Best Practice: DLP Endpoint Agents with Antivirus Protection
search cancel

Best Practice: DLP Endpoint Agents with Antivirus Protection

book

Article ID: 160045

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent Data Loss Prevention Data Loss Prevention Endpoint Discover

Issue/Introduction

The DLP Endpoint Agent and other program files may be blocked, or cause issues when installed on a system where an antivirus (AV) application is installed, or Endpoint Detection and Response (EDR) software.

Environment

Resolution

With a typical antivirus program or endpoint detection and response solution, excluding a folder prevents the AV and EDR program from monitoring data that are written to, or read from, the folder. 

Excluding a binary or executable file prevents the AV engine and EDR from monitoring executable during read and write operations.

It is recommended to whitelist all of the processes, files, folders, and subfolders that are listed below.

Windows

Endpoint Agent Installation Location C:\Program Files\Manufacturer\Endpoint Agent\*
Processes

edpa.exe
wdp.exe
cui.exe
cuil.exe
kvoop.exe
brkrprcs.exe
brkrprcs64.exe
prcs32.exe
Auth.exe
ludp.exe
plgh.exe
prcsinfo.exe
OfficeOpenXMLContentExtractor.exe
userOps.exe

Drivers vfsmfd.sys
vrtam.sys
vnwcd.sys
Files C:\Program Files\Manufacturer\Endpoint Agent\*.ead

 

MacOS

Endpoint Agent Installation Location /Library/Manufacturer/Endpoint Agent
Endpoint Agent Temp Folder Location /Library/Manufacturer/Endpoint Agent/Temp
Processes *

edpa
wdp
CUI
kvoop
Symantec
OfficeOpenXMLContentExtractor
brkrprcs
FFbrkr 
EdgeBrkr
start_agent
lupd
SEHA

Drivers N/A
Files /Library/Manufacturer/Endpoint Agent/*.ead

* Process exclusions are not necessary if the AV program being used is the Symantec Endpoint Protection agent (SEP, SESE or SESC)

Additional Information

If using Symantec Endpoint Protection (SEP), use the tech docs below to create the exclusions:

Excluding a file or a folder from scans

Excluding file extensions from virus and spyware scans on Windows clients and Linux clients