Article Content
Article Number | 000038392 |
Applies To | RSA Product Set: NetWitness Endpoint
RSA Product/Service Type: Agents
RSA Version/Condition: 11.x
Platform: Windows |
Issue | Third-party anti-virus products may not always co-exist with RSA NetWitness Endpoint agents. While RSA cannot advise you on configuration of third-party software, there are a few procedures that you can follow to reduce conflicts between RSA NetWitness Endpoint agents and third-party anti-virus software. This is intended as a general guideline and is not intended to replace consultation with the anti-virus vendor. |
Tasks | For machines running the RSA NetWitness Endpoint agent:

The third-party software must whitelist the service and driver files that comprise the NetWitness Endpoint agent. By default, the service name is NWEAgent and the driver service name is NWEDriver, but service names can be modified when generating the agent packager. The third-party software should be configured to ignore C:\Windows\System32\<servicename> and C:\Windows\System32\Drivers\<servicename>XXXXX.sys (the numbers that are appended to the driver name will vary).

The RSA NetWitness Endpoint agent uses the directory C:\ProgramData\<servicename>\ for multiple purposes, including the staging of tracking data. RSA recommends that you configure the third-party anti-virus to ignore C:\ProgramData\<servicename>\* (using the appropriate service name) to avoid potential conflicts with third-party anti-virus products.

The following links may be helpful in excluding a file or folder from scans:
Symantec: https://support.symantec.com/en_US/article.HOWTO80920.html
Sophos: https://community.sophos.com/kb/en-us/116368
McAfee: https://kc.mcafee.com/corporate/index?page=content&id=KB50998 |
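
Because the digits appended to the driver file name vary per machine, it helps to resolve the patterns above to the files actually present, and to check their signatures, before entering them as exclusions. The following PowerShell script is an added example, not RSA's own tooling. It assumes the default names NWEAgent and NWEDriver, and the trailing wildcard on the System32 pattern is an assumption, since the article gives no file extension for the service file.

```powershell
# Added example: resolve the exclusion patterns from this article to real paths.
# Run from a 64-bit PowerShell session so System32 is not redirected.
param(
    # Defaults named in the article; replace them if custom service names
    # were chosen when the agent packager was generated.
    [string[]]$ServiceNames = @('NWEAgent', 'NWEDriver')
)

$sys32       = Join-Path $env:windir 'System32'
$programData = $env:ProgramData

$results = foreach ($name in $ServiceNames) {
    # Both names are tried in every location, because the article uses
    # <servicename> for the service file, the driver file and the data folder.
    $patterns = @(
        (Join-Path $sys32 "$name*"),             # wildcard is an assumption
        (Join-Path $sys32 "Drivers\$name*.sys"), # <servicename>XXXXX.sys
        (Join-Path $programData $name)           # staging directory
    )
    foreach ($pattern in $patterns) {
        $items = @(Get-Item -Path $pattern -Force -ErrorAction SilentlyContinue)
        if ($items.Count -eq 0) {
            [pscustomobject]@{
                Pattern = $pattern; Path = '(not found)'; Signature = ''; Signer = ''
            }
            continue
        }
        foreach ($item in $items) {
            # Only files carry an Authenticode signature; skip directories.
            $sig = $null
            if (-not $item.PSIsContainer) {
                $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
            }
            [pscustomobject]@{
                Pattern   = $pattern
                Path      = $item.FullName
                Signature = if ($sig) { $sig.Status } else { 'n/a (directory)' }
                Signer    = if ($sig) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# Review this list before copying paths into the anti-virus exclusion policy.
$results | Format-Table -AutoSize -Wrap
```

A file that matches a pattern but does not show a valid signature from the expected publisher should be investigated rather than excluded.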