A taxonomy of computer agents, from EDR to accessibility-based automation
Huntress Agent is not malware. It is also not the only kind of agent on your computer.
If you searched this, you saw a process called something like HuntressAgent.exe in Task Manager (or huntmon in Activity Monitor on Mac) and wondered what it is doing there. Short answer: it is a managed detection and response service installed by whoever owns the machine. Long answer: the word "agent" on a modern computer means at least four very different things, and knowing which kind you are looking at tells you everything about whether to worry, whether to file an IT ticket, or whether to just leave it alone. This guide walks the taxonomy, then drops into the one layer most guides never reach: how a well-behaved Mac accessibility agent actually verifies its own permission, in code, using the same four-probe architecture Fazm ships.
The plain answer, first
Huntress Agent is the client-side component of Huntress Managed ITDR / EDR, a security product from Huntress Labs, Inc. It gets installed by an IT administrator or a managed service provider (MSP) onto endpoints they are responsible for. Once installed, it streams process, file, registry, and identity events to the Huntress cloud, where a SOC analyst pipeline looks for indicators of compromise.
It runs as a pair of Windows services, signed by Huntress Labs, living in C:\Program Files\Huntress\. On macOS the equivalent uses Apple's Endpoint Security framework and registers a signed System Extension. In both cases it is legitimate, signed, and deliberately hard to uninstall without the organization key.
If you bought the machine new, installed a clean OS, and never joined a corporate environment, Huntress Agent should not be on it. If it is, that is worth investigating. If you are on a work laptop or a machine your company provisioned, Huntress Agent being there is normal and expected, the same way Defender, CrowdStrike Falcon, or SentinelOne would be.
“The word 'agent' on a modern computer is overloaded. Huntress is one kind. Fazm is another. They share a name, nothing else.”
Fazm Desktop/Sources/AppState.swift, accessibility architecture
The four kinds of "agent" you see on modern machines
Every SERP result for this query talks about Huntress specifically. None of them step back and tell you that the word "agent" is doing a lot of work. Here are the four categories actually in use, and where each one lives.
EDR / MDR agents
Huntress, CrowdStrike Falcon, SentinelOne, Sophos, Defender ATP. Purpose: continuous security telemetry. Permission layer: Windows filter drivers or macOS System Extensions (Endpoint Security framework). Installed by: IT / MSP. Visible to the user as a system service.
RMM agents
NinjaRMM, ConnectWise Automate, Kaseya, Datto RMM. Purpose: remote management, patching, remote shell. Permission layer: privileged background service with LaunchDaemon (Mac) or SYSTEM service (Windows). Installed by: IT / MSP.
AI assistants
Native chat apps from model vendors, Copilot sidebars, cloud-first IDE plugins. Purpose: answer questions, write code. Permission layer: per-app sandbox, network egress to the vendor's API. No special OS hooks.
Automation agents
Fazm, Shortcuts, Rectangle, Keyboard Maestro. Purpose: drive other apps on the user's behalf. Permission layer: macOS Accessibility TCC + optional Screen Recording. User-space, signed, sandboxed by TCC.
Where each agent actually runs
The visible name in Activity Monitor or Task Manager tells you almost nothing. What matters is which OS-level permission the process holds. Four layers, four categories.
agent type → permission layer
Huntress vs Fazm, in one table
People sometimes conflate the two because both are called "agents" and both can potentially observe what you are doing on the machine. They are actually nothing alike.
| Feature | Huntress | Fazm |
|---|---|---|
| Category | EDR / MDR security | macOS automation / AI |
| Installed by | IT admin or MSP, via deployment tool | End user, downloads signed .app from fazm.ai |
| Permission layer | Windows filter driver / macOS Endpoint Security | macOS Accessibility TCC + optional Screen Recording |
| Runs as | Privileged service / LaunchDaemon | Regular signed .app in user space, no root |
| Kernel extension | Yes, via Endpoint Security on macOS | No |
| Can be uninstalled by user | No, requires organization key | Yes, drag to Trash + tccutil reset |
| Network destination | Huntress cloud SOC | Claude (Anthropic) via your own seat |
| Observes your screen via | OS telemetry events below the UI layer | macOS Accessibility tree (labeled elements) |
| Why it exists | Defend the machine | Let you automate your work |
How to triage any unfamiliar "agent" process, in five steps
This is the generic version of the thing you actually wanted when you searched. Works for Huntress, Fazm, and anything else.
Check the code signature
Every legitimate agent is signed by a known vendor. On macOS: codesign -dv --verbose=4 /path/to/app. On Windows: right click the .exe, Properties, Digital Signatures. If the signer is a known EDR/RMM/AI vendor, it is almost certainly benign. If the signature is invalid or absent, be suspicious.
Identify the install path
EDR agents live in vendor directories (C:\Program Files\<Vendor>\, /Library/Application Support/<Vendor>/). Fazm lives in /Applications/Fazm.app. Malware frequently lives in user-writable paths, temp directories, or randomly named subfolders. Path tells you a lot.
Check what permissions it holds
On macOS: System Settings > Privacy & Security. Walk every category (Accessibility, Screen Recording, Full Disk Access, Input Monitoring). If the agent has access it should not need, ask why. Fazm only appears in Accessibility, Screen Recording, and Microphone.
Trace what it is talking to
Open Little Snitch or use lsof -i -P -n | grep <process>. EDR agents talk to their vendor cloud on port 443. RMM agents do likewise. Automation agents like Fazm talk to the Anthropic API for model calls. Suspicious destinations (residential IPs, odd ports, C2-style domains) are a red flag.
Ask the owner of the machine
If this is a work machine, open a ticket with IT. If you bought it used, ask the seller. If it is your personal machine, check the install logs. The single most reliable triage signal is 'who put this here.' Nothing else beats that.
The anchor fact: how Fazm verifies its own permission, in code
If you are the kind of reader who wants something concrete: here is the piece of the Fazm source nobody else in the "agent on my computer" genre will ever show you. It is the core of how a well-behaved macOS accessibility agent keeps itself honest when the OS lies about its own permission state.
On macOS 26 (Tahoe), and to a lesser extent on Sequoia, the per-process TCC permission cache can return stale results after a re-sign, a macOS point update, or a bundle path change. A naive agent polls AXIsProcessTrusted() once, believes the answer, and breaks silently. Fazm runs four independent checks, in order, and only concludes the permission is broken when multiple layers agree.
Four layers, in the order Fazm actually runs them:
The probe, unpacked
- Layer 1. AXIsProcessTrusted() — the first-class TCC check. Trusted only when confirmed by layer 2.
- Layer 2. AXUIElementCopyAttributeValue on frontmost app's kAXFocusedWindowAttribute — a real AX call that only succeeds if the permission is actually alive.
- Layer 3. CGEvent.tapCreate on cgSessionEventTap with a mouseMoved event mask — bypasses the per-process TCC cache by hitting the live DB.
- Layer 4. Retry against Finder on .cannotComplete — disambiguates a stuck permission from an app-specific AX incompatibility (Qt/OpenGL apps).
Why layer 4 matters
If Fazm only ran layers 1 to 3, it would falsely conclude its permission was broken every time the user focused a Qt-based app like PyMOL, a Java Swing app, or certain OpenGL games. Those apps do not implement the Accessibility protocol correctly; every AX call against them returns .cannotComplete, which looks identical to a stuck TCC permission.
Layer 4 breaks the tie by re-running the same probe against Finder, a system app guaranteed to implement AX correctly. If Finder also fails, the permission is truly stuck and a restart is required. If Finder succeeds, the original failure was app-specific and can be ignored. This is the kind of detail no SERP competitor on "what is huntress agent on my computer" will ever write up, because they are not writing about real agents, they are writing paraphrases of Huntress's support page.
The retry policy, in numbers
When layer 2 says the permission is broken, Fazm does not immediately bother the user. It retries on a timer. The values are declared as static let constants at the top of AppState.swift.
Read that last number again. Fazm has 0 kernel extensions, System Extensions, or privileged helpers. Everything it does happens inside a regular signed user-space .app bundle. That is the single cleanest way to distinguish an accessibility-based automation agent from an EDR agent like Huntress: the absence of root-level components.
Inspect any agent yourself, from Terminal
You do not need Huntress's or Fazm's permission to ask what they are doing. Both macOS and Windows expose enough introspection from the command line to classify any agent. Here is the macOS version, run against Fazm as a worked example.
Run the same sequence against Huntress's bundle and you will see it listed in systemextensionsctl list. That is the difference in one command.
Why Fazm chose accessibility over screenshots
A lot of recent "AI computer-use" agents work a different way from Fazm. They take a screenshot, send the pixels to a cloud model, and ask "where should I click." The model infers where the Send button is from the pixel grid, returns coordinates, and the driver clicks those pixels. That approach has three structural problems: it is lossy (you throw away all the semantic information the OS already has), slow (a cloud roundtrip per action), and brittle (resolution changes, dark mode themes, and scroll position break coordinate inference).
Fazm reads the macOS accessibility tree directly. Every SwiftUI, AppKit, and well-behaved Electron app exposes a hierarchy of AXUIElement nodes, each with a role (AXButton, AXTextField, AXMenu), a title, a frame, and a set of actions. When a Fazm task says "click the Send button in Slack," the runtime queries the Slack process's AX tree, filters for AXRole == AXButton with a title containing "Send," and clicks the center of the reported frame. No screenshot, no pixel inference, no hallucinated coordinates.
This is also the reason Fazm works on every Mac app, not just the browser. Any app that ships a functional Accessibility implementation (all native macOS apps, most Electron apps, most modern Swift/AppKit apps) is readable. The product's ceiling is whatever Apple's AX API exposes, which is a lot.
Want to see the accessibility tree in motion?
Hop on a 20 minute call and we will show you the exact AX queries Fazm runs, live, against your apps. No slides, just the tree.
Book a call →Frequently asked questions
Frequently asked questions
Is Huntress Agent malware?
No. Huntress Agent is a legitimate managed detection and response (MDR) product from Huntress Labs, installed by your IT department or your employer's managed service provider (MSP). It sits at the filter driver / kernel telemetry layer on Windows and streams process, file, and registry events to Huntress's SOC for threat hunting. If you did not expect it, the right answer is not to panic or uninstall it. It is to ask the IT contact for the company that owns the machine what it is doing there.
Why do I see HuntressAgent.exe or HuntressUpdater.exe in Task Manager?
Huntress runs as a pair of Windows services: HuntressAgent.exe (the persistent telemetry service) and HuntressUpdater.exe (the self-update service). Both are signed by Huntress Labs and live in C:\Program Files\Huntress by default. If the digital signature checks out and the install path matches, you are looking at the real agent. Huntress also publishes a macOS version with a similar naming convention, but it uses Apple's System Extension and Endpoint Security framework rather than Task Manager visible services.
Can I uninstall Huntress Agent myself?
Usually no. Huntress ships with tamper protection and the uninstall process is gated by an organization key that only the IT admin has. This is deliberate. If you could uninstall it from a user account, malware could too. If you need it gone (personal device, you bought the laptop from a former employer, etc.), you have to contact the organization that registered the key. There is no legal bypass on a device you do not fully own.
Is Fazm the same kind of agent as Huntress?
No. Fazm and Huntress are both called 'agents' but they live in completely different permission layers. Huntress is an EDR agent: it installs a Windows filter driver (or on Mac, a macOS System Extension using the Endpoint Security framework) and watches the OS from underneath. Fazm is an accessibility-based automation agent: it runs as a regular signed macOS app, has no kernel components, and can only see what the macOS Accessibility API lets it see. One is security infrastructure; the other is a consumer productivity tool you install on purpose.
How do I tell what kind of 'agent' something on my computer is?
Four questions sort it. (1) Is it signed by a security vendor like Huntress, CrowdStrike, SentinelOne, Sophos, Defender ATP? That is an EDR agent. (2) Is it signed by an RMM vendor like NinjaRMM, ConnectWise Automate, Kaseya, or Datto? That is a remote management agent. (3) Does it declare access to the Accessibility TCC permission in macOS System Settings under Privacy & Security > Accessibility? That is either an AI assistant, a voice control tool, a window manager, or an automation agent. (4) Does its bundle ID live under an AI/LLM vendor? That is an AI assistant. Fazm falls into category 3: its bundle ID is com.fazm.app and it lives in the Accessibility pane next to Rectangle and Alfred.
What is the single most reliable way to check if a macOS agent has the permission it claims?
Read System Settings > Privacy & Security > Accessibility. That is the authoritative UI. But the underlying truth is held in the per-user TCC.db SQLite file at ~/Library/Application Support/com.apple.TCC/TCC.db. macOS ships a command-line tool, tccutil, to reset entries from that DB (e.g. 'tccutil reset Accessibility com.fazm.app'). Fazm itself uses tccutil internally when a user asks to reset permissions — see resetAccessibilityPermissionDirect in AppState.swift line 544. No amount of AXIsProcessTrusted() polling is a substitute for what the DB says.
Why does Fazm check accessibility permission four different ways?
Because AXIsProcessTrusted() lies. On macOS 26 (Tahoe) and to a lesser extent on Sequoia, the per-process TCC cache returns stale results after a re-sign, after a macOS point update, or when the app bundle path changes. Fazm's AppState.swift checkAccessibilityPermission (lines 310-371) first calls AXIsProcessTrusted. If that returns true, it verifies by calling AXUIElementCopyAttributeValue on the frontmost app's focused window. If that returns .cannotComplete, it re-checks against Finder to disambiguate between a broken permission and an app-specific AX incompatibility (Qt/OpenGL apps fail AX queries even when your permission is fine). If layer 1 returns false, it falls back to a CGEvent.tapCreate probe against cgSessionEventTap as a tie-breaker. One check would be wrong. Four checks together are right.
Does Fazm install a kernel extension, System Extension, or driver?
No. None of the above. Fazm is a regular notarized macOS app distributed as a .app bundle. It does not use DriverKit, it does not register a System Extension, it does not run an Endpoint Security client, and it does not install a launch daemon at the root level. Its permissions are strictly Accessibility, Screen Recording, and Microphone, granted per-user. The bridge to the Claude Code CLI runs in user space as a normal Node.js subprocess, not as a privileged helper.
If Huntress is on my machine and I install Fazm, will they conflict?
No. They run in orthogonal permission layers. Huntress (on macOS) uses the Endpoint Security framework; Fazm uses the Accessibility API. Huntress can see Fazm's process launching and file writes, which is the whole point of EDR. Fazm cannot see Huntress at all, because Huntress operates below the UI layer Fazm has access to. Both can coexist on one machine. If corporate policy allows AI automation tools, Fazm will run alongside Huntress without either product noticing the other.
How does Fazm's 'real accessibility API' approach differ from screenshot-based AI computer-use agents?
Screenshot-based agents (like generic vision-model 'computer use' sandboxes) work by taking a screenshot, sending pixels to a cloud model, asking 'where do I click,' and getting back pixel coordinates. That approach is lossy (the model has to re-infer what each button does from pixels every time), slow (round trip per action), and brittle (resolution changes break coordinates). Fazm instead reads the real accessibility tree exposed by macOS: every text field, button, and menu item is already labeled with its role, title, and frame. When the user says 'click the Send button in Slack,' Fazm queries the AXUIElement tree for the Slack app, finds the element with AXRole='AXButton' and AXTitle containing 'Send,' and clicks the center of its reported frame. No screenshot, no pixel inference, no hallucinated coordinates.
Related guides
Keep reading
Advantages of business process automation
Not every automation win is visible on a dashboard. Seven quiet wins you get once a well-scoped BPA project ships.
Selenium vs a Mac automation agent
Selenium owns the browser. Fazm owns the whole desktop. When each tool is the right choice, and why the answer is not what you think.
What is Claude extra usage
Pay-as-you-go billing for Claude Pro and Max, decoded from the SDK's rate_limit_event stream.