000034465 - Third party antivirus exclusions related to RSA NetWitness Endpoint

Document created by RSA Customer Support Employee on Nov 30, 2016Last modified by RSA Customer Support on Jun 26, 2018
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000034465
Applies ToRSA Product Set: NetWitness Endpoint, ECAT
RSA Product/Service Type: Agents, Server, User Interface
RSA Version/Condition: 4.1.x.x, 4.2.x.x, 4.3.x.x
Platform: Windows
IssueThird party antivirus products may not always peacefully coexist with RSA NetWitness Endpoint software, the agent in particular. While we cannot advise you on a configuration of third-party software, there are a few procedures that can be followed to reduce the conflicts between RSA NetWitness Endpoint and third-party antivirus software. This is intended as a general guideline and is not intended to replace consultation with the antivirus vendor.
TasksFor machines running the RSA NetWitness Endpoint agent:

First and foremost, the third-party software needs to "whitelist" the 2 processes that comprise the NWE agent.  By default, these 2 processes are named "EcatService" and "EcatServiceDriver" but alternate names can be specified when the agent installer is built.  The third-party software should be configured to ignore C:\Windows\System32\EcatService.exe (or alternate name) as well as C:\Windows\System32\Drivers\EcatServiceXXXXX.sys (the numbers appended to the driver name will vary).  

The RSA NetWitness Endpoint agent uses the directory C:\ProgramData\<servicename>\ for multiple purposes, including the staging of tracking data and hard links to deleted files (which could be malware) to be transferred to the server.  RSA recommends that you configure the third party antivirus to ignore C:\ProgramData\EcatService\* (using the appropriate service name of course) to avoid potential conflicts with third-party antivirus products.

The following links may be helpful in excluding a file or folder from scans:
Symantec: https://support.symantec.com/en_US/article.HOWTO80920.html
Sophos: https://community.sophos.com/kb/en-us/116368
McAfee: https://kc.mcafee.com/corporate/index?page=content&id=KB50998

For machines running the RSA NetWitness Endpoint UI:

When an analyst launches the Module Analyzer, the module being analyzed is copied to a %APPDATA%\local\temp directory on the machine running the UI before it is parsed.  It is important to understand that the file is not executed.  Third party antivirus can determine whether or not a file is malicious and quarantine the file before the module analyzer can parse it.  Whitelisting this directory in your antivirus suite will prevent this from happening but potentially creates a blind spot.
Workaround: download a local copy of the file and run the Module Analyzer (Tools - Module Analyzer) on the local copy.  
WARNING:  In older versions, the file may be executable if an underscore was not appended to the filename. and beyond
No exclusions are necessary unless the analyst saves a local copy. 

Machines running the RSA ECAT console server

The configured files download directory must be excluded from third-party antivirus scans.  The directory in question is specified in Configure - Connection - Files UNC Path in the UI.

For performance reasons only, the following directories can be considered for whitelisting:
- the QueuedData directory
- the folders containing the ECAT$PRIMARY and tempdb database files .mdf and .ldf files

RSA recommends consulting with the antivirus vendor for specific recommendations regarding general SQL exclusions related to performance.

Following these guidelines will lead to peaceful coexistence between RSA NetWitness Endpoint and third-party antivirus products.