Team: Huntress EDR
Product: Managed AV
Environment: Windows, Huntress.io portal
Summary: Migrate from 3rd party AV to Defender.
Moving to Huntress Managed AV is a pretty straightforward process, but removing the previous antivirus can come with some hiccups along the way if you're unprepared.
Here is the process that we recommend to our partners when making the transition to Huntress Managed AV:
- Select a smaller client with minimal agents to test your removal process. We recommend this for two reasons: first, so that you can test that the actual removal method is functioning properly, and second, to ensure that you’ve ironed out any issues before creating a large headache for your team.
- In your antivirus console, review any current exclusions for that client for validity. Once all are confirmed, set all the valid exclusions under Huntress Managed AV.
  - Currently, these are the only valid exclusions you can make:
    - File/Path exclusions - type out the file you want to exclude (e.g., C:\Program Files\Huntress\HuntressAgent.exe). Path exclusions are never recommended but can be done in the same fashion.
    - Extension exclusions - type the extension name of the extensions you'd like to exclude from scanning (e.g., *.txt)
    - Process exclusions - type the full path of programs you'd like to exclude (e.g., C:\tester.exe)
  - For guidance on how to set exclusions: Huntress Managed AV Exclusions
- While in the Huntress Dashboard under Managed Antivirus, set the Organization’s Antivirus configuration Mode from Audit to Enforce.
- Once you have your test client chosen, exclusions in place, and your Organization Antivirus Configuration set to Enforce, follow your antivirus’s Knowledge Base for removing agents.
- Once the previous antivirus is uninstalled, Microsoft Defender Antivirus will turn back on automatically. The Huntress Agent will observe this and report back to the Huntress Dashboard. The Huntress Dashboard takes two check-ins to update the Managed Antivirus status. This process can take around 30 minutes but could take up to several hours.
- Review your Huntress portal for the client that you chose and confirm that you see the green shield on the agents from which you removed the antivirus.
Agents with the purple padlock icon have another AV installed, reporting that it's running properly and Defender is Disabled:
Agents with the green shield icon have Defender enabled, running properly and within guidelines for definition updates and recent scan:
- Once the process is complete with the smaller test client, note any steps that were taken to remediate issues, so they can be scripted for future clients. We recommend you then follow the same process with any of the remediation steps previously documented to complete the remainder of your clients.
Final Caveat:
If you see more than 1 registered AV on each machine, you may need to go through this article: Troubleshooting the Removal of Previous Antivirus
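A post-removal check to run on the endpoint while waiting for the dashboard to update, added here as an example and not Huntress-provided code. It uses the built-in `Get-CimInstance` and `Get-MpComputerStatus` cmdlets; the function name and the age thresholds are assumptions, since the article does not state the values behind "within guidelines".

```powershell
# Added example, not Huntress code. Thresholds are assumptions; the article
# does not state the values behind "within guidelines".
function Test-DefenderAfterAvRemoval {
    param(
        [int]$MaxSignatureAgeDays = 7,   # assumed
        [int]$MaxScanAgeDays      = 14   # assumed
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # AV products registered with Windows Security Center. This namespace
    # exists on workstation editions only, so errors are tolerated.
    $names = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty displayName | Sort-Object -Unique)
    if ($names.Count -gt 1) {
        $findings.Add("More than one registered AV: $($names -join ', ')")
    }

    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        $findings.Add("Get-MpComputerStatus failed: $($_.Exception.Message)")
        $mp = $null
    }

    if ($mp) {
        if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender antivirus is not enabled') }
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
        if ($mp.AMRunningMode -and $mp.AMRunningMode -ne 'Normal') {
            $findings.Add("Defender running mode is '$($mp.AMRunningMode)'")
        }
        if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $findings.Add("Definitions are $($mp.AntivirusSignatureAge) days old")
        }
        # Scan ages are in days; a scan that never ran reports a very large value.
        $scanAge = [Math]::Min([double]$mp.QuickScanAge, [double]$mp.FullScanAge)
        if ($scanAge -gt $MaxScanAgeDays) {
            $findings.Add('No quick or full scan within the allowed window')
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RegisteredAV = $names -join ', '
        Healthy      = ($findings.Count -eq 0)
        Findings     = $findings -join '; '
    }
}

Test-DefenderAfterAvRemoval
```

A machine that reports more than one registered AV, or a running mode other than `Normal`, is a candidate for the troubleshooting article referenced above.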