Tom here from Lawrence Systems, and we're gonna talk about Huntress Labs. So I did a review back in May of 2019 and that's actually what led me to meeting the people and becoming even more friendly, so to speak, with the folks at Huntress Labs, which has been a real fun and interesting journey. Now that needs to be said because I started using their product and then I became more friendly with them and someone's gonna say, well, you're just biased and tooting their horn. That's fine. I like to get that out of the way that yes, I'm biased, because while I pay for the privilege of using the product, it is a product that we have included in our stack of security tools, which does include SentinelOne. I bring that up because people can't figure out sometimes why I would use both products, but that's why they say defense in depth and layers of security. Huntress Labs has become our kind of go-to for onboarding a system, for example. I want to know what's on it. Huntress Labs has done a great job of letting me know whether or not that system has, well, some bad stuff on it or some footholds of threats, etc., that are on there. It's actually done a great job before we start deploying the tools, and sometimes they fail to deploy when there's problems with the computer. And if anyone's dealt with onboarding clients, you know exactly what I'm talking about: the mystery of what is there before you put your tools on. It's a lot of discovery work. Huntress seems to make that a little bit easier for us. I want to get out of the way as well that Huntress is not targeted just for individuals to buy. It is targeted towards large IT teams that have thousands of endpoints to manage, or managed service providers like ourselves that manage lots of different clients. And we need a dashboard and a central way to get threat intelligence information, or if there's been a change to the startup programs or a foothold in one of our client machines, it is a way for us to manage it.
Like I said, it's just not something that the individual user can just go buy. So I'm not going to cover that. And also, I'm not going to cover pricing. Call the salesperson for that. If I put the price in here, you're just going to get a bunch of people that I know will be angry at Huntress going, Tom said, and then a bunch of people call them and say, Tom said the price. Your price varies based on when you're watching this video and then making the call to Huntress; your price varies on how many endpoints. Do you have a thousand, 10,000, 50,000? You're going to get better pricing with higher quantities. And if you blow certain thresholds, sorry, they're probably going to refer you to some other place because, well, they're not there to manage individual users. All right, I've time-indexed everything down below for those of you that don't want to dive into every piece of this, but just want to know what the dashboard looks like. I got a lot to cover. But let's get started with a little bit of philosophy. And I don't know. I can't help it. But I'll start with this. People don't buy what you do. They buy why you do it, and what you do simply proves what you believe. And there are two ways to influence human behavior. You can manipulate it or you can inspire it. And I actually have a lot I think about when I'm looking at different companies. And the way I met Huntress is their blog. They'd actually posted about real security issues and not a sales pitch of "this is a security problem, our tool would have fixed it" type blog posts. They have really good threat intelligence. They're not the only people doing this. But this is something I really respect for a lot of companies. As a matter of fact, that is how I found out about their product: a blog post about a security breach and a tool that we use in our industry. Their write-up was really good. The write-up had nothing to do with, well, anything related to them solving the problem. They were just diving into the problem.
Matter of fact, they are sometimes on the other side reporting the problem, doing the testing and working on raising the bar for security. This is something throughout Huntress, throughout all the people I meet there. Their CEO and everyone down that I've met all have the same theory of let's raise the bar for security, get threat intelligence data out there. And it's been a real fun, engaging back and forth with them because they had questions on a tool where they'd seen a compromise. Once again, not a solution they were looking for. They wanted to know how this compromise happened. And I was, well, well versed in the tool. So I had done some videos, for example, on ScreenConnect, one of the tools we use in our MSP stack. And this tool, well, it's really powerful. And they had seen it used in something they were working on, where someone had a lot of systems ransomed and realized that the ScreenConnect system had been breached, not because of a flaw in ScreenConnect, but because of not properly securing and locking it down. So they contacted me and I went through some things and then I made some videos related to it. This just shows their concern about security. They do their Tradecraft Tuesdays, etc. And I'm going to quit ranting about it, but I want to give you that as an idea. So yeah, I am a little biased towards the product, but it's also because they put out a lot of good intelligence reports and things that help you raise the bar for security, including a really big event they did earlier this year where they had quite a few people on there for their big online event for teaching and doing playbooks and walking you through what a breach would look like. All right, now enough bragging about all that. Let's talk about a few things in Huntress. But what is Huntress in terms of technical details? Isn't it just another antivirus? And that would be wrong. But does it conflict with antivirus? That's wrong, too.
Huntress is an endpoint detection tool that now offers remediation. And one of the reasons I wanted to update this review is because I said it was notice-only in that review, which it still is notice, but not only. They added the button for remediation, not automatic. But this is a change in the way they did things. They kept it very simple. So when Huntress notifies you of something, and we'll get into what the notices look like, it gives you remediation instructions. And then someone at Huntress goes, you know, we can make a button that just does these really simple instructions that said delete this file, delete this registry key. And now they give you that option. And it's referred to as a manual remediation because you have to manually go in there and click remediate. It's not like some mass automation. But I know, though, they have the ability to, if you work with them directly, push it en masse if there's some incredibly extreme circumstances, but generally speaking, if there's something minor that's found, or major, you can click remediate provided you can remediate. Like I said, we'll get into details of what that looks like. One of the things that makes Huntress different, though, is their lack of use of the buzzword AI. And I say that because there's a problem in the marketplace. Everyone thinks machine learning AI is the solution to security. And I live in the real world of 2020. And we know it's really not. And what I mean by that is how many throw the words, I don't know, machine learning, AI, around because it makes investors really excited. Because if you're an investor looking at a business process, you go, what does your business look like? How do you grow your company? Well, we just need more customers and more people. And then we can scale it because we have this AI machine that we just have to put more and more servers up to handle the workload that this AI will magically figure out and solve all of our security problems.
And why is that attractive to investors? Because the other way is not, where I go, we have to hire a lot of people, and investors go, oh, what kind of people? Just people that can follow a script? No, we need to hire really smart threat intelligence people that can really look at patterns and figure out what's different. And they go, oh, are those people easy to find? No, they're not. Well, now you have a problem. If you have AI, investors are excited. If you don't, they know there's a challenge there of finding really smart threat intelligence people. And I've got a joke. This is what security researchers are and why it's a challenge. There's not enough of them in the marketplace. It is a high-level skill set. It's not them saying anyone can't do it. There's not a lot of people doing it. And it takes a lot of thought and pattern recognition to do this. As much as we want to believe the AI systems are absolutely killer smart, right here is a video I did on how Skylight Cyber bypassed Cylance AI antivirus with a game. They concatenated two files together and bypassed an entire AI learning system that was the, you know, dear darling of all the news reports of how they've solved cybersecurity with AI and all kinds of other crazy claims that were then broken by a game. Now back to the other side of that. I think a lot of it is, you know, you're playing the game of who has the best threat researchers at any given moment. Once again, proven by their blog and proven by their interactions and their position in the market, Huntress has a really great, smart team of threat researchers from the top on down. And this is an incident that happened with SentinelOne. And I won't bore you with this particular video, but I'll leave a link to it for those of you who want to watch it. And it's an Emotet threat defense with SentinelOne and Huntress. And it's an incident that would have cost us a lot because something got through for a client.
And it was weird how just everything from mail filtering, everything along the line, missed. And Huntress caught it, but SentinelOne kind of said, I see something funky on this computer, but I'll let it run. And then things went south really quick. And I have a breakdown; I'll show you how Huntress notified on that, but I have that in that video as well, diving into that. And that's what I'm saying, where you sometimes use layers of security, because, well, it got through a couple layers, but then Huntress being a notification system told us, we took the machine offline and nothing bad happened; that machine was removed from the network before anything more terrible than that machine having to be removed from the network happened. And this is why we like it in part of our layers of defense. I really think they do a good job on the intelligence. Now let's dive into looking at exactly what their intelligence report looks like before I go into the dashboard. Now the reports and fancy color graphs are cool. And they have some neat features. And the manual investigation leads to what I was talking about: not just using AI, using actual people to do threat hunting. That's the part I really want to focus on because that's really difficult, but they have figured out a sauce to make this more actionable. And they're really proving themselves on it. So this is what a low severity incident looks like. This is what a report looks like. And I didn't feel like showing you my live dashboard because redacting things post-video is tedious when I scroll the screen. So this part will be slides. But yes, I will get to the dashboard, index down below. Like I said, Huntress detected the following potentially unwanted program (PUP) on one of the managed hosts. And this was, you know, the notice we got: low, good. And this was an onboarding. So it just says Windows Defender. We hadn't swapped out Windows Defender yet.
And Windows Defender was on there, but obviously didn't see anything at that time, and insert joke about Windows Defender not being good. But I'll argue with you: Windows Defender is actually a good antivirus, more on that later. But Huntress said, all right, here's the device, they send the link, you can attempt to use the built-in uninstaller often included with various PUPs, blah, blah, blah, you know, the remediation instructions. Then right here are the remediation instructions they give you; they're really clear. This comes as an email notice to us, but you can tie this to your RMM tool as well and get notices and tickets created. But this is all just pulled from the email. It gives you instructions on how to do it. And of course, a little button at the top, out of the screenshot, would allow us to remediate this and try removing it. So pretty straightforward. Now one thing I want to highlight here, though, down at the bottom: VirusTotal, one out of 71. They give you a VirusTotal link for the threat that they found. This is what's interesting. I also have the date up there, 5/8/20. On 12/20, yesterday, when I grabbed the screenshot, there were still only 16 out of 71 engines identifying this on VirusTotal as a threat. As in, on 5/8 there was only one, and now there are 16 of them. This is something I really want to drive home with people asking about how threat hunting works. The fact that they have really good security researchers, they are some of the first reporters of this. So it's early warning and they're not relying on just your average signature. They're actually taking it apart, because this requires that human level of intervention. Their system blocks out all the noise, so to speak, by taking and looking at verified things and narrows it down to things that aren't verified and looks at the behavior that's going on. And then if the behavior seems out of the norm, this is where the threat researchers actually dig in and determine this.
Now this is what a critical event looks like. And this is actually specifically related to that video that I did. So they found a host and it had an Emotet foothold. Also, please note SentinelOne is active on this particular system. They recommend wiping the host, so they don't just recommend, you know, do this or do that. They said wipe it. And this is exactly the action we took. When you see something with a critical severity on there, if it's at all possible, or try to make this possible, wipe and get rid of that system, go full, as I like to call it, nuke and pave. And we did remove the system off the network. And we found it really weird, cue video, but like I said about SentinelOne and how that chained out, which they fixed, whatever it was. Unfortunately, because of the mess of this system being taken off so quick, the sample files were inconclusive as to exactly how it got by SentinelOne. Sorry about that. Now this is what the remediation plan looks like. And this is another one that was found recently. That was just one of those driver update programs, if you've ever heard about this. This is what a manual, semi-manual remediation looks like, as in you still have to approve it: you can reject this plan, or you can approve it. And it's basically just going to follow those instructions that were sent when there's something to remove, to delete this or run the uninstaller. But this is crap that gets on people's computers. Once again, this is from an onboarding, you know, you don't know what all people have on their network. But you're probably going to find all kinds of interesting things. Huntress helps us shake that out when we're onboarding a new client. Investigations. Now I brought this one up, and this particular incident was like the service kernel driver NVIDIA KMS. And Matthew opened the investigation and Matthew closed it. Now sometimes it's the same person opening versus closing.
These are some of the behind-the-scenes quiet things, but you can get all these reports through the dashboard, where Huntress goes through and sees something on the computer that was unusual. They go, I don't know why it's doing that. That is, you know, messing with the kernel level. And that's what it said. Result of investigation: auto run was reclassified as reputable. The persistence mechanism was reclassified to reputable. The binary was reclassified to reputable. And the auto run category was set to "good" where it was "generic". And this is related to software licensing. Now the way they work internally is they're going to go through and they see something like this. They're going to classify it. And that way, once the binary hash is built for this, if it's found on this system, it's not going to be flagged on any other ones that also are loading those same drivers. Specifically, this one is the NVIDIA KMS tool, which is part of some DRM system on there. But when that NVIDIA update happened, this is what helps them really find these threats. For example, there's a new version of QuickBooks. We have tons of clients using it. Once they understand that new version, get the binary, make sure it's proper, it's working, it's validated, the certificate signed, you know, all the things that can be verified. And like I said, human-level intervention occasionally happening here. They go, all right, we know this isn't a threat and now we can whitelist it and keep this from being noisy. By the way, Huntress is not noisy. If we get notices, even for a PUP, that's really not a false positive; false positives are just really not a problem with Huntress. They keep their word about being quiet. You know, this is relevant because we all know everyone says it. Not everybody practices it. Now, this feature here, more on Microsoft Defender. I'll take all the hate in the comments down below. Defender is actually a pretty good tool.
And this is a new feature that they have added over at Huntress, which is AV Monitor beta. This is a beta feature, of course, like it says, but I really think this is neat. And this allows you to get statuses on Microsoft Defender: the anti-malware, anti-spyware, behavior analysis. Defender, shockingly, finds a lot of things on par with other high-end antivirus. Look at the scoring on it. You'll actually find Microsoft's done a reasonably good job of, well, I'd probably say even better than reasonable, a good job of building a better AV system than they used to have. I'm kind of fascinated by that. Who would have thought Microsoft had a good AV product? 2020 is weird. But it will check and determine if it's enabled. I can adjust some policies on here. And just one thing about Microsoft and Windows Defender is the interface is not wonderful for managing it. And someone's going to point out, well, they have these tools. I know Microsoft has them. If you've looked at the dashboard for some of the ATP tools, they're, well, not as good as I think they could be. We'll just leave it at that for now. But I do like that they're starting to get in here and notify you what the status of Defender is. Once again, this is also handy because it will tell us what Defender may have found. It'll actually give us some pulls, some registry information and some intel on Defender and its status. If it found some files in the past, once again, when we're onboarding, it's nice to go look, especially if the client was just using Defender, and start pulling that information out. It will recognize a few other antiviruses and at least pull some status information there. But I just want to mention it's a pretty neat feature. Now let's take a look at the dashboard. This is the demo account I set up just for this particular video. And it can give you an idea of what it looks like. And I only have one system in here. And we'll go through a couple of features.
So here's the lack of active incidents, because the one system I loaded, good news, doesn't have any problems, which is my gaming computer, which my staff named Peasant PC when they built it, where I helped build it, I guess, off topic for this. But here is the Peasant PC. Here is the internal IP address. Here is my external IP address of my house where this lives. Here are the auto runs that it finds that are malicious, suspicious, monitored. And here's all the different things it's taking a look at and monitoring, a few pages of stuff here. So we'll scroll through it. All right. And these are all the things that are indexed. And I can also dive into the details of each of these. If I'm curious myself, there's the binary, there's the persistence mechanism that keeps it there, etc., etc. And these are just where you can keep drilling down. And I really like this feature where I can look at the VirusTotal result, 0/72. You can dive into binaries and kind of go through and really have a good understanding of what this particular file is, and all the persistence levels to it. Go back over here to agents. One of the other things they have down here is the active incidents of footholds; these are where you're going to get your reports, diagnostics, and you can have these emailed to you, or as I said, integrated with whatever RMM tool you're using for management and opening tickets. This is really cool. It's the canaries. This is another feature they added that, well, costs nothing extra. This was exciting when they put these in: their ransomware canaries. And what canaries are, a canary in a coal mine, if you're not familiar with the term, is to send something in to see if something is happening. Kind of like that early warning notice, they set up these ransomware canaries and they are there looking for something to touch them. If something touches them, an alert is sent because they're not part of the normal files.
There are specifically generated files by Huntress to turn the canaries on. And like I said, this is not an upsell. This was a feature they added, which I think is cool. I like this one right here. And because of one agent, there's only one external IP address. There's a lot in our main dashboard. What this does is sum up all the external IP addresses and then let us know when there's changes, like a port opened up on one of these networks. And this may be an interesting way to discover things. One of the things that actually happened a lot here in 2020 with people taking their computers home is when they wander around to other networks, it pops up quite a bit, because they wander to a network that has open ports that wasn't the network that we set up, because they're working, you know, from home, and we find out that home routers frequently have open ports that really shouldn't be open. But it's kind of an interesting threat intelligence report, basically: it automatically scans if there's a port open and it summarizes it all right here on any of the endpoints and the public IP address that they're behind. This is just a new feature they added; once again, there's no upsell. It was something they turned on for me. Now reports and analytics, there's not going to be much in here, but they do a solid job of reporting and giving you summaries and cool graphics and things like that for those of you that really like that kind of thing. And unfortunately, I can't do the demo, but they have some of the managed antivirus and what they're doing here for the Microsoft Defender antivirus beta and overview, and some ideas of what it looks like, which are pretty cool. So you can look through and see, here's the status, here's where it's disabled on these computers, unsupported operating system type, etc., etc. It gives you some pretty good intelligence. This is, like I said, a beta feature, including creating exclusions, extensions and doing this all from a dashboard.
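The ransomware canary idea described above (decoy files that are not part of the normal data set, with an alert raised the moment anything touches them) can be shown in a few dozen lines. The following is an added example written for this transcript; it is not Huntress's code and makes no claim about how their canaries are implemented. The decoy names, the temporary directory and the simulated "encryption" (an overwrite, a rename to a new extension and a dropped note file) are all constructed so the check runs offline; the detection logic is a baseline of size plus SHA-256 per canary, re-checked on demand, with any missing, modified or unexpected sibling file reported.

```python
"""Ransomware canary check (added example, not Huntress's own code).

Plants decoy files in a directory, records a baseline of size and SHA-256
for each, then re-checks the directory. A canary "trips" if it is missing
(deleted or renamed), modified (overwritten/encrypted in place), or if an
unexpected new file appears beside it (an encrypted copy or a ransom note).
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy names: chosen to look like ordinary user data so that an
# encryptor walking the directory will touch them before or with real files.
CANARY_NAMES = ["~$budget_2020.xlsx", "passwords_backup.docx", "_aaa_canary.txt"]


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large canaries do not load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root: Path) -> dict:
    """Create the decoy files and return the baseline {name: {size, sha256}}."""
    baseline = {}
    for name in CANARY_NAMES:
        p = root / name
        # Random tail so every deployment's canaries have distinct hashes.
        p.write_bytes(b"CANARY " + name.encode() + b"\n" + os.urandom(256))
        baseline[name] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return baseline


def check_canaries(root: Path, baseline: dict) -> list:
    """Compare the directory against the baseline; return a list of alert dicts."""
    alerts = []
    for name, rec in baseline.items():
        p = root / name
        if not p.exists():
            alerts.append({"file": name, "reason": "missing"})
            continue
        # Size is a cheap first check; the hash catches same-size overwrites.
        if p.stat().st_size != rec["size"] or sha256_of(p) != rec["sha256"]:
            alerts.append({"file": name, "reason": "modified"})
    # Anything new next to the canaries is suspicious: encrypted copies and
    # ransom notes typically land in the same directory.
    known = set(baseline)
    for p in root.iterdir():
        if p.name not in known:
            alerts.append({"file": p.name, "reason": "unexpected_new_file"})
    return alerts


def demo() -> tuple:
    """Plant canaries, run a clean check, simulate an encryptor, re-check.

    Returns (alerts_before, alerts_after). The simulation is constructed for
    the example: one canary overwritten, one renamed with a new extension,
    and a note file dropped beside them.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = plant_canaries(root)
        clean = check_canaries(root, baseline)
        (root / CANARY_NAMES[0]).write_bytes(b"\x00" * 512)
        (root / CANARY_NAMES[1]).rename(root / (CANARY_NAMES[1] + ".locked"))
        (root / "README_DECRYPT.txt").write_text("constructed note for the example")
        tripped = check_canaries(root, baseline)
    return clean, tripped


if __name__ == "__main__":
    before, after = demo()
    print("clean check:", before)
    for a in after:
        print(f"ALERT {a['reason']:<20} {a['file']}")
```

In a real deployment the baseline would live off the endpoint (otherwise the same process that encrypts the files can alter it), the check would run on a schedule or from a filesystem watcher rather than on demand, and a trip would feed the same notification path the transcript describes (email, RMM ticket) so the host can be isolated quickly.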
So from the Huntress dashboard, being able to manage certain easy AV aspects of Microsoft Defender, including, you know, creating like a global exclusion and pushing it. That's some pretty neat features and they're working on more and more features related to that. Now some final thoughts. I have been using Huntress for a while. I've been engaging with the Huntress team for a while, but I plan to also keep using Huntress for the foreseeable future so long as the product keeps working as good as it does. And I will of course make an updated video if for some reason something happens where they are not doing a good job. And this is what is so hard to evaluate in our industry. I'm so far happy with SentinelOne and Huntress combined as an endpoint protection as of right now, December of 2020; I would have had a different answer in previous years. And if you go back too long before I was on YouTube, that answer would have been different again. It's really difficult trying to pick a security product. I'm just adding my voice to the chorus of opinions. I know, I feel as though, as someone who works in this industry and manages a lot of endpoints, I like to throw, you know, this out there because I think some people may find value in it. And I'm not saying they're the only solution out there. Also, I don't have time, because it's such a difficult challenge, to review every potential solution. This is something I'm asked all the time: hey, Tom, you reviewed Huntress, can you review this competing product over here? I'm like, oh, sure, let's just throw this on all these endpoints, massively change it, all the work related to doing it, and see if something happens. By the way, something could happen that could get by. And then does that mean that product's bad, or would it have gotten by the other thing as well? This is a really hard question to answer.
And it's even harder when you talk about doing threat intelligence with malware, because once malware is known and I can get a known sample, the name itself implies that it's a known sample that many things will find. Therefore, sure, I can throw it at the system and maybe it finds it because it's known, maybe they have an updated database, or do we snapshot things in time and go, here's the known for today, when we had a snapshot of before they had the known, and can we apply it against there? But then is that really a fair test, because you're really trying to see how soon they understood something, or in fact the way a lot of these work, they're more watching for behaviors; that also adds another component to making these really, really difficult to be highly objective, I should say, when testing, as opposed to subjective testing. It's a real challenge and I don't have an easy answer for that. So I'm throwing my thoughts out there for Huntress, but I'm not downplaying the fact that you may have one that you claim is better. It may be better. I don't know. Like I said, it's really hard to be objective about it. So I'm just sharing out there what I use, why we use it and my whole thoughts on that whole process. All right, and thanks. And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to LawrenceSystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com where we can carry on the discussion about this video, other videos or other tech topics in general, even suggestions for new videos. They're accepted right there on our forums, which are free.
Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching and see you next time.