Endpoint Protection Platform and Anti-Virus White Listing Considerations

Article ID: 170103

Products

Control Compliance Suite Vulnerability Manager

Issue/Introduction

Installing an anti-virus solution on the Control Compliance Suite Vulnerability Manager (CCSVM) 12.x scanner host

Resolution

The real-time anti-virus scanner should exclude the ..\Symantec\CCS-VM Scanner and ..\Common Files\eEye Digital Security\ directories. On-access scanning of these locations interferes with the scan engine and its application bus while a scan is running.
 
At a minimum exclude the following:
%Program Files%\Symantec\CCS-VM Scanner\Scanner\RetinaEngine.exe
%Program Files%\Symantec\CCS-VM Scanner\Retina.exe
%Program Files%\Symantec\CCS-VM Scanner\Scanner\
%Program Files%\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
 
Also consider:
Disable anti-virus on-access scanning for network drives and mapped drives. If this is not done, a credentialed scan that connects to a target's C$ share causes the local anti-virus to scan the remote files it reads, which slows the scan and degrades the scanner's results.
Disable any host-based intrusion prevention (HIPS) modules, or exclude RetinaEngine.exe from HIPS, so that the security engine on the local host does not block or flag the scanner's own probes as attacks during a scan.
Disable the local firewall on the scanner machine, or add an exception that allows RetinaEngine.exe to reach all remote ports, protocols, and IP addresses. This rule should have a high priority and be stateful, so that replies to the scanner's probes are admitted.
Disable any email-filtering proxy in the security solution. Some security solutions create a faux local port 25 to intercept and scan incoming mail. If this is active, the scanner sees the proxy instead of the target, and the scan results show "ghost" machines that all appear to have port 25 open.
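The following PowerShell script is an added example, not part of the Symantec article, that applies the exclusions and firewall exception above on a scanner host whose real-time scanner is Microsoft Defender Antivirus and whose local firewall is Windows Firewall. It assumes the default install locations listed above, that the Defender and NetSecurity cmdlets are available (Windows Server 2012 R2 / Windows 8.1 or later), and that it is run from an elevated session. If Symantec Endpoint Protection is the real-time scanner, the equivalent exclusions are set in the SEP Manager Exceptions policy instead, and the Defender cmdlets below do not apply.

```powershell
# Added example (not from the Symantec article). Assumptions: default install paths,
# Microsoft Defender Antivirus as the real-time scanner, Windows Firewall as the local
# firewall, elevated session.
#Requires -RunAsAdministrator

$pf          = ${env:ProgramFiles}
$scannerRoot = Join-Path $pf 'Symantec\CCS-VM Scanner'
$eeyeRoot    = Join-Path $pf 'Common Files\eEye Digital Security'

# Directories the article says the real-time scanner must leave alone.
$excludePaths = @(
    $scannerRoot,
    $eeyeRoot,
    (Join-Path $scannerRoot 'Scanner')
)

# Processes the article lists as the minimum set to exclude.
$excludeProcs = @(
    (Join-Path $scannerRoot 'Scanner\RetinaEngine.exe'),
    (Join-Path $scannerRoot 'Retina.exe'),
    (Join-Path $eeyeRoot    'Application Bus\eeyeevnt.exe')
)

# Sanity check: an exclusion for a path that does not exist protects nothing.
foreach ($p in ($excludePaths + $excludeProcs)) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Not found, check the install location before relying on this exclusion: $p"
    }
}

Add-MpPreference -ExclusionPath    $excludePaths
Add-MpPreference -ExclusionProcess $excludeProcs

# Stop on-access scanning of files read over the network (the C$ credentialed-scan case)
# and of mapped drives during full scans.
Set-MpPreference -DisableScanningNetworkFiles $true
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $true

# Firewall exception for RetinaEngine.exe: any remote address, any port, any protocol
# (Protocol defaults to Any when omitted). Windows Firewall rules are stateful, so the
# outbound rule alone admits replies to the scanner's probes; the inbound rule covers
# checks where the engine itself listens for a connection back from the target.
$engine = Join-Path $scannerRoot 'Scanner\RetinaEngine.exe'
foreach ($dir in 'Outbound', 'Inbound') {
    $name = "CCS-VM RetinaEngine ($dir)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction $dir -Action Allow `
            -Program $engine -Profile Any -Enabled True | Out-Null
    }
}

# Verify what actually took effect before running the first credentialed scan.
$pref = Get-MpPreference
'--- Defender path exclusions ---'
$pref.ExclusionPath    | Where-Object { $_ -like '*CCS-VM*' -or $_ -like '*eEye*' }
'--- Defender process exclusions ---'
$pref.ExclusionProcess | Where-Object { $_ -like '*CCS-VM*' -or $_ -like '*eEye*' }
'--- Network file scanning disabled: ' + $pref.DisableScanningNetworkFiles
'--- Firewall rules for the engine ---'
Get-NetFirewallRule -DisplayName 'CCS-VM RetinaEngine*' |
    Get-NetFirewallApplicationFilter |
    Select-Object Program
```

The verification step at the end matters more than the configuration step: exclusions that were typed with a wrong path, or a firewall rule that landed on the wrong profile, fail silently and only show up later as slow or incomplete scans.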
 
Note:
Symantec Endpoint Protection (SEP) 12.1 registers a network provider that sits in front of LAN Manager in the provider order and therefore inspects all Retina traffic. The SEP 12.1 network provider must be moved to the bottom of the provider order list in order to resolve any traffic filtering is
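The provider order the Note refers to is stored in the registry value HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder as a comma-separated list, consulted first-to-last. The PowerShell below is an added example, not part of the article, that lists the registered providers with their display names so the SEP entry can be identified, and moves a named provider to the end of the list. The SEP provider's registered name is not given in the article, so it is a parameter here rather than a hard-coded value; the change takes effect after a reboot.

```powershell
# Added example (not from the Symantec article). Reads and rewrites the LAN Manager
# network provider order. The SEP provider name is an input, not assumed.
#Requires -RunAsAdministrator

$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'

function Get-NetworkProviderOrder {
    # Returns the provider names in the order Windows consults them.
    (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder -split ','
}

function Show-NetworkProviders {
    # Each provider's human-readable name lives under its service key, e.g.
    # Services\LanmanWorkstation\NetworkProvider\Name = "Microsoft Windows Network".
    $i = 0
    foreach ($p in Get-NetworkProviderOrder) {
        $svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$p\NetworkProvider"
        $display = (Get-ItemProperty -Path $svcKey -Name Name -ErrorAction SilentlyContinue).Name
        [pscustomobject]@{
            Position    = ++$i
            Provider    = $p
            DisplayName = $display
        }
    }
}

function Move-NetworkProviderToEnd {
    param([Parameter(Mandatory)][string]$ProviderName)

    $current = Get-NetworkProviderOrder
    if ($current -notcontains $ProviderName) {
        throw "Provider '$ProviderName' is not registered; current order: $($current -join ', ')"
    }

    # Rebuild the list with the chosen provider last, keeping everything else in place.
    $new = @($current | Where-Object { $_ -ne $ProviderName }) + $ProviderName
    Write-Host "Old order: $($current -join ',')"
    Write-Host "New order: $($new -join ',')"
    Set-ItemProperty -Path $orderKey -Name ProviderOrder -Value ($new -join ',')
    Write-Warning 'Reboot the scanner host for the new provider order to take effect.'
}

# Usage:
Show-NetworkProviders | Format-Table -AutoSize
# Then, with the SEP provider name taken from the Provider column above:
# Move-NetworkProviderToEnd -ProviderName '<SEP provider name>'
# Show-NetworkProviders | Format-Table -AutoSize   # confirm it is now last
```

Inspect the table before changing anything: the Microsoft Windows Network provider (LanmanWorkstation) should stay where it is, and only the SEP entry should move. Keep the printed old order so the value can be restored if the scanner host behaves unexpectedly after the reboot.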