Endpoint files and processes to exclude from anti-virus inspection
Article ID: 211659
Updated On:
Products
CA Privileged Access Manager - Server Control (PAMSC)
Issue/Introduction
You are running pamsc endpoint version 14.1. You are getting ready to deploy MS Defender on Linux servers, and need to know which pamsc files and processes (full path to executable) need to by excluded from checking. You are looking for a list of files and executables that should be excluded from AV inspection.
Environment
Release : 14.1
Component : PRIVILEGED ACCESS MANAGEMENT
Resolution
While support cannot provide a complete list of files and executables, we can provide a method for you to get them, and how to configure:
- Regarding PIM / PAM SC coexistence with any AntiVirus running on the same box - it is recommended to exclude the processes of the AV from being processed by our product.
- Basically, find out using the Windows Task Manager or "ps -ef" call what processes are launched and owned by the AV product.
- The same applies to the kernel modules of the AV - e.g. in Linux use the lsmod command. Then define relevant specialpgm rules with propagate/fullbypass attribute to the according binary, e.g. NEWRES SPECIALPGM ('/opt/McAfee/agent/bin/macmnsvc') PgmType('propagate','fullBypass') Vice Versa.
- Also exclude in the AV the PIM / PAM SC components from being processed. e.g. run the issec command and put the seos kernel module and add all the listed binaries to the exclusion list of the AV.
- If you are using unab, then also check those services.
Additional Information
More on MDE for Linux exclusions here: Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
Feedback
Yes
No
Powered by
