Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

CrashPlan Cloud, no.

Retired product plans, no.

CrashPlan for Small Business, no.

Best practices for using Code42 with EDR software

Overview

Code42 complements the functionality of many security endpoint detection and response (EDR) applications. Typically these applications work seamlessly with Code42 and do not require any configuration changes.

However, if an EDR application generates a false positive alert that appears to be caused by Code42's software, use this article to determine whether you need to create any exceptions in your EDR. 

Third-party applications
Example endpoint detection and response (EDR) applications include: Carbon Black, CrowdStrike, ESET, Kaspersky, McAfee, SentinelOne, Sophos, and Symantec. For consistency, the term EDR tools is used throughout this article to describe these types of applications, and includes antivirus applications. 
Non-Code42 products
Information about products from other manufacturers is intended as a resource to help you get the most out of Code42 products. However, our Customer Champions cannot provide direct assistance for these products. For assistance with products not developed by Code42, contact the product's manufacturer.
Need help?
For assistance, contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team. If you don't know who your CSM is, contact our Customer Champions for support.

Considerations

  • The exact set of Code42 paths and files will change from release to release.
  • User detection, which runs during Code42 app deployment, can trigger an alert on some systems because it performs a shell execution in a PowerShell or batch script. User detection only occurs during deployment and has several mitigations that do not require setting global exceptions. For help with Code42 app deployment, contact your CSM to engage our Professional Services team.

Code42's EDR support policy

The Code42 app does not require specific exceptions or configuration in EDR tools in order to function. Follow these best practices:

  • Inform your security and endpoint management teams about the Code42 app at deployment time. Tell them to refer to this article if they have questions.
  • Do not proactively create exclusions for the Code42 app.

If you encounter false positive alerts that appear to occur because of the Code42 app, use this article to identify Code42 file paths and executable names. Then use that information to help you decide if you need to create any exceptions based on the specific event in your environment. Avoid adding wholesale exceptions for all Code42 folders.

EDR policies, practices, and configurations are very complex and specific to each organization's goals, objectives, and risk tolerance. While Code42 is the expert on how our Code42 app is packaged and distributed and on how it operates at runtime, we cannot advise on other solutions. We can assist in diagnosing legitimate behavior, but it is not Code42's goal to dictate how to manage other vendors' products.

Why might Code42 generate EDR false positive alerts?

The Code42 app requires full disk access, reads many files, and auto-updates itself. These are all valuable features that enable Code42 to provide continuous monitoring. However, these activities may initially be identified as suspicious behavior by EDR tools that use heuristics and machine learning to augment content definitions and policy. 

In most cases, EDR tools don't necessarily categorize the Code42 app as malware or a virus, but Code42 activity without context may appear suspicious enough to generate an alert the first time it occurs. Depending on how your EDR tool is configured and how you respond to the initial alert, the tool may learn to correctly categorize Code42 activity as approved and trusted behavior, or it may incorrectly generate more alerts.

False positive alerts are not unique to the Code42 app. Many other endpoint applications are subject to the same scrutiny by EDR tools and may require administrator action upon initial installation or after an upgrade. If other endpoint applications in your environment require permissions similar to those of Code42, you may be able to use them as a template for responding to alerts and applying exceptions for the Code42 app.

Add EDR exceptions

If you decide to create exceptions in your EDR applications, use the following guidelines.

Incydr Professional, Enterprise, Horizon, and Gov F2

Incydr Basic, Advanced, and Gov F1
