Real Time AV Exclusions

Updated 10/13/17, 2:54 PM by mpaishon

The BigFix Console, Server and Relay components of the architecture perform high-volume file operations. This activity is a substantial part of the functionality that these BigFix architecture components provide. If file operations are interrupted or "shimmed" by anti-virus or heuristic-type applications (such as HIPS), the performance of these components will be significantly impacted. Sometimes this can result in errors and instability. The BigFix Client is also continuously evaluating the machine, which creates a large volume of API, registry and file operations. The client is negatively impacted by the same concerns, and as a result can experience significantly slower content evaluation times.

To address this issue, configure anti-virus and heuristic applications (such as HIPS) to exclude the following directories and processes. It is important to note that the specifications below relate to the exclusion of folder paths and processes from real-time scans and heuristics only; from a security perspective, we still recommend that scheduled scans be configured and enabled.

Important Caveats

The following applies to the BigFix platform core components only, and excludes solutions such as BigFix Inventory, ILMT or OSD (which may have their own guidance around AV exceptions). It also assumes the default installation paths; customers may need to adjust the paths to match the configuration of their environment.

On the BigFix Server 

The following Folder and sub folder paths should be excluded: 

%DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\*

The following processes should also be excluded:

%DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\BESGather.exe

%DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\BESRootServer.exe

%DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\BESWebReportsServer.exe

%DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\BESAdmin.exe

%DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\FillDB.exe

%DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\GatherDB.exe

On the BigFix Relay 

The following Folder and sub folder paths should be excluded: 

%DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Relay\*

The following process should also be excluded:

%DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Relay\BESRelay.exe

On the BigFix Client

The following Folder and sub folder paths should be excluded: 

%DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Client\*

The following process should also be excluded:

%DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe

On the BigFix Console

The following Folder and sub folder paths should be excluded: 

The primary AV exception for the console relates to the console cache directory. By default this directory is located within the user's profile path, for example: %DRIVE%:\Users\<%USER_PROFILE%>\AppData\Local\BigFix\*

The user console cache location is also configurable via a registry setting (this may make it easier to apply AV exclusions in some AV and heuristics products). More information on this configuration can be found here: http://www-01.ibm.com/support/docview.wss?uid=swg21505741

The following process should also be excluded:

%DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Console\BESConsole.exe

Optionally, the following directory should also be excluded if you use the QNA component within the console directory: %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Console\QNA

Additionally, the following process: %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Console\QNA\FixletDebugger.exe

On the BigFix WEBUI Server

The following Folder and sub folder paths should be excluded (depending on your version and upgrade path, the location varies; exclude whichever of the following paths is present on your WebUI Server):

%DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\*

OR

%DRIVE%:\Program Files (x86)\BigFix Enterprise\BES WebUI\*

The following processes should also be excluded (depending on your version the location varies; exclude whichever of the following paths is present on your WebUI Server):

%DRIVE%:\%WebUI Path%\node.exe

OR

%DRIVE%:\%WebUI Path%\WebUIService.exe


Refer to instructions from your virus scanner for more information on how to set this exclusion rule.
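As an added example (not part of the original page or of the BigFix product), the following script applies the folder and process exclusions listed above to Microsoft Defender Antivirus with Add-MpPreference, adding only the paths that actually exist on the machine so that the "exclude the paths that are observed" caveat for the WebUI is honoured. Defender as the AV product and the drive letter (the page's %DRIVE% placeholder, given as the -Drive parameter) are assumptions; other products need their own vendor tooling.

```powershell
# Added example, not from the original page. Assumes Microsoft Defender Antivirus and that
# %DRIVE% from the page maps to -Drive (C by default). Run in an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Server','Relay','Client','Console','WebUI')]
    [string[]]$Role,
    [string]$Drive = 'C'
)

$base = "$($Drive):\Program Files (x86)\BigFix Enterprise"
function Under([string]$dir, [string[]]$names) { $names | ForEach-Object { Join-Path $dir $_ } }

# Console cache lives under each user's profile (%DRIVE%:\Users\<user>\AppData\Local\BigFix).
$userCaches = @(Get-ChildItem "$($Drive):\Users" -Directory -ErrorAction SilentlyContinue |
                ForEach-Object { Join-Path $_.FullName 'AppData\Local\BigFix' })

# Candidate folders and processes per role, transcribed from the lists on this page.
$webUiDirs = @("$base\BES Server\WebUI", "$base\BES WebUI")   # two possible WebUI layouts
$plan = @{
    Server  = @{ Dirs  = @("$base\BES Server")
                 Procs = Under "$base\BES Server" @('BESGather.exe','BESRootServer.exe',
                             'BESWebReportsServer.exe','BESAdmin.exe','FillDB.exe','GatherDB.exe') }
    Relay   = @{ Dirs = @("$base\BES Relay");  Procs = Under "$base\BES Relay"  'BESRelay.exe' }
    Client  = @{ Dirs = @("$base\BES Client"); Procs = Under "$base\BES Client" 'BESClient.exe' }
    Console = @{ Dirs  = $userCaches + "$base\BES Console\QNA"
                 Procs = Under "$base\BES Console" @('BESConsole.exe','QNA\FixletDebugger.exe') }
    WebUI   = @{ Dirs  = $webUiDirs
                 Procs = (Under $webUiDirs[0] @('node.exe','WebUIService.exe')) +
                         (Under $webUiDirs[1] @('node.exe','WebUIService.exe')) }
}

$dirs = @(); $procs = @()
foreach ($r in $Role) { $dirs += $plan[$r].Dirs; $procs += $plan[$r].Procs }

# Exclude only what exists on this machine: an exclusion for a non-existent path is noise,
# and for WebUI it selects whichever of the two layouts is installed.
$dirs  = @($dirs  | Where-Object { Test-Path -LiteralPath $_ -PathType Container } | Sort-Object -Unique)
$procs = @($procs | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }      | Sort-Object -Unique)

if ($dirs.Count -eq 0 -and $procs.Count -eq 0) {
    Write-Warning "No BigFix paths found under $base for role(s): $($Role -join ', ')"; return
}
if ($PSCmdlet.ShouldProcess('Microsoft Defender exclusions',
        "add $($dirs.Count) folder(s) and $($procs.Count) process(es)")) {
    if ($dirs.Count)  { Add-MpPreference -ExclusionPath    $dirs  }
    if ($procs.Count) { Add-MpPreference -ExclusionProcess $procs }
}

# Report the resulting exclusion lists so the change can be reviewed and recorded.
$pref = Get-MpPreference
[pscustomobject]@{ ExclusionPath = $pref.ExclusionPath; ExclusionProcess = $pref.ExclusionProcess }
```

Run with -WhatIf first to see which paths would be excluded without changing anything, e.g. `.\Set-BigFixAvExclusions.ps1 -Role Server,WebUI -WhatIf` (the script file name is an assumption).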

For more details, see the technote "Should the BigFix agent be excluded from antivirus scanning?"