Managed EDR

Preliminary investigations are admittedly incredibly frustrating in their current state. Effectively we're being told: "something bad happened on a computer. We'll isolate and tell you more soon". But they take 15-30 minutes to update. During this time you don't know what activity triggered the detection. You don't even know the user that triggered the investigation. But Huntress does. Contact SOC Support? Oh, you can't anymore - not while the investigation is in this state. Probably due to frustrated partners reaching out for status updates. Now the client is calling asking about why their computer is isolated. You tell them you're not sure yet, but we've got to wait for Huntress to update us. So 15-30 minutes later the update comes. It's a false positive for a known good ScreenConnect install that was downloaded from the legit ScreenConnect website and has been used for years in this organization. This needs to stop. Not sure who decided this was a good idea but it's frankly terrible for partners and clients. Either remove these in their current state or update them to provide the bare minimum amount of information (process detection, user, etc.). This way we can at least have information to provide the client and can evaluate potential false positives

Adding credential theft monitoring seems like an easy fit for Huntress and would kill off a competitor service too.

It would be extremely helpful if agents that remain unresponsive for a certain period could automatically transition into a non-billable state. We’ve noticed that in co-managed environments where customers handle their own device refresh cycles - devices are sometimes wiped and shelved when a user leaves, but the Huntress agent isn’t uninstalled. This results in continued billing for inactive devices. Ideally, if an agent remains unresponsive beyond a defined threshold, it would be marked as non-billable. Should the device come back online or re-register, billing and protection could automatically resume.

Perhaps changing the placeholder "Windows 10 Pro" to "Awaiting Survey" for endpoints that haven't been surveyed after installation could help avoid confusion.

We would love to use Huntress as our MEDR but unable to utilize as long as the datacenters are located outside of Canada. Please setup a Canadian datacenter so we can enjoy the use of your product.

A path for submitting an email for analysis and potential integration with the SAT platform if it is a legitimate phishing campaign. This could help validate user training and also provide better feedback for why a message was classified the way it is. However this may be something where an alternative is tapping into the telemetry from Microsoft to capture and visualize if a user is being targeted by phishing more than others and potential escalation to ensure accounts are sufficiently monitored/locked down.

Hi Huntress Support Team, we would like to request the ability to disable the notification that is triggered when an agent is uninstalled due to inactivity. In our environment, this alert generates unnecessary noise for cases where uninstalls are expected or intentional. A toggle to suppress this specific notification type would be very helpful. Could you let us know if this is already configurable, or whether this can be considered as a feature request? Thanks and best regards,

Ability to deploy canaries to network drives/custom locations

The current release notes at https://support.huntress.io/hc/en-us/articles/19223729361939-Huntress-Release-Notes-and-Agent-Version are woefully insufficient for tracking changes and bug fixes in the product. As an example, .14.132 for Windows included changes to the EDR Health API so it is available immediately upon install and no longer dependent on Rio, but this isn't mentioned anywhere in the release notes. So if I was trying to see when this update shipped, I would have no idea. Bug fixes and improvements should be listed in the release notes. They don't have to be extremely detailed, but it would be good to see these details and track specific improvements to the product.

It would be invaluble for huntress to be able to mark a file as tamper-proof/offer tamper protection for various system files. We had a TA bypass DUO by pushing changes to the host file and flooding the API to localhost .