Handling AV/EDR False Detections
Antivirus (AV) and Endpoint Detection and Response (EDR) software may occasionally flag Level as a potential threat. This is common with Remote Monitoring and Management (RMM) tools due to their ability to manage systems remotely.
Adding Level to the Trust/Exclusion List
To ensure the smooth operation of Level, add the following paths to your security software’s trust or exclusion list:
Windows |
|
macOS |
|
Linux |
|
Best Practices for Exclusions
Consider exclusion type based on your environment:
Certificate-based exclusions provide better security, as they only allow properly signed Level software.
Path-based exclusions are more practical with Level's weekly updates, as hash-based exclusions would require frequent maintenance.
Exclude only the specific Level executable, not entire folders, to minimize security risks.
Regularly review and update exclusions after Level updates, as security software may reclassify new versions.
Certificate Information for Security Exclusions
When configuring certificate-based exclusions in your security software, use the following certificate information for Level:
Publisher Information
Publisher: Level Software, Inc.
Issuer: DigiCert, Inc.
Serial: 0d7a416a2936f4d3ba64975e60ba4067
Certificate Hash Values
SHA-1: 3C002DCBBCB603AE08699F4CEF973864AEB16860
SHA-256: C88A3F8B7EA59A25C8090B205AE00CCADA22A6F452B202080B4573E347D6354C
How to Extract and Use Certificate Information
Navigate to the folder: C:\Program Files\Level (on Windows)
Right-click on the level.exe file and select Properties
Click on the Digital Signatures tab
Select the signature labeled "Level Software, Inc." and click Details
Click View Certificate to access the signing certificate details
In your security software, locate the certificate exclusion or allowlisting feature
Add an exclusion based on the publisher name or certificate hash
Verify the exclusion is properly applied by checking your security software's logs
Certificate-based exclusions are more secure than path-based exclusions, as they ensure only properly signed Level software will be permitted to run, regardless of installation location. To verify authenticity, ensure that the certificate details you extract match the publisher information and certificate hash values listed above.
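The manual check above can also be scripted. The following is an added example, not part of Level's documentation or code: it reads the Authenticode signer of level.exe and compares it with the publisher, issuer, serial and hash values published in this article. The function names are hypothetical, and it assumes the published hashes are hashes of the signing certificate itself.

```powershell
# Added example, not Level's code. Expected values are copied from this article.
$Expected = @{
    Publisher = 'Level Software, Inc.'
    Issuer    = 'DigiCert, Inc.'
    Serial    = '0d7a416a2936f4d3ba64975e60ba4067'
    Sha1      = '3C002DCBBCB603AE08699F4CEF973864AEB16860'
    Sha256    = 'C88A3F8B7EA59A25C8090B205AE00CCADA22A6F452B202080B4573E347D6354C'
}

# Hypothetical helper: one result row per check.
function New-Check([string]$Name, $Actual, [bool]$Pass) {
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Actual = [string]$Actual }
}

function Test-LevelSignature {
    param([string]$Path = 'C:\Program Files\Level\level.exe')

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Check 'File exists' $Path $false
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    # Status is 'Valid' only if the file hash matches and the chain is trusted.
    New-Check 'Signature status' $sig.Status ($sig.Status -eq 'Valid')
    if (-not $cert) { return }

    # SHA-256 over the DER-encoded certificate; the SHA-1 equivalent is .Thumbprint.
    $hasher = [System.Security.Cryptography.SHA256]::Create()
    try {
        $sha256 = [System.BitConverter]::ToString($hasher.ComputeHash($cert.RawData)) -replace '-', ''
    } finally {
        $hasher.Dispose()
    }

    # Publisher and issuer are substring matches on the distinguished names;
    # -eq and -like are case-insensitive, so the lowercase serial still matches.
    New-Check 'Publisher' $cert.Subject      ($cert.Subject -like "*$($Expected.Publisher)*")
    New-Check 'Issuer'    $cert.Issuer       ($cert.Issuer -like "*$($Expected.Issuer)*")
    New-Check 'Serial'    $cert.SerialNumber ($cert.SerialNumber -eq $Expected.Serial)
    New-Check 'SHA-1'     $cert.Thumbprint   ($cert.Thumbprint -eq $Expected.Sha1)
    New-Check 'SHA-256'   $sha256            ($sha256 -eq $Expected.Sha256)
}

Test-LevelSignature | Format-Table -AutoSize
```

A failing name check with a valid signature status is worth investigating before any exclusion is created; a failing serial or hash on its own may only mean the signing certificate has been renewed since these values were published.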
Why AV/EDRs Flag RMMs
EDRs have begun classifying RMMs as "Potentially Unwanted Programs" (PUPs) by default. This is a security measure designed to prevent unauthorized remote access. While inconvenient, this classification is understandable—any unauthorized RMM running on your network should be flagged immediately.
Our stance: EDRs should block any unapproved RMMs to protect your infrastructure. If you’ve chosen to use Level, it’s reasonable to create an exception for it in your security software.
This makes sense if you think about it. RMMs provide remote access to your endpoint. You can use remote control and background management, change settings, run arbitrary scripts, run automations, and more.
If a hacker gained access to your endpoint and installed a random RMM, you would expect that to be blocked.
For a deeper discussion on this topic, check out our blog: EDRs Distrust RMMs, and That’s OK
Microsoft Defender has historically flagged Level as a PUP, though Microsoft has acknowledged and resolved some false-positive issues in recent definition updates. Nevertheless, maintaining proper exclusions is still necessary to avoid disruptions to Level's functionality.
More Background
The reality is we have had some bad actors use Level as a tool for their bad actions (it turns out even bad actors like good tools). These activities have caused us to be viewed suspiciously by EDR vendors (as they should). We are constantly working with these vendors to make sure we are classified properly. We have also implemented measures to make it much harder for bad actors to use Level in this way.
Windows Defender Exclusions
Below is a PowerShell script that you can leverage to add exclusions for Level in Windows Defender. We've provided links to import the PowerShell script or Automation into your account to add exclusions to your endpoints (as long as they are still manageable).
Automation Import
Script Import
PowerShell Script - Windows Defender Exclusion
<#
This resource is provided as a convenience for Level users. We cannot
guarantee it will work in all environments. Please test before deploying
to your production environment. We welcome contributions to our community
library
Level Library
https://level.io/library
#>
# Define paths to exclude
$paths = @(
    "C:\Program Files\Level\level.exe",
    "C:\Program Files\Level\level.update",
    "C:\Program Files\Level\.level.exe.new",
    "C:\Program Files\Level\.level.exe.old"
)
# Add temporary file paths
$tempInstallPath = Join-Path ([System.IO.Path]::GetTempPath()) "install_level.exe"
$tempWindowsAmd64Path = Join-Path ([System.IO.Path]::GetTempPath()) "level-windows-amd64.exe"
$paths += $tempInstallPath
$paths += $tempWindowsAmd64Path
# Add path exclusions
foreach ($path in $paths) {
    Add-MpPreference -ExclusionPath $path -ErrorAction SilentlyContinue
}
# Add process name exclusion
Add-MpPreference -ExclusionProcess "level.exe" -ErrorAction SilentlyContinue
Add-MpPreference -ExclusionProcess "level.msi" -ErrorAction SilentlyContinue
Add-MpPreference -ExclusionProcess "install_level.exe" -ErrorAction SilentlyContinue
Add-MpPreference -ExclusionProcess "level-windows-amd64.exe" -ErrorAction SilentlyContinue
# Display confirmation
Write-Output "Current Exclusion Paths:"
(Get-MpPreference).ExclusionPath
Write-Output "`nCurrent Exclusion Processes:"
(Get-MpPreference).ExclusionProcess
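Because the script above suppresses Add-MpPreference errors, and because the best practices call for file-level exclusions that are reviewed regularly, an audit of the resulting exclusion list is a useful follow-up. The following is an added example, not Level's code: the function name Compare-LevelExclusion and the sample list are constructed for illustration.

```powershell
# Added example, not Level's code. Paths mirror the exclusion script above.
# GetTempPath() resolves per account, so run this as the same account that ran that script.
$temp = [System.IO.Path]::GetTempPath()
$ExpectedPaths = @(
    'C:\Program Files\Level\level.exe',
    'C:\Program Files\Level\level.update',
    'C:\Program Files\Level\.level.exe.new',
    'C:\Program Files\Level\.level.exe.old',
    (Join-Path $temp 'install_level.exe'),
    (Join-Path $temp 'level-windows-amd64.exe')
)

function Compare-LevelExclusion {
    param([string[]]$Expected, [string[]]$Actual)

    # 1. Expected entries that never landed (the script hides Add-MpPreference errors).
    foreach ($p in $Expected) {
        $state = if ($Actual -contains $p) { 'Present' } else { 'Missing' }
        [pscustomobject]@{ Path = $p; Finding = $state }
    }
    # 2. Extra entries: folders that cover an expected file, or other Level-named paths.
    foreach ($p in $Actual) {
        if ($Expected -contains $p) { continue }
        $prefix = $p.TrimEnd('\') + '\'
        $covers = $Expected | Where-Object {
            $_.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
        }
        if ($covers) {
            [pscustomobject]@{ Path = $p; Finding = 'Folder-wide: narrow to the file' }
        } elseif ($p -match 'level') {
            [pscustomobject]@{ Path = $p; Finding = 'Not in expected list: review' }
        }
    }
}

# Constructed sample of what (Get-MpPreference).ExclusionPath might return.
$SampleActual = @(
    'C:\Program Files\Level',
    'C:\Program Files\Level\level.exe',
    'D:\Tools\level-old.exe'
)
Compare-LevelExclusion -Expected $ExpectedPaths -Actual $SampleActual | Format-Table -AutoSize

# Live check from an elevated session:
# Compare-LevelExclusion -Expected $ExpectedPaths -Actual (Get-MpPreference).ExclusionPath
```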
Troubleshooting AV-Related Offline Issues
If devices appear offline when they’re actually powered on, the first step is to check for AV/EDR interference. Some security software, like SentinelOne and ESET, may block Level without logging any events. Excluding Level from AV scanning and monitoring for changes can help determine if this is the cause. If the issue persists, running the --check command while the device is online can provide more insight into what’s happening.
Windows Command |
|
macOS Command | |
Linux Command | |
Common Troubleshooting Questions
What if my EDR still detects Level despite adding exclusions? Verify that you've added the appropriate hash, signer, or path correctly. For some EDRs like SentinelOne, path-based exclusions may work better than certificate-based ones.
What should I do if the signature details appear different? Double-check the certificate details extracted directly from your Level installation. Certificate details may vary slightly between versions.
Reporting False Positives
If your security software is blocking Level, please contact our support team. We actively work with security vendors to get Level added to their trust lists. For detailed guidance tailored to your AV/EDR configuration, you can schedule one-on-one assistance at: https://level.io/support.