
AV/EDR False Detections

Guide on handling false positive detections of Level by antivirus or EDR software, including exclusion paths and best practices.

Updated yesterday

Handling AV/EDR False Detections

Antivirus (AV) and Endpoint Detection and Response (EDR) software may occasionally flag Level as a potential threat. This is common with Remote Monitoring and Management (RMM) tools due to their ability to manage systems remotely.

Adding Level to the Trust/Exclusion List

To ensure the smooth operation of Level, add the following paths to your security software’s trust or exclusion list:

Windows

C:\Program Files\Level\level.exe

C:\Program Files\Level\level.update

C:\Program Files\Level\.level.exe.new

C:\Program Files\Level\.level.exe.old

macOS

/Applications/Level.app/Contents/MacOS/level

Linux

/usr/local/bin/level

Best Practices for Exclusions

  • Consider exclusion type based on your environment:

    • Certificate-based exclusions provide better security as they only allow properly signed Level software

    • Path-based exclusions are more practical with Level's weekly updates as hash-based exclusions would require frequent maintenance

  • Exclude only the specific Level executable, not entire folders, to minimize security risks.

  • Regularly review and update exclusions after Level updates, as security software may reclassify new versions.

Certificate Information for Security Exclusions

When configuring certificate-based exclusions in your security software, use the following certificate information for Level:

Publisher Information

  • Publisher: Level Software, Inc.

  • Issuer: DigiCert, Inc.

  • Serial: 0d7a416a2936f4d3ba64975e60ba4067

Certificate Hash Values

  • SHA-1: 3C002DCBBCB603AE08699F4CEF973864AEB16860

  • SHA-256: C88A3F8B7EA59A25C8090B205AE00CCADA22A6F452B202080B4573E347D6354C

How to Extract and Use Certificate Information

  1. Navigate to the folder: C:\Program Files\Level (on Windows)

  2. Right-click on the level.exe file and select Properties

  3. Click on the Digital Signatures tab

  4. Select the signature labeled "Level Software, Inc." and click Details

  5. Click View Certificate to access the signing certificate details

  6. In your security software, locate the certificate exclusion or allowlisting feature

  7. Add an exclusion based on the publisher name or certificate hash

  8. Verify the exclusion is properly applied by checking your security software's logs

Certificate-based exclusions are more secure than path-based exclusions as they ensure only properly signed Level software will be permitted to run, regardless of installation location. To verify authenticity, ensure that the certificate details you extract match the publisher information and certificate hash values listed above.
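
The same check can be scripted instead of read from the Properties dialog. The following is an added example, not part of Level's documentation or code: it compares the Authenticode signer of level.exe with the publisher, serial and hash values published on this page. The function name Test-LevelSigner is hypothetical, and it assumes that the publisher name is the certificate's common name and that the SHA-256 value is the hash of the DER-encoded certificate.

```powershell
# Added example, not Level's code. Expected values are copied from this page.
$LevelSigner = @{
    Publisher = 'Level Software, Inc.'
    Serial    = '0d7a416a2936f4d3ba64975e60ba4067'
    Sha1      = '3C002DCBBCB603AE08699F4CEF973864AEB16860'
    Sha256    = 'C88A3F8B7EA59A25C8090B205AE00CCADA22A6F452B202080B4573E347D6354C'
}

function Test-LevelSigner {
    param(
        [string]$Path = 'C:\Program Files\Level\level.exe',
        [hashtable]$Expected = $LevelSigner
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        # Unsigned file: nothing to compare, report the status and stop.
        return [pscustomobject]@{ Path = $Path; Status = [string]$sig.Status; Match = $false }
    }
    # Assumption: the page's SHA-256 is the hash of the DER-encoded certificate.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $sha256 = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
    } finally {
        $sha.Dispose()
    }
    # Assumption: the publisher name is the certificate subject's common name.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $result = [ordered]@{
        Path           = $Path
        Status         = [string]$sig.Status
        SignatureValid = ($sig.Status -eq 'Valid')
        PublisherMatch = ($cert.GetNameInfo($nameType, $false) -eq $Expected.Publisher)
        SerialMatch    = ($cert.SerialNumber -eq $Expected.Serial)   # -eq ignores case
        Sha1Match      = ($cert.Thumbprint -eq $Expected.Sha1)
        Sha256Match    = ($sha256 -eq $Expected.Sha256)
    }
    # Overall verdict: the signature verifies and every published value matches.
    $result.Match = $result.SignatureValid -and $result.PublisherMatch -and
                    $result.SerialMatch -and $result.Sha1Match -and $result.Sha256Match
    [pscustomobject]$result
}

Test-LevelSigner | Format-List
```

The per-field results show which value differs when Match is False, which helps separate a changed certificate from an unsigned or tampered file.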

Why AV/EDRs Flag RMMs

EDRs have begun classifying RMMs as "Potentially Unwanted Programs" (PUPs) by default. This is a security measure designed to prevent unauthorized remote access. While inconvenient, this classification is understandable—any unauthorized RMM running on your network should be flagged immediately.

Our stance: EDRs should block any unapproved RMMs to protect your infrastructure. If you’ve chosen to use Level, it’s reasonable to create an exception for it in your security software.

This makes sense if you think about it. RMMs provide remote access to your endpoint. You can use remote control and background management, change settings, run arbitrary scripts, run automations, and more.

If a hacker gained access to your endpoint and installed a random RMM, you would expect that to be blocked.

For a deeper discussion on this topic, check out our blog: EDRs Distrust RMMs, and That’s OK

Microsoft Defender has historically flagged Level as a PUP, though Microsoft has acknowledged and resolved some false-positive issues in recent definition updates. Nevertheless, maintaining proper exclusions is still necessary to avoid disruptions to Level's functionality.

More Background

The reality is we have had some bad actors use Level as a tool for their bad actions (it turns out even bad actors like good tools). These activities have caused us to be viewed suspiciously by EDR vendors (as they should). We are constantly working with these vendors to make sure we are classified properly. We have also implemented measures to make it much harder for bad actors to use Level in this way.

Windows Defender Exclusions

Below is a PowerShell script that you can leverage to add exclusions for Level in Windows Defender. We've provided links to import the PowerShell script or Automation into your account to add exclusions to your endpoints (as long as they are still manageable).

Automation Import

Script Import

PowerShell Script - Windows Defender Exclusion

<#
This resource is provided as a convenience for Level users. We cannot
guarantee it will work in all environments. Please test before deploying
to your production environment. We welcome contributions to our community
library

Level Library
https://level.io/library
#>

# Define paths to exclude
$paths = @(
    "C:\Program Files\Level\level.exe",
    "C:\Program Files\Level\level.update",
    "C:\Program Files\Level\.level.exe.new",
    "C:\Program Files\Level\.level.exe.old"
)

# Add temporary file paths
$tempInstallPath = Join-Path ([System.IO.Path]::GetTempPath()) "install_level.exe"
$tempWindowsAmd64Path = Join-Path ([System.IO.Path]::GetTempPath()) "level-windows-amd64.exe"
$paths += $tempInstallPath
$paths += $tempWindowsAmd64Path

# Add path exclusions
foreach ($path in $paths) {
    Add-MpPreference -ExclusionPath $path -ErrorAction SilentlyContinue
}

# Add process name exclusion
Add-MpPreference -ExclusionProcess "level.exe" -ErrorAction SilentlyContinue
Add-MpPreference -ExclusionProcess "level.msi" -ErrorAction SilentlyContinue
Add-MpPreference -ExclusionProcess "install_level.exe" -ErrorAction SilentlyContinue
Add-MpPreference -ExclusionProcess "level-windows-amd64.exe" -ErrorAction SilentlyContinue

# Display confirmation
Write-Output "Current Exclusion Paths:"
(Get-MpPreference).ExclusionPath

Write-Output "`nCurrent Exclusion Processes:"
(Get-MpPreference).ExclusionProcess
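
For the periodic review recommended under Best Practices for Exclusions, the following added example (not part of Level's script) lists the Level-related Microsoft Defender path exclusions, flags wildcard and folder-wide entries and paths outside this page's documented list, and reports the signature state of the file currently at each path. The function name Get-LevelExclusionReview and the "level" substring filter are assumptions; the two temp-folder installer paths added by the script above will be reported as not in the documented list.

```powershell
# Added example (not Level's script): review Level-related Microsoft Defender
# path exclusions. Run in an elevated PowerShell session.

# Windows paths documented on this page.
$documented = @(
    'C:\Program Files\Level\level.exe',
    'C:\Program Files\Level\level.update',
    'C:\Program Files\Level\.level.exe.new',
    'C:\Program Files\Level\.level.exe.old'
)

function Get-LevelExclusionReview {
    param(
        [string[]]$ExclusionPath = @((Get-MpPreference).ExclusionPath),
        [string[]]$Documented = $documented
    )
    # Heuristic filter (assumption): any exclusion whose path mentions "level".
    foreach ($p in ($ExclusionPath | Where-Object { $_ -match 'level' })) {
        $finding = 'OK: documented file path'
        if ($p -match '[*?]') {
            $finding = 'Review: wildcard exclusion'
        } elseif (Test-Path -LiteralPath $p -PathType Container) {
            $finding = 'Review: whole folder excluded'
        } elseif ($Documented -notcontains $p) {
            $finding = 'Review: not in the documented list'
        }
        # Signature state of whatever file currently sits at the excluded path.
        $status = 'absent'
        $signer = $null
        if (($p -notmatch '[*?]') -and (Test-Path -LiteralPath $p -PathType Leaf)) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $p
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Path      = $p
            Finding   = $finding
            Signature = $status
            Signer    = $signer
        }
    }
}

Get-LevelExclusionReview | Format-Table -AutoSize -Wrap
```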

Troubleshooting AV-Related Offline Issues

If devices appear offline when they’re actually powered on, the first step is to check for AV/EDR interference. Some security software, like SentinelOne and ESET, may block Level without logging any events. Excluding Level from AV scanning and monitoring for changes can help determine if this is the cause. If the issue persists, running the --check command while the device is online can provide more insight into what’s happening.

Common Troubleshooting Questions

  • What if my EDR still detects Level despite adding exclusions? Verify that you've added the appropriate hash, signer, or path correctly. For some EDRs like SentinelOne, path-based exclusions may work better than certificate-based ones.

  • What should I do if the signature details appear different? Double-check the certificate details extracted directly from your Level installation. Certificate details may vary slightly between versions.

Windows Command

& 'C:\Program Files\Level\level.exe' --check

macOS Command

sudo /usr/local/bin/level --check

Linux Command

sudo /usr/local/bin/level --check

Reporting False Positives

If your security software is blocking Level, please contact our support team. We actively work with security vendors to get Level added to their trust lists. For detailed guidance tailored to your AV/EDR configuration, you can schedule one-on-one assistance at: https://level.io/support.
