exclusion for that end point should allow for a SQL install.
Windows
We recommend adding the Huntress assets to your exclusion list:
C:\Program Files\Huntress\HuntressUpdater.exe
C:\Program Files\Huntress\HuntressAgent.exe
C:\Program Files\Huntress\Rio\Rio.exe
C:\Program Files\Huntress\hUpdate.exe (legacy installs, not used by all agents)
C:\Windows\System32\Drivers\HuntMon.sys
Additionally, you may need the following exclusions in order to install Huntress:
$env:temp\HuntressInstaller.exe
C:\Windows\INF\HuntMon.inf
32-bit Windows use "Program Files (x86)" instead of "Program Files"
macOS
/Applications/Huntress.app/Contents/MacOS/Huntress
/Applications/Huntress.app/Contents/MacOS/HuntressAgent
/Applications/Huntress.app/Contents/MacOS/HuntressUpdater
/Applications/Huntress.app/Contents/MacOS/HuntressMacUpdate
/Applications/Huntress.app/Contents/Library/SystemExtensions/com.huntress.sysext.systemextension/Contents/MacOS/com.huntress.sysext
/Applications/Huntress.app/Contents/XPCServices/EDRConnection.xpc/Contents/MacOS/EDRConnection
Linux
/usr/share/huntress/huntress-agent
/usr/share/huntress/huntress-updater
/usr/share/huntress/rio/rio