Managed AV - Alert on Unhealthy/Unmanaged AV Status
complete
Canny AI
Merged in a post:
Alert when Managed AV policies cannot be enforced
J
Joe Pruett
When applying Managed AV policies through the Huntress agent, if the agent attempts to push a policy and is blocked an alert with potentially some error may help. Or potentially some type of Non-Compliant substatus could be created like how there are Defender unheathy substatuses
J
Jason Lang
Thanks all, I came to this request looking for a way to parse out these notifications to our different client's helpdesks. Is it possible to include the client name and possibly the endpoint name in the email notifications that get sent out from these alerts? Currently we get an alert but no specific information is included in the alert, we must login to the Huntress GUI to get any specific info.
Thanks!
T
Taylor Bryant
complete
T
Taylor Bryant
Over the next three days we are rolling out a new Escalation type for Managed Antivirus endpoints that use Microsoft Defender as the primary antivirus. This escalation will trigger for any endpoint that is set to Enforce for Managed Antivirus and the Microsoft Defender Real-time Protection engine has been disabled for longer than 2 hours. There is an ‘Email (Escalations)’ field in the Integration settings in Huntress that determines who is notified when this happens.
Defender has a lot of tools built into it that allow it to self-correct. Based on our research, if the endpoint has the Real-time Protection engine disabled longer than 2 hours, it will most likely need manual intervention to bring it back to a healthy state.
Learn more about Huntress Escalations and get answers to your questions in this article: https://support.huntress.io/hc/en-us/articles/4405464541459-Escalations
Let us know what you think!
R
Rigoberto'la Dickens'la
Taylor Bryant: This is great! It would additionally be great to get a way to tell if the Defender for Endpoint vs Defender free version is enabled. Unfortunately, it doesn't update WMI. We would like to get a Huntress alert if it is only running the free version.
T
Taylor Bryant
in progress
T
Thomas Teitzel
I'd like to see threat detection alerts as well. We had legitimate files quarantined during a script execution that would have been missed until they were required. Just so happened that I checked the Huntress portal and saw the false positives.
T
Taylor Bryant
Merged in a post:
Alerts when Managed AV is Disabled
W
Weldon'la Bauch'la
Today I was in the console reviewing my MSP customers and noticed there was an agent with Defender disabled! This made me wonder why there was no alert when this happens.
T
Taylor Bryant
We're looking at leveraging our existing Escalation flow to alert on enforced endpoints that have Defender Disabled for an extended period of time.
We've done some work behind the scenes to automatically correct endpoints that were unhealthy for other reasons (like scan and signature updates being needed) which has helped a lot there. There isn't much we can do to correct Defender being disabled automatically (AV's don't like external tampering) and it opens the endpoint to the most risk, so that is why we are starting our alerts there.
We want to be able to get this out as soon as possible, so our first iteration won't include PSA integration. These requests specifically called out getting it all the way to a PSA so I just wanted to be transparent on our plan. Just because the first iteration doesn't include PSA integration it doesn't mean we won't get there in the future though.
We're still planning out some details so I won't be able to answer every question at this time, but I just wanted to keep everyone interested in the loop.
Thank you all for your feedback and interest in helping us improve our product!
T
Taylor Bryant
planned
A
Anthony Quaresima
I agree this should be in Halo but we have used our PSA to make sure all defenders are online and if not, raise an alert/ticket as a workaround.
Load More
→