Osquery and other Antimalware and AV products

As a general recommendation, it is a best practice to exclude the following paths from monitoring by AV and antimalware products:

Windows - Exclude the osquery folder:  C:\Program Files\Uptycs\osquery
Linux   - Exclude the osqueryd path:   /usr/bin/osqueryd
Mac     - Exclude the osqueryd path:   /usr/local/bin/osqueryd

This prevents false positives that may arise from osquery caching YARA signatures or other threat intelligence locally.
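The exclusions above are deliberately narrow (one folder or one binary). When rolling them out across a fleet it is worth checking that what actually got configured is neither missing nor broader than intended, since an exclusion of, say, /usr/bin or C:\Program Files shields far more than osquery from the AV engine. The following audit helper is an added example, not Uptycs tooling or part of the original article; the audit_exclusions function, the Audit record and the sample configured lists are constructed for illustration, while the RECOMMENDED paths are the ones given above.

```python
"""Audit an AV/antimalware exclusion list against the osquery paths
recommended in this article. Added example (not Uptycs code): the
audit logic, the Audit record and the sample inputs are constructed."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath, PureWindowsPath

# Recommended exclusions from the article, keyed by platform.
RECOMMENDED = {
    "windows": r"C:\Program Files\Uptycs\osquery",
    "linux": "/usr/bin/osqueryd",
    "mac": "/usr/local/bin/osqueryd",
}


def _parts(platform, path):
    """Split a path into normalized components (case-folded on Windows)."""
    cls = PureWindowsPath if platform == "windows" else PurePosixPath
    parts = cls(path).parts
    return [p.lower() for p in parts] if platform == "windows" else list(parts)


@dataclass
class Audit:
    platform: str
    covered: bool = False        # some entry covers the recommended path
    exact: bool = False          # an entry matches the recommended path exactly
    over_broad: list = field(default_factory=list)  # ancestors of the path (too wide)
    wildcards: list = field(default_factory=list)   # pattern entries, flagged for review


def audit_exclusions(platform, configured):
    """Compare the configured exclusion entries with the recommended path.

    An entry that is an ancestor directory of the recommended path still
    covers osquery, but it also hides everything else beneath it from the
    AV engine, so it is reported as over-broad rather than accepted.
    """
    rec = _parts(platform, RECOMMENDED[platform])
    result = Audit(platform)
    for entry in configured:
        if "*" in entry or "?" in entry:
            # Wildcard scopes are hard to reason about; surface them for review.
            result.wildcards.append(entry)
            continue
        parts = _parts(platform, entry)
        if parts == rec:
            result.exact = True
            result.covered = True
        elif len(parts) < len(rec) and rec[: len(parts)] == parts:
            result.covered = True
            result.over_broad.append(entry)
    return result


def summarize(audit):
    """Render one audit as a short status line."""
    if audit.exact and not audit.over_broad and not audit.wildcards:
        return f"{audit.platform}: OK (exact exclusion present)"
    issues = []
    if not audit.covered:
        issues.append("osquery path not excluded")
    if audit.over_broad:
        issues.append("over-broad entries: " + ", ".join(audit.over_broad))
    if audit.wildcards:
        issues.append("wildcard entries: " + ", ".join(audit.wildcards))
    return f"{audit.platform}: REVIEW ({'; '.join(issues)})"


if __name__ == "__main__":
    # Constructed sample exclusion lists, as an AV console export might contain.
    samples = {
        "windows": ["C:\\Program Files\\uptycs\\osquery\\"],
        "linux": ["/usr/bin", "/tmp/*"],
        "mac": ["/opt/osquery"],
    }
    for platform, entries in samples.items():
        print(summarize(audit_exclusions(platform, entries)))
```

Run the script as-is to see the three sample verdicts; in practice the sample lists would be replaced by an export from the AV console, and the "REVIEW" lines are the ones to act on.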

Additionally, customers need to pay attention to these considerations:

1. On macOS: Cylance ENDPOINT is completely incompatible with Uptycs Protect. If Cylance is installed, the Uptycs Protect extension may become unstable and cause issues such as high CPU usage or network interruptions. With the 5.9.2.x release, Uptycs Protect will refuse to load if Cylance is installed.

2. On Windows: CrowdStrike is known to generate false positives when the osqueryd process opens a handle to other processes in order to inspect them. Customers are encouraged to either exclude osqueryd from CrowdStrike completely or add an exception to the rules that flag osqueryd as malicious when it opens a handle to other processes.
