000038392 - Third-party Antivirus Exclusions Related to RSA NetWitness Endpoint 11.x

Document created by RSA Customer Support Employee on Feb 11, 2020
Version 1

Article Content

Article Number: 000038392

Applies To
RSA Product Set: NetWitness Endpoint
RSA Product/Service Type: Agents
RSA Version/Condition: 11.x
Platform: Windows

Issue
Third-party anti-virus products may not always co-exist with RSA NetWitness Endpoint agents. While RSA cannot advise you on configuration of third-party software, there are a few procedures that you can follow to reduce conflicts between RSA NetWitness Endpoint agents and third-party anti-virus software. This is intended as a general guideline and is not intended to replace consultation with the anti-virus vendor.

Tasks
For machines running the RSA NetWitness Endpoint agent:

The third-party software must whitelist the service and driver files that comprise the NetWitness Endpoint agent. By default, the service name is NWEAgent and the driver service name is NWEDriver, but service names can be modified when generating the agent packager. The third-party software should be configured to ignore C:\Windows\System32\<servicename> and C:\Windows\System32\Drivers\<servicename>XXXXX.sys (the numbers that are appended to the driver name will vary).

The RSA NetWitness Endpoint agent uses the directory C:\ProgramData\<servicename>\ for multiple purposes, including the staging of tracking data. RSA recommends that you configure the third-party anti-virus to ignore C:\ProgramData\<servicename>\* (using the appropriate service name) to avoid potential conflicts with third-party anti-virus products.
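
The wildcard paths above can be resolved to the concrete files on an endpoint, with their signature status, before they are entered into the anti-virus console. The following PowerShell is an added example, not RSA-provided code; the function and parameter names are hypothetical, and it assumes the article's C:\Windows and C:\ProgramData correspond to %SystemRoot% and %ProgramData% on the machine.

```powershell
# Added example (not RSA code). Function and parameter names are hypothetical.
param(
    [string]$ServiceName       = 'NWEAgent',   # article default; change if customized in the packager
    [string]$DriverServiceName = 'NWEDriver'   # article default; change if customized in the packager
)

function Get-AgentExclusionCandidate {
    param([string]$ServiceName, [string]$DriverServiceName)

    # Assumption: C:\Windows = %SystemRoot% and C:\ProgramData = %ProgramData%.
    $sys32   = Join-Path $env:SystemRoot 'System32'
    $drivers = Join-Path $sys32 'Drivers'
    $data    = Join-Path $env:ProgramData $ServiceName

    # Resolve the article's patterns to what is actually on disk. The driver
    # file name carries appended numbers that vary, hence the wildcard.
    $found = @()
    $found += Get-ChildItem -Path $sys32 -Filter "$ServiceName*" -ErrorAction SilentlyContinue
    $found += Get-ChildItem -Path $drivers -Filter "$DriverServiceName*.sys" -File -ErrorAction SilentlyContinue

    foreach ($item in $found) {
        # A prefix wildcard can match unrelated files, so report the signer of
        # each file to confirm it is the agent binary before excluding it.
        $sig = $null
        if (-not $item.PSIsContainer) {
            $sig = Get-AuthenticodeSignature -FilePath $item.FullName
        }
        [pscustomobject]@{
            Exclusion       = $item.FullName
            Kind            = if ($item.PSIsContainer) { 'Folder' } else { 'File' }
            Present         = $true
            SignatureStatus = if ($sig) { $sig.Status } else { 'n/a' }
            Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }

    # The agent's working directory is excluded as a whole (staging of tracking data).
    [pscustomobject]@{
        Exclusion       = "$data\*"
        Kind            = 'Folder contents'
        Present         = Test-Path -LiteralPath $data
        SignatureStatus = 'n/a'
        Signer          = $null
    }
}

Get-AgentExclusionCandidate -ServiceName $ServiceName -DriverServiceName $DriverServiceName |
    Format-Table -AutoSize -Wrap
```

An empty result for the service or driver rows usually means the agent was packaged with non-default service names, which must then be passed as parameters.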

The following links may be helpful in excluding a file or folder from scans:
Sophos: https://community.sophos.com/kb/en-us/116368
McAfee: https://kc.mcafee.com/corporate/index?page=content&id=KB50998