endpoint files and processes to exclude from anti-virus inspection

Article ID: 211659

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

We are running pamsc endpoint version 14.1.  We're getting ready to deploy MS Defender on Linux servers, and need to know which pamsc files and processes (full path to executable) need to be excluded from checking.  Can you provide a list of files and executables that should be excluded from AV inspection?

More on MDE for Linux exclusions here:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions

Environment

Release : 14.1

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

While support cannot provide a complete list of files and executables, the following is a method to obtain them and to configure the exclusions on both sides.

Regarding PIM / PAM SC coexistence with any antivirus running on the same box, it is recommended to exclude the processes of the AV from being processed by our product. First, find out which processes are launched and owned by the AV product, using the Windows Task Manager or a "ps -ef" call. The same applies to the kernel modules of the AV, e.g. on Linux use the lsmod command. Then define the relevant SPECIALPGM rules with the propagate/fullBypass attribute for each such binary, e.g.:

NEWRES SPECIALPGM ('/opt/McAfee/agent/bin/macmnsvc') PgmType('propagate','fullBypass')

Vice versa, also exclude the PIM / PAM SC components from being processed by the AV: run the issec command, then add the seos kernel module and all the listed binaries to the exclusion list of the AV.

If you are also using UNAB, check its services in the same way.
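The procedure above, worked through as an added shell example (not from the article and not a Broadcom tool): a "ps -ef" listing is filtered down to the AV's executables, each of which becomes a SPECIALPGM rule in the form the article shows, and the PAM SC binaries are in turn turned into Defender exclusion commands. The process listing, the AV install prefix /opt/example-av/ and the PAM SC paths under /opt/CA/PAMSC/ are constructed placeholders, not a real layout; the mdatp exclusion syntax is the one documented for Microsoft Defender for Endpoint on Linux.

```shell
#!/bin/sh
# Added example, not part of the CA/Broadcom article.
# Constructed "ps -ef" output (UID PID PPID C STIME TTY TIME CMD ...);
# all paths are hypothetical placeholders.
SAMPLE_PS='root  1201     1  0 10:02 ?  00:00:03 /opt/example-av/bin/av-daemon --service
root  1215  1201  0 10:02 ?  00:00:00 /opt/example-av/bin/av-scanner
root  1330     1  0 10:03 ?  00:00:01 /usr/sbin/sshd -D
root  1402     1  0 10:03 ?  00:00:00 /opt/CA/PAMSC/bin/seosd'

# Placeholder list standing in for the binaries that "issec" would report.
PAMSC_BINS='/opt/CA/PAMSC/bin/seosd
/opt/CA/PAMSC/bin/seagent'

# av_binaries <ps-output> <install-prefix>
# Prints the unique absolute executable paths (CMD column, field 8 of
# "ps -ef") that start with the AV install prefix.
av_binaries() {
    printf '%s\n' "$1" | awk -v prefix="$2" 'index($8, prefix) == 1 { print $8 }' | sort -u
}

# specialpgm_rules <path>...
# Emits one selang NEWRES SPECIALPGM command per AV binary, with the
# propagate/fullBypass attributes the article recommends.
specialpgm_rules() {
    for bin in "$@"; do
        printf "NEWRES SPECIALPGM ('%s') PgmType('propagate','fullBypass')\n" "$bin"
    done
}

# defender_exclusions <path>...
# Emits the mdatp command that adds each PAM SC binary to Defender's
# exclusion list (the reverse direction of the same coexistence setup).
defender_exclusions() {
    for bin in "$@"; do
        printf "mdatp exclusion file add --path '%s'\n" "$bin"
    done
}

# Stand-alone run: print both halves of the configuration.
AV_BINS=$(av_binaries "$SAMPLE_PS" /opt/example-av/)
echo "# selang rules for the AV processes:"
specialpgm_rules $AV_BINS
echo "# Defender exclusions for the PAM SC binaries:"
defender_exclusions $PAMSC_BINS
```

Paths containing spaces would need a different splitting strategy than the unquoted `$AV_BINS` expansion used here; AV and PAM SC install paths normally contain none. On a live system the listing would come from `ps -ef` itself, and `lsmod` would be checked separately for the AV's kernel modules.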