AntiVirus - DX UIM, UMP, CABI and Operator Console pre-install and operational requirements

Article ID: 205483

Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • Unified Infrastructure Management for Mainframe
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

What are the anti-virus requirements before and after installation, and for ensuring normal ongoing operation, of DX UIM (DX Unified Infrastructure Management)?

  • Infrastructure Manager (IM)
  • Admin Console
  • Operator Console
  • CABI
  • Hubs/Robots and all probes

Environment

  • Release: Any version
  • Component: All Components
  • Installation or upgrades
  • Hubs, robots and all probe operations

Resolution

Important notes on AntiVirus

Configure your Operating Systems

Firewalls and Virus Scanners

Before you install DX UIM:

  • Shut down any antivirus software (temporarily, during install/upgrade).
  • (Optional) Shut down your firewall. While not always necessary, this action maximizes your chance of a successful installation.

If you keep your firewall running:

  1. Ensure the port between the CA UIM system and the database system is open.
  2. Specify a starting port during CA UIM installation (the recommended default is port 48000).
  3. Ensure that an adequate range of ports is open (for example, ports 48000 through 48020).

At a minimum, the first three ports assigned (controller, spooler, and hub) must be open. The port that is used for the distsrv probe communication is dynamically assigned.
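
The steps above for keeping the firewall running, as an added PowerShell example (not part of the original article and not Broadcom's code). The rule name, the source scope, and the database host and port are assumptions to replace with your own values.

```powershell
# Added example, not Broadcom's code. Values marked "assumption" are placeholders.
$StartPort = 48000                   # recommended default starting port (from the article)
$EndPort   = 48020                   # end of the article's example range
$Sources   = 'LocalSubnet'           # assumption: hubs and robots are on the local subnet
$DbHost    = 'db.example.internal'   # assumption: placeholder database host
$DbPort    = 1433                    # assumption: use the port of your own database
$RuleName  = 'DX UIM ports (example rule)'   # assumption: any descriptive name

# 1. Open only the UIM port range, and only for the expected sources (run elevated).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort "${StartPort}-${EndPort}" -RemoteAddress $Sources |
        Out-Null
}

# 2. Check the path to the database system before starting the installer.
$db = Test-NetConnection -ComputerName $DbHost -Port $DbPort -WarningAction SilentlyContinue
"Database ${DbHost}:${DbPort} reachable: $($db.TcpTestSucceeded)"

# 3. After installation, the first three ports (controller, spooler, hub)
#    must be listening on this system.
$required  = $StartPort..($StartPort + 2)
$listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $required } |
    Select-Object -ExpandProperty LocalPort -Unique)
foreach ($port in $required) {
    $state = if ($port -in $listening) { 'listening' } else { 'NOT listening' }
    "Port ${port}: $state"
}
```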

Reenable the firewall and anti-virus software when installation has been completed.

Firewall Port Reference

Also, the troubleshooting section (Troubleshooting Additional Scenarios) states:

"We recommend that you EXCLUDE the entire UIM folder from the Anti-virus scanning. This alert can occur in multiple probes. Therefore, excluding the entire UIM folder from anti-virus scanning is recommended."

Symptoms of anti-virus interference, e.g., from Windows Defender, may appear in the robot (controller) log:

Controller: inst_execute_status: sending reply rc=0(OK) 
Controller: inst_file_next: Unable to append to file robot/pkg/temp/vs2017_vcredist_x86.exe.tmp 
Controller: inst_execute_status: sending reply rc=0(OK) 

In the controller.log, look specifically for the 'append' error. If the file is small, you might see a 'file not found' message instead, because the AV removes the file in the time between when it is created and when it is accessed.

To quickly add an exclusion to Windows Defender, run a command such as the following from a PowerShell prompt:

  Defender\Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Nimsoft"

This seems to be an effective and easy way to work around this AV issue.
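
To tie the log symptom to the Defender configuration, the following added example (not part of the original article and not Broadcom's code) scans the controller log for the messages described above and reports whether the install folder is already covered by a Defender path exclusion. The log location and the exact 'file not found' wording are assumptions; the sample lines are the excerpt quoted above.

```powershell
# Added example, not Broadcom's code.
$UimRoot = 'C:\Program Files (x86)\Nimsoft'            # install folder used in the article
$LogPath = Join-Path $UimRoot 'robot\controller.log'   # assumption: log location

# Sample input: the controller log excerpt quoted in the article.
$sample = @(
    'Controller: inst_execute_status: sending reply rc=0(OK)'
    'Controller: inst_file_next: Unable to append to file robot/pkg/temp/vs2017_vcredist_x86.exe.tmp'
    'Controller: inst_execute_status: sending reply rc=0(OK)'
)

function Find-AvSymptom {
    param([string[]]$Line)
    foreach ($l in $Line) {
        # Message quoted in the article; capture the file that could not be written.
        if ($l -match 'Unable to append to file\s+(?<file>\S+)') {
            [pscustomobject]@{ Symptom = 'append failed'; Detail = $Matches.file }
        }
        # Assumption: the article does not give the exact wording of this variant.
        elseif ($l -match '(?i)file not found') {
            [pscustomobject]@{ Symptom = 'file not found'; Detail = $l.Trim() }
        }
    }
}

function Test-DefenderExclusion {
    param([string]$Path)
    $target = $Path.TrimEnd('\')
    # Run elevated: without admin rights Defender hides the exclusion list.
    foreach ($e in @((Get-MpPreference).ExclusionPath)) {
        if (-not $e) { continue }
        $root = $e.TrimEnd('\')
        # Covered if the path is the excluded folder itself or lies beneath it.
        if ($target -eq $root -or
            $target.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Use the real log when present, otherwise the sample lines.
$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }
$hits  = @(Find-AvSymptom -Line $lines)
$hits
if ($hits.Count -gt 0 -and -not (Test-DefenderExclusion -Path $UimRoot)) {
    "AV symptoms found and '$UimRoot' is not covered by a Defender path exclusion."
}
```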

Check Windows Events

Also, on Windows systems, you can check for related Windows events in the Event Viewer. Check the Application and System logs, not only for Errors but also for Informational events, within the time frame of those failures. Some AV scanners (e.g., CarbonBlack, CrowdStrike, Defender) generate "Informational" events when they block or interfere with processes. The security team can also check the AV logs for evidence of blocking/interference.
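
The same check from a PowerShell prompt, as an added example (not part of the original article and not Broadcom's code): it pulls Error, Warning and Informational events from the failure window and keeps those that come from an AV product or mention the UIM folder. The time window, the vendor keyword pattern and the inclusion of Defender's own operational log are assumptions.

```powershell
# Added example, not Broadcom's code.
function Get-AvInterferenceEvent {
    param(
        [datetime]$Start = (Get-Date).AddHours(-2),   # assumption: set to just before the failure
        [datetime]$End   = (Get-Date),
        # Assumption: keywords for the products named in the article.
        [string]$Vendor  = 'Defender|Antimalware|Carbon ?Black|CrowdStrike',
        [string]$AppPath = 'Nimsoft'                  # folder name used in the article
    )
    # Application and System as the article advises, plus Defender's own channel.
    $logs = 'Application', 'System', 'Microsoft-Windows-Windows Defender/Operational'
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{
            LogName   = $log
            StartTime = $Start
            EndTime   = $End
            Level     = 2, 3, 4      # Error, Warning and Informational
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match $Vendor -or $_.Message -match $AppPath }
    }
}

# Show the matches in time order with the first line of each message.
Get-AvInterferenceEvent |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, LevelDisplayName, ProviderName, Id,
        @{ Name = 'FirstLine'; Expression = { ($_.Message -split '\r?\n')[0] } } |
    Format-Table -AutoSize -Wrap
```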

Probe Package Deployment Failures

The easiest way to diagnose this problem on Windows is to use Sysinternals procmon:

https://learn.microsoft.com/en-us/sysinternals/downloads/procmon 

Use a filter to isolate activity on the folder in question and you will very likely be able to see some process like MsSense.exe or other processes performing OPLOCK operations on the files as they are being copied. It may not even be antivirus, but 'something' may be trying to read these files as they're written which causes an interruption.

On Linux systems we have not seen this as much; there it usually indicates a problem with the robot installation or with communication with the robot itself. On Windows, however, this is a very common issue related to Windows Defender Endpoint monitoring.

Additional Information

Anti-Virus Protection and Nimsoft programs and folders

Upgrade DX UIM Server

Turn off Anti-Virus Scanning
Turn off any anti-virus scanners running on the server. These scanners can significantly slow down the installation. You can turn your anti-virus scanner back on after the upgrade is complete.

If you don't exclude the Nimsoft application from anti-virus scanning, the scanner may interfere with installation as well as normal operation. This can apply to any software application, not just enterprise monitoring. During installation you can temporarily disable AV and then re-enable it. During normal operation, specific exclusions must be in place as per the content of this KB article.

UIM communicates over TCP ports, and if a firewall blocks them, it cannot communicate. The ports that need to be allowed are well documented. For more detailed information please refer to the techdocs page:

Note that in some cases UIM component ports are configurable instead of using their default port(s).

Supplemental Notes

Essentially, it is important to achieve a balance between ensuring a secure and virus-free server environment, while not interfering with the reliability and performance of servers or applications. Virus scanning is often a cause of installation failures, upgrade processes failing, and/or operational performance issues.

This may happen due to the lack of properly configured anti-virus exclusions, and AV may also cause outages of applications and services through contention, file locking, or application processes being blocked by default. Fortunately, Security Admins can check the AV logs for such evidence.

Like most application vendors, including those of numerous business applications, even Microsoft documents a fairly long list of files and folders that it recommends excluding from AV scanning. Recommended AV scan exclusions for applications or operating systems are easy to find on the web. It is a very common practice.

Note also that you can sign up for proactive notifications for DX Infrastructure Management (Unified Infrastructure Management) which include Security Advisories, here:

https://support.broadcom.com/user/notifications.html

Last but not least, any partner, customer or user of UIM that finds a specific breach or vulnerability can open a support case and report it to Broadcom, and Development/Engineering will address it.