Who is this article for?

Incydr
Code42 for Enterprise
CrashPlan for Enterprise
CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, yes.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Other available versions:

On-premises

Best practices for using Code42 with antivirus or EDR software

Overview

Code42 complements the functionality of many security, antivirus, and endpoint detection and response (EDR) applications. Most of these applications work seamlessly with Code42 and do not require any configuration changes.

However, some applications may require you to add exceptions to ensure Code42 security monitoring, software updates, and backup activity operate efficiently, without interruption, and without generating unnecessary false positive alerts. Adding exceptions for Code42 also reduces resource contention and helps prevent heavy CPU usage caused by Code42 and other applications competing for locked files and system resources. 

This article describes several methods for:

  • Adding exceptions to allow Code42 activity
  • Reducing potential Code42 conflicts with other applications

Third-party applications
Example security, antivirus, and endpoint detection and response (EDR) applications include: Carbon Black, CrowdStrike, ESET, Kaspersky, McAfee, SentinelOne, and Sophos.

For consistency, the term EDR tools is used throughout this article to describe these types of applications. 

Why might Code42 generate EDR false positive alerts?

The Code42 app requires full disk access, reads many files, and auto-updates itself. These are all valuable features that enable Code42 to provide continuous security monitoring. However, these activities may initially be identified as suspicious behavior by EDR tools that use heuristics and machine learning to augment content definitions and policy. 

In most cases, EDR tools don't necessarily categorize the Code42 app as malware or a virus, but Code42 activity without context may appear suspicious enough to generate an alert the first time it occurs. Depending on how your EDR tool is configured and how you respond to the initial alert, the tool may learn to correctly categorize Code42 activity as approved and trusted behavior, or it may incorrectly generate more alerts.

See below for options to manually configure your EDR tool to allow Code42 activity.

Review other applications
False positive alerts are not unique to the Code42 app. Many other endpoint applications are subject to this same scrutiny by EDR tools and may require administrator action upon initial installation or after an upgrade.

If other endpoint applications in your environment require permissions similar to those Code42 requires, you may be able to use them as a template for responding to alerts and applying exceptions for the Code42 app.

Add EDR exceptions for Code42

Non-Code42 products
Information about products from other manufacturers is intended as a resource to help you get the most out of Code42 products. However, our Customer Champions cannot provide direct assistance for these products. For assistance with products not developed by Code42, contact the product's manufacturer.

Most EDR tools allow you to create proactive exception policies to suppress alerts for specific behaviors or trusted applications. Common criteria for defining exception policies include:

  • File hash: Uses the hash value of the Code42 app executable file. This is generally the most secure and restrictive approach, because it uses a file hash for a specific instance of an executable file. However, since the hash changes with each new Code42 app patch or update, this method requires ongoing maintenance.
  • Digital signer: Uses the thumbprint, hash, or common name of the signing certificate for the Code42 app bundle or executable. This method cryptographically proves Code42 built and signed the application, regardless of its file name, version number, or file path location on the endpoint. The digital signature changes each time the certificate is renewed. The renewal interval can be as long as 36 months, but renewal often occurs more frequently.
    Note: The Code42 app uses documented best practices for signing our application that are consistent with Gatekeeper and AppLocker requirements, such as app notarization and Authenticode digital signing.
  • File path or pattern: Uses the Code42 app file path, directory, or related pattern. This is less likely to change with each Code42 app release, but still may change as new functionality, branding, or operating system changes occur. This method presents the greatest security risk, because trusting an entire directory or a file name without specifying a digital signature or hash provides the potential for untrusted applications to also be launched from that location. Code42-specific file paths are listed below.

Your EDR tool may provide additional or different options for creating exception policies; consult with your EDR vendor and your own security team to construct appropriate policy and configuration to avoid excessive alerting.  

Depending on your risk tolerance, we recommend creating policies based on the most long-lived attributes you are willing to accept.

Test new Code42 app versions
The criteria used for each type of exception above can change when a new Code42 app version is released. To help you prepare for upcoming changes, Code42's delayed client upgrade settings allow you to test new Code42 app versions on a small group of devices to make sure your exception policies are up-to-date.

By testing a small group of devices first, you can respond to alerts and adjust your EDR policies as necessary before updating all users in your Code42 environment.
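The pre-rollout check described above, applied to hash-based exceptions, as an added example that is not Code42's own tooling: it hashes the binaries on a pilot device and reports which ones the current allowlist no longer covers, and which allowlisted hashes no longer match anything on disk. The file names, suffix list, and fixture contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes treated as code on Windows; elsewhere the execute bit is used.
BINARY_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large binaries are not read into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_exception_drift(install_dir, allowed_hashes):
    """Return (uncovered, stale): binaries with no matching hash exception,
    and allowlisted hashes that match no binary on disk."""
    root = Path(install_dir)
    allowed = {h.lower() for h in allowed_hashes}
    on_disk = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        if path.suffix.lower() in BINARY_SUFFIXES or path.stat().st_mode & 0o111:
            on_disk[path.relative_to(root).as_posix()] = sha256_file(path)
    uncovered = {p: h for p, h in on_disk.items() if h not in allowed}
    stale = allowed - set(on_disk.values())
    return uncovered, stale


def demo():
    """Constructed fixture: one binary changed by an update, one unchanged."""
    old_build, new_build, helper = b"service build 1", b"service build 2", b"helper"
    allowlist = {hashlib.sha256(old_build).hexdigest(),
                 hashlib.sha256(helper).hexdigest().upper()}
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "service.exe").write_bytes(new_build)
        (Path(tmp) / "helper.dll").write_bytes(helper)
        (Path(tmp) / "readme.txt").write_text("not a binary")
        return hash_exception_drift(tmp, allowlist)


if __name__ == "__main__":
    print(demo())
```

Entries in the first result need a new exception before the wider rollout; entries in the second can be retired once no device runs the old version.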

Code42 file paths

To create exceptions based on file paths or directories, allow activity from these locations: 

Code42 app files

Windows

Mac

Linux

Code42 configuration files

  • Windows: C:\ProgramData\CrashPlan\conf
    To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy for file locations.
  • Mac: /Library/Application Support/CrashPlan/conf/
    If you installed per user, see the file and folder hierarchy for file locations.
  • Linux: /usr/local/crashplan/conf
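Because a file-path exception trusts whatever sits in the directory, one check to run before adding one is whether anything other than a privileged account can write there. The following is an added example, not Code42 or EDR vendor code; it covers POSIX systems only (the Mac and Linux paths above), and treating uid 0 as the only trusted owner is an assumption to adjust for your environment.

```python
import os
import stat
import tempfile

# Mac and Linux configuration directories listed on this page.
PAGE_PATHS = ["/Library/Application Support/CrashPlan/conf/",
              "/usr/local/crashplan/conf"]


def audit_excluded_dir(directory, trusted_uids=(0,)):
    """List entries in an excluded directory that an unprivileged account
    could replace: untrusted owner, or group/world write permission."""
    if not os.path.isdir(directory):
        return [(".", "missing or not a directory")]
    paths = [directory]
    for base, dirs, files in os.walk(directory, followlinks=False):
        paths += [os.path.join(base, name) for name in dirs + files]
    findings = []
    for path in sorted(paths):
        info = os.lstat(path)                      # never follow symlinks
        rel = os.path.relpath(path, directory)
        if info.st_uid not in trusted_uids:
            findings.append((rel, f"owned by uid {info.st_uid}"))
        if not stat.S_ISLNK(info.st_mode) and info.st_mode & 0o022:
            findings.append((rel, "group- or world-writable"))
    return findings


def demo():
    """Constructed fixture standing in for an excluded directory."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "conf")
        os.mkdir(conf)
        os.chmod(conf, 0o755)
        for name, mode in (("settings.xml", 0o644), ("dropped.bin", 0o666)):
            path = os.path.join(conf, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample")
            os.chmod(path, mode)
        # The fixture is owned by the current user, so trust that uid here.
        return audit_excluded_dir(conf, trusted_uids=(os.getuid(),))


if __name__ == "__main__":
    for path in PAGE_PATHS:
        print(path, audit_excluded_dir(path))
    print("fixture:", demo())
```

An empty result means only the trusted owner can modify the excluded location; any finding is a reason to fix permissions first or to prefer a signer- or hash-based exception.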

Additional considerations for Code42 backup activity

Add EDR exceptions for Code42 backup archives and caches

We recommend excluding Code42 archive and cache files from antivirus and EDR monitoring. It's not useful to include these files because:

  • Backup archives are compressed and encrypted. Even if a backup archive contains a malicious file, antivirus or EDR software cannot inspect the contents of an archive. Furthermore, malicious files cannot activate or spread while in a compressed and encrypted form. Most importantly, backup archives only contain data that is already stored elsewhere. To detect malicious files, scan the source, not the backup archive.
  • Cache files are benign records of Code42 operations. They only contain information about Code42 activity, and therefore they can be ignored by scans.

Add Code42 backup exclusions for EDR cache files

As EDR tools scan user devices, they create cache files. Depending on your backup file selection, Code42 may attempt to back up these cache files. We recommend excluding these caches from your file selection for several reasons:

  • The need to restore these cache files is very unlikely.
  • EDR tools might attempt to scan the cache files Code42 creates while backing up the EDR tool's own cache, which causes an endless loop.

To exclude the cache from your backup:

  1. Consult your EDR tool's documentation to find the app's cache location.
  2. Sign in to the Code42 console.
  3. Go to Organizations > Active.
  4. Verify that the Use device defaults from parent setting is enabled for all of the organizations under the parent.  
  5. Select the parent organization.
  6. Click the action menu, and choose Edit.
  7. Click the Backup tab. 
  8. Use the File Selection settings to exclude the cache location for all devices in your Code42 environment.
  9. Click Save.

Restore considerations

Restoring a large number of files might cause your antivirus or EDR program to examine each file as Code42 restores it. This causes your restore job to take longer than usual. To speed up the restore, consider temporarily pausing the antivirus or EDR application.