DLP Endpoint Agents with Antivirus Protection

Article ID: 160045


Updated On:

Products

Data Loss Prevention Endpoint Prevent
Data Loss Prevention
Data Loss Prevention Endpoint Discover

Issue/Introduction

The DLP Endpoint Agent and other program files may be blocked, or may cause issues, when installed on a system that also runs an antivirus (AV) application or Endpoint Detection and Response (EDR) software.

Failure to provide these exclusions can lead, and has led, to file system corruption of the DLP agent components, causing install/uninstall to fail, as well as component failures including missed detections, incorrect severities and other anomalous behaviors.

Therefore, it is required that you provide these exclusions in your antivirus or other security software to ensure the DLP agent can perform effectively.

Environment

Resolution

With a typical antivirus program or endpoint detection and response solution, excluding a folder prevents the AV and EDR program from monitoring data that is written to, or read from, the folder.

Excluding a binary or executable file prevents the AV engine and EDR from monitoring that executable during read and write operations.

It is recommended to whitelist all of the processes, files, folders, and subfolders that are listed below.

Windows

*Endpoint Agent Installation Location

C:\Program Files\Manufacturer\Endpoint Agent\*

Processes

edpa.exe
wdp.exe
cui.exe
cuil.exe
kvoop.exe
brkrprcs.exe
brkrprcs64.exe
prcs32.exe
Auth.exe
ludp.exe "16.1-"

luce.exe "25.1+"
plgh.exe
prcsinfo.exe
OfficeOpenXMLContentExtractor.exe
userOps.exe
ate.exe

Drivers

vfsmfd.sys
vrtam.sys
vnwcd.sys

Files

C:\Program Files\Manufacturer\Endpoint Agent\*.ead

* For CrowdStrike in particular, use:

C:\Program Files\Manufacturer\Endpoint Agent\**

The ** denotes all subdirectories.
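
To confirm that an exclusion policy really covers the agent's files, the following added example (not part of the original article or the product) audits a list of exclusion entries against observed file paths. It assumes a glob dialect in which `**` crosses directory separators and a single `*` does not; the `sub` directory and the `cache.ead` file are constructed sample values.

```python
import re

# Values copied from the Windows section of this article.
INSTALL_DIR = r"C:\Program Files\Manufacturer\Endpoint Agent"
PROCESSES = ["edpa.exe", "wdp.exe", "cui.exe", "cuil.exe", "kvoop.exe",
             "brkrprcs.exe", "brkrprcs64.exe", "prcs32.exe", "Auth.exe",
             "ludp.exe", "luce.exe", "plgh.exe", "prcsinfo.exe",
             "OfficeOpenXMLContentExtractor.exe", "userOps.exe", "ate.exe"]
DRIVERS = ["vfsmfd.sys", "vrtam.sys", "vnwcd.sys"]

def glob_to_regex(pattern):
    """Translate an exclusion glob. Assumed dialect: '**' crosses
    directory separators, a single '*' stays inside one path component."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    # Windows paths are case-insensitive, so match that way.
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)

def is_covered(path, exclusions):
    """True if any entry matches. An entry without a backslash is treated
    as a process or driver name and compared with the file name only."""
    name = path.rsplit("\\", 1)[-1]
    for entry in exclusions:
        target = path if "\\" in entry else name
        if glob_to_regex(entry).match(target):
            return True
    return False

def audit(exclusions, observed_paths):
    """Return the observed agent files that no exclusion entry covers."""
    return [p for p in observed_paths if not is_covered(p, exclusions)]

# Constructed inventory: 'sub' and 'cache.ead' are hypothetical names.
OBSERVED = [INSTALL_DIR + "\\" + p for p in PROCESSES[:3]] + [
    INSTALL_DIR + r"\sub\plgh.exe", INSTALL_DIR + r"\cache.ead"] + DRIVERS

if __name__ == "__main__":
    for tail in (r"\*", r"\**"):  # folder exclusion: one level vs. recursive
        policy = [INSTALL_DIR + tail] + DRIVERS
        print(tail, "-> uncovered:", audit(policy, OBSERVED))
```

In a real audit, replace `OBSERVED` with a directory listing of the agent installation and the policy list with the entries exported from the AV or EDR console.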

MacOS

Endpoint Agent Installation Location

/Library/Manufacturer/Endpoint Agent

Endpoint Agent Temp Folder Location

/Library/Manufacturer/Endpoint Agent/Temp

Processes *

edpa
wdp
CUI
kvoop
Symantec / Symantec.app
OfficeOpenXMLContentExtractor / OOXMLHostApp
brkrprcs
FFbrkr 
EdgeBrkr
start_agent

ludp "16.1-"

luce "25.1+"

SEHA

Drivers

N/A

Files

/Library/Manufacturer/Endpoint Agent/*.ead

* Process exclusions are not necessary if the AV program being used is the Symantec Endpoint Protection agent (SEP, SESE or SESC)

Additional Information

If using Symantec Endpoint Protection (SEP), use the tech docs below to create the exclusions:

Excluding a file or a folder from scans

Excluding file extensions from virus and spyware scans on Windows clients and Linux clients

CMD.exe is also required for full agent functionality:
brkrprcs64 does not start on the endpoint

Please note: Executables ending in 32 are generally for 32-bit processes and those ending in 64 are for 64-bit processes. However, you may see 32-bit processes in 64-bit installations, because backward compatibility is needed for older applications and files.

Not all files may be included in your installation, as some components are only available depending on the configuration options selected, but it is recommended to include those options in your AV exclusions in case they get added at a later date.