Identify antivirus software on your hosts

Technical preview

This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features.

Third-party antivirus (AV) software installed on your hosts can interfere with Elastic Defend. To mitigate issues with running third-party AV alongside Elastic Defend, you first have to identify which AV is present.

After you’ve installed Elastic Defend on one or more hosts, you can use Endpoint Insights to check whether your endpoints have third-party AV software installed. Using the same kinds of large language model (LLM) connectors as Elastic AI Assistant, Endpoint Insights can analyze file event logs from your hosts to determine whether antivirus software is present. From there, you can address any incompatibilities to make sure your endpoints are protected.

Requirements

To use this feature, you need:

  • A Security Analytics Complete subscription.
  • The Endpoint Insights: Read or Endpoint Insights: All security sub-feature privilege.
  • A working LLM connector for AI Assistant.

Scan your hosts for AV software ¶

  1. Find Endpoints in the navigation menu or use the global search field.
  2. Click on an endpoint to open its details flyout, then under Endpoint Insights, click Endpoint Insights scan.
  3. Select an LLM connector, or add a new one.
  4. Click Scan. After a brief processing period, any detected AV products will appear under Insights.
Endpoint Insights results with the "Create trusted app" button highlighted

Resolve incompatibilities ¶

After a scan has completed, you can click the Create trusted app button to the right of a result to quickly add the associated AV program to Elastic Defend's trusted applications list. If the button is not clickable, you don’t have the required privilege.

Important

If you plan to use Elastic Defend alongside third-party AV software, we recommend you that you both allowlist Elastic Endpoint in your AV and make the AV a trusted application.