Third-party antivirus exclusions related to RSA NetWitness Endpoint
RSA Product Set: NetWitness Endpoint
RSA Product/Service Type: Agents, Server, User Interface
RSA Version/Condition: 4.4, 11.3, and higher
Platform: Windows, MAC OS X
Third-party antivirus products may not always coexist peacefully with RSA NetWitness Endpoint software, the agent in particular. While we cannot advise you on the configuration of third-party software, there are a few procedures that can be followed to reduce conflicts between RSA NetWitness Endpoint and third-party antivirus software. This is intended as a general guideline and is not intended to replace consultation with the antivirus vendor.
For machines running the RSA NetWitness Endpoint agent:
First and foremost, the third-party software needs to "whitelist" the two processes that comprise the NWE agent. By default, these two processes are named "EcatService" and "EcatServiceDriver", but alternate names can be specified when the agent installer is built. The third-party software should be configured to ignore C:\Windows\System32\EcatService.exe (or the alternate name) as well as C:\Windows\System32\Drivers\EcatServiceXXXXX.sys (the numbers appended to the driver name will vary from installation to installation, so check the actual file name on the host).
The RSA NetWitness Endpoint agent uses the directory C:\ProgramData\<servicename>\ for multiple purposes, including the staging of tracking data and hard links to deleted files (which could be malware) to be transferred to the server. RSA recommends that you configure the third-party antivirus to ignore C:\ProgramData\EcatService\* (substituting the appropriate service name) to avoid potential conflicts.
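As an added example (not part of RSA's article), the following PowerShell script resolves the agent's actual executable, driver and ProgramData paths on a host and registers them as Microsoft Defender Antivirus exclusions. It assumes the default service name EcatService (pass -ServiceName if an alternate name was chosen when the installer was built) and Defender as the antivirus; other vendors need the equivalent entries in their own consoles.

```powershell
# Added example, not RSA's code: discover the NetWitness Endpoint agent's
# real file names on this host and add matching Microsoft Defender exclusions.
# Assumptions: default service name "EcatService" unless overridden, and
# Microsoft Defender Antivirus is the product in use.
#Requires -RunAsAdministrator

param(
    [string]$ServiceName = 'EcatService'
)

$exe     = Join-Path $env:SystemRoot "System32\$ServiceName.exe"
$dataDir = Join-Path $env:ProgramData $ServiceName

# The driver file name carries a varying numeric suffix (EcatServiceXXXXX.sys),
# so resolve the real name on disk instead of guessing it.
$driver = Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32\Drivers') `
                        -Filter "$ServiceName*.sys" -ErrorAction SilentlyContinue |
          Select-Object -First 1 -ExpandProperty FullName

# Refuse to add exclusions for paths that do not exist: that usually means the
# service name is wrong, and a stray exclusion would only widen the attack surface.
$missing = @($exe, $dataDir, $driver) | Where-Object { -not $_ -or -not (Test-Path $_) }
if ($missing) {
    throw "Agent artifacts not found: $($missing -join ', '). Is the service name '$ServiceName' correct?"
}

# Exclude the agent executable as a process (covers the files it touches, such
# as the hard links it stages under ProgramData) and the three paths themselves.
Add-MpPreference -ExclusionProcess $exe
Add-MpPreference -ExclusionPath $exe, $driver, $dataDir

# Print the resulting exclusions so the change can be verified and recorded.
$pref = Get-MpPreference
[pscustomobject]@{
    ExcludedProcesses = $pref.ExclusionProcess
    ExcludedPaths     = $pref.ExclusionPath
} | Format-List
```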