Antivirus and malware software interactions with Snare

Most organisations will be running antivirus or malware protection from some vendor. In general, Snare agents have no known problems with antivirus software. Some antivirus products that perform network packet monitoring can raise alerts, because the Snare agent sends logs regularly and consistently to another system, and the product may flag that behaviour as suspicious. Some products also enable Filtering Platform events in the Windows event subsystem when they are doing IDS/IPS or firewall log monitoring. This can be problematic, because the act of sending a log to a SIEM system generates another audit event, so it is possible to end up in a race condition with this type of monitoring, where each forwarded event produces a new event to forward. This has mostly been observed with McAfee, but in general it works fine.
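The Filtering Platform problem described above can be measured rather than guessed at. The PowerShell script below is an added example, not Snare's own code or tooling: it checks whether the "Filtering Platform Connection" audit subcategory is enabled, then counts the Security event ID 5156 (permitted connection) records of the last 15 minutes and attributes them to the forwarding process and its SIEM port. The agent executable name and SIEM port are placeholders, not values taken from the Snare documentation.

```powershell
# Added example (not Snare's own code): measure how much Windows Filtering Platform
# audit noise a log-forwarding process generates. Assumptions: the agent process
# name and SIEM port below are placeholders, not values from the Snare documentation.
$AgentExe = 'SnareAgentPlaceholder.exe'   # placeholder: replace with the real forwarder binary name
$SiemPort = 6161                          # placeholder: replace with your SIEM/collector port
$Window   = (Get-Date).AddMinutes(-15)

# 1. Is the subcategory that produces the per-connection audit events enabled at all?
#    "Filtering Platform Connection" is the subcategory behind Security event ID 5156
#    (permitted connection) and 5157 (blocked connection). /r gives CSV output.
$policy = auditpol /get /subcategory:"Filtering Platform Connection" /r | ConvertFrom-Csv
$policy | Select-Object Subcategory, 'Inclusion Setting'

# 2. Count 5156 events in the window and attribute them to the forwarder.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $Window } `
                       -ErrorAction SilentlyContinue

$byApp = foreach ($e in $events) {
    # EventData of 5156 carries Application (device path of the process), DestAddress, DestPort, ...
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Application = $d['Application']
        DestPort    = $d['DestPort']
        Time        = $e.TimeCreated
    }
}

$fromAgent = @($byApp | Where-Object { $_.Application -like "*$AgentExe*" })
$toSiem    = @($fromAgent | Where-Object { $_.DestPort -eq "$SiemPort" })

"5156 events in window : {0}" -f @($events).Count
"  from forwarder      : {0}" -f $fromAgent.Count
"  to SIEM port        : {0}" -f $toSiem.Count

# 3. Interpretation: if most of the 5156 volume comes from the forwarder's own connection
#    to the SIEM, every event forwarded is producing a new audit event to forward.
#    One mitigation is to stop success auditing for this subcategory (or have the
#    AV/firewall product stop enabling it) rather than to filter at the agent:
#    auditpol /set /subcategory:"Filtering Platform Connection" /success:disable
```

Run it in an elevated PowerShell session, since reading the Security log and auditpol both need administrator rights. A high "to SIEM port" count relative to the total is the signature of the self-feeding loop the text describes; a count near zero means the noise is coming from something else and the agent is not the cause.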

Some of the AV and malware vendors that Snare agents have been known to work fine with are:

  • Trend Micro (Deep Security and Apex One)

  • Symantec

  • Sophos

  • Clam AV

  • Crowdstrike

  • Palo Alto

  • Microsoft Defender

  • McAfee

The Snare agents should also work fine with other platforms. If a customer experiences any issues, they should raise a support ticket so the support or development teams can investigate: https://jsd.prophecyinternational.com/servicedesk/customer/portal/3/user/login?destination=portal%2F3

The Snare agents are also periodically checked on VirusTotal, which scans across all the major vendors, and have no known problems.

The Snare agents are internally scanned for malware during the build and release process. The Snare License and Download Manager (SLDM) portal contains file hash details created from the build process, so a customer can validate a download against them. The Snare Windows and desktop agents are also digitally signed with a code signing certificate to validate the software.
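The hash in the SLDM portal and the code signing certificate are two separate checks, and a customer should run both before installing. The script below is an added example, not Snare's or SLDM's own tooling: it compares the SHA-256 of a downloaded installer with the hash copied from the portal and inspects the Authenticode signature. The installer path and the expected hash are placeholders; the real hash comes from the SLDM download page for that exact release.

```powershell
# Added example (not Snare's own code): validate a downloaded Snare agent installer
# against the hash published in the SLDM portal and check its Authenticode signature.
# Assumptions: the file path and the expected hash are placeholders; take the real
# hash from the SLDM download page for that exact release.
param(
    [string]$InstallerPath  = 'C:\Downloads\SnareAgentInstaller.PLACEHOLDER.msi',
    [string]$ExpectedSha256 = 'PASTE-SHA256-FROM-SLDM-PORTAL-HERE'
)

function Test-SnareDownload {
    param([string]$Path, [string]$ExpectedHash)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Installer not found: $Path"
    }

    # 1. Hash check: proves the file is the one the build produced. Compare
    #    case-insensitively, as portals may publish upper- or lower-case hex.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = $actual -ieq $ExpectedHash

    # 2. Signature check: proves who signed it and that it is unmodified since signing.
    #    'Valid' = chain built and file intact; 'HashMismatch' = changed after signing;
    #    'NotSigned' = no signature at all; 'NotTrusted' = signer chain not trusted here.
    $sig   = Get-AuthenticodeSignature -LiteralPath $Path
    $sigOk = $sig.Status -eq 'Valid'

    [pscustomobject]@{
        File             = $Path
        Sha256           = $actual
        HashMatchesSldm  = $hashOk
        SignatureStatus  = $sig.Status
        SignerSubject    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { $null }
        SignerThumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Trusted          = $hashOk -and $sigOk
    }
}

$result = Test-SnareDownload -Path $InstallerPath -ExpectedHash $ExpectedSha256
$result | Format-List

if (-not $result.Trusted) {
    Write-Error "Do not install: hash or signature check failed."
    exit 1
}
```

The two checks catch different failures: a hash mismatch means the download does not match the build the portal describes (corrupt or substituted file), while a signature status other than Valid means the binary was altered after signing or was never signed by the vendor. Confirm that the reported SignerSubject names the expected publisher, since a valid signature from the wrong party is still a failure.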