AV/EDR False Detections

Guide on handling false positive detections of Level by antivirus or EDR software, including exclusion paths and best practices.

Updated yesterday

Handling AV/EDR False Detections

Antivirus (AV) and Endpoint Detection and Response (EDR) software may occasionally flag Level as a potential threat. This is common with Remote Monitoring and Management (RMM) tools due to their ability to manage systems remotely.

Adding Level to the Trust/Exclusion List

To ensure the smooth operation of Level, add the following paths to your security software’s trust or exclusion list:

Windows

C:\Program Files\Level\level.exe

C:\Program Files\Level\level.update

C:\Program Files\Level\.level.exe.new

C:\Program Files\Level\.level.exe.old

macOS

/Applications/Level.app/Contents/MacOS/level

Linux

/usr/local/bin/level

Best Practices for Exclusions

  • Use certificate signature exclusions when possible, rather than path-based exclusions.

  • Exclude only the specific Level executable, not entire folders, to minimize security risks.

  • Regularly review and update exclusions after Level updates, as security software may reclassify new versions.

Certificate Information for Security Exclusions

When configuring certificate-based exclusions in your security software, use the following certificate information for Level:

Publisher Information

  • Publisher: Level Software, Inc.

  • Issuer: DigiCert, Inc.

  • Serial: 0d7a416a2936f4d3ba64975e60ba4067

Certificate Hash Values

  • SHA-1: 3C002DCBBCB603AE08699F4CEF973864AEB16860

  • SHA-256: C88A3F8B7EA59A25C8090B205AE00CCADA22A6F452B202080B4573E347D6354C

How to Use This Information

  1. In your security software, locate the certificate exclusion or allowlisting feature.

  2. Add an exclusion based on the publisher name or certificate hash.

  3. Verify the exclusion is properly applied by checking your security software's logs.

Certificate-based exclusions are more secure than path-based exclusions as they ensure only properly signed Level software will be permitted to run, regardless of installation location.
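
Before adding an exclusion, you can confirm that the files at the Windows paths above are actually signed with the certificate listed in this article. The PowerShell below is an added example, not Level's own tooling; it assumes the SHA-1 and SHA-256 values above are hashes of the signing certificate itself (SHA-1 being what Windows reports as the thumbprint), and the function name Test-LevelSignature is hypothetical.

```powershell
# Added example. Expected values are copied from the certificate section of this article.
$Expected = @{
    Sha1   = '3C002DCBBCB603AE08699F4CEF973864AEB16860'
    Sha256 = 'C88A3F8B7EA59A25C8090B205AE00CCADA22A6F452B202080B4573E347D6354C'
    Serial = '0d7a416a2936f4d3ba64975e60ba4067'
}
# Windows paths from the exclusion list in this article.
$Paths = 'C:\Program Files\Level\level.exe',
         'C:\Program Files\Level\level.update',
         'C:\Program Files\Level\.level.exe.new',
         'C:\Program Files\Level\.level.exe.old'

function Test-LevelSignature {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{ Path = $Path; Result = 'NotPresent'; Detail = '' }
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $Path
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) {
            # No Authenticode signer found (unsigned, or not a signable file type).
            $result.Result = 'Unsigned'
            $result.Detail = $sig.StatusMessage
        } else {
            # Thumbprint is SHA-1 over the DER certificate; compute SHA-256 over the same bytes.
            $sha = [System.Security.Cryptography.SHA256]::Create()
            try     { $sha256 = [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', '' }
            finally { $sha.Dispose() }

            # String comparisons with -ne are case-insensitive, so hex case does not matter.
            $problems = @()
            if ($sig.Status -ne 'Valid')                 { $problems += "signature status $($sig.Status)" }
            if ($cert.Thumbprint -ne $Expected.Sha1)     { $problems += "SHA-1 $($cert.Thumbprint)" }
            if ($sha256 -ne $Expected.Sha256)            { $problems += "SHA-256 $sha256" }
            if ($cert.SerialNumber -ne $Expected.Serial) { $problems += "serial $($cert.SerialNumber)" }

            $result.Result = if ($problems.Count) { 'Mismatch' } else { 'Match' }
            $result.Detail = if ($problems.Count) { $problems -join '; ' } else { $cert.Subject }
        }
    }
    [pscustomobject]$result
}

$Paths | ForEach-Object { Test-LevelSignature -Path $_ } | Format-Table -AutoSize -Wrap
```

A result of Unsigned or Mismatch at one of these paths means a path-based exclusion would trust a file that the certificate-based exclusion would not, so resolve it before excluding that path.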

Why AV/EDRs Flag RMMs

EDRs have begun classifying RMMs as "Potentially Unwanted Programs" (PUPs) by default. This is a security measure designed to prevent unauthorized remote access. While inconvenient, this classification is understandable—any unauthorized RMM running on your network should be flagged immediately.

Our stance: EDRs should block any unapproved RMMs to protect your infrastructure. If you’ve chosen to use Level, it’s reasonable to create an exception for it in your security software.

This makes sense if you think about it. RMMs provide remote access to your endpoint. With one, you can take remote control, perform background management, change settings, run arbitrary scripts, run automations, and more.

If a hacker gained access to your endpoint and installed a random RMM, you would expect that to be blocked.

For a deeper discussion on this topic, check out our blog:
EDRs Distrust RMMs, and That’s OK

Troubleshooting AV-Related Offline Issues

If devices appear offline when they’re actually powered on, the first step is to check for AV/EDR interference. Some security software, like SentinelOne and ESET, may block Level without logging any events. Excluding Level from AV scanning and then monitoring for changes can help determine if this is the cause. If the issue persists, running the --check command while the device is online can provide more insight into what’s happening.

Windows Command

& 'C:\Program Files\Level\level.exe' --check

macOS Command

sudo /usr/local/bin/level --check

Linux Command

sudo /usr/local/bin/level --check

Reporting False Positives

If your security software is blocking Level, please contact our support team. We actively work with security vendors to get Level added to their trust lists.
