KB N°15: Olfeo SaaS agent integration with EDRs/Antivirus

Published May 30, 2024

Context

The aim of this article is to ensure that the Olfeo SaaS solution coexists properly with all EDRs/antiviruses. In some cases they can disrupt the installation of the Olfeo SaaS agent, user authentication, or the fluidity of Web browsing. To address these issues, here are the measures that can be implemented on a case-by-case basis.

Installing the Olfeo SaaS workstation agent

To prevent the Olfeo SaaS agent installation from being blocked, it may be necessary to exclude the Olfeo SaaS agent installation .msi from EDR analysis, as well as the directories used by the agent:

  • For Windows:
    • C:\Program Files\trustlane (contains the binary of the agent itself and the systray)
    • C:\ProgramData\trustlane (contains configuration files)
  • For macOS:
    • /usr/local/bin (contains the agent binary and the systray)
    • ~/Library/ (contains configuration files)

Please note: if the directory containing the configuration files is not excluded, some EDRs may also block the user authentication phase.

Example with Kaspersky and the exclusion of the directory C:\ProgramData\trustlane:

Example with Kaspersky and the exclusion of the Olfeo SaaS agent .msi:
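The same exclusions, scripted for the built-in Windows Defender antivirus as an added example (this is not an Olfeo script, and the article itself only shows Kaspersky and Trend Micro). It assumes the Defender cmdlets are available and that the installer is staged at a placeholder path; the directory paths are the ones listed above.

```powershell
# Added example: scope Defender exclusions to the Olfeo SaaS agent paths from the article.
# Assumption: Windows Defender with its Add-MpPreference / Get-MpPreference cmdlets.
#Requires -RunAsAdministrator

# Directories from the article.
$agentDirs = @(
    'C:\Program Files\trustlane',   # agent binary and systray
    'C:\ProgramData\trustlane'      # configuration files (needed during authentication)
)
# Placeholder location and file name for the staged installer: adjust to your own.
$agentMsi = 'C:\Temp\olfeo-saas-agent.msi'

$targets = $agentDirs + $agentMsi

# Exclude exact paths only: never a whole drive, a wildcard, or the .msi extension globally.
# Everything under an exclusion is a detection blind spot, so keep it as narrow as possible.
foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not present yet: $path (exclusion added anyway so it covers install time)"
    }
    Add-MpPreference -ExclusionPath $path
}

# Verify what is actually in effect, so a typo (e.g. a lost backslash) is caught immediately.
$effective = (Get-MpPreference).ExclusionPath
foreach ($path in $targets) {
    if ($effective -contains $path) {
        Write-Output "OK   excluded: $path"
    } else {
        Write-Output "MISS not excluded: $path"
    }
}

# Keep the exclusion list auditable: anything else on it deserves a second look.
$unexpected = $effective | Where-Object { $targets -notcontains $_ }
if ($unexpected) {
    Write-Output 'Other exclusions present:'
    $unexpected | ForEach-Object { Write-Output "  $_" }
}
```

On other EDRs the equivalent settings are made in the vendor console, as in the Kaspersky screenshots above; the verification step is the part worth reproducing there.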

Improve the fluidity of Web browsing

EDRs may need to communicate with their vendor's cloud services for several reasons:

  • Update their threat database
  • Verify authentication or license information
  • Issue reports and alerts
  • Event log storage
  • BDU administration
  • Transfer part of the threat analysis to the cloud in real time

Depending on the vendor, the flows generated by offloading part of the analysis to a third-party cloud in real time can have poor support for proxying. This can affect the fluidity of Web browsing. In such cases, we recommend letting these flows reach the vendor's cloud services directly, by excluding them from proxying. Refer to your EDR vendor's documentation to refine the list of FQDNs to exclude.

Example of excluding these flows for Trend Micro's EDR: