The Cybersecurity team has informed us of a threat detection in our TEST environment during the upgrade to version 20.3.2.
We would like to know whether the security team should exclude these alerts in our Nimsoft environment, since we are going to run this same upgrade in PROD in a few days and it would be convenient to avoid this type of issue. Please read below the information sent by the Cybersecurity Team.
"We received a few detections on XXXSXXX02 for the following file: conf_data_engine.exe"
Release : 20.3.2 (Test environment)
Component : UIM - INSTALL
During installation or upgrades, ask the Security team to temporarily disable any anti-virus software, as it may interfere with the installation/upgrade process.
This extends to any security application installed locally on the Windows, Linux or UNIX server that may interfere by blocking, filtering, or requiring proactive 'whitelisting' of DX UIM components, connections or message traffic.
Any anti-virus/security software MUST be disabled on the Primary hub before proceeding; otherwise you may experience unforeseen issues due to interference such as blocking, filtering, malware prevention or false-positive malware detection by products such as Carbon Black, CrowdStrike, Symantec Endpoint Protection, Kaspersky, McAfee, Bit9, etc.
If the anti-virus application cannot be disabled, you MUST ensure that the installer and ALL Nimsoft programs, directories and files are completely excluded from blocking, scanning and filtering before and during the upgrade. After the upgrade is complete you can normally re-enable anti-virus, but the exclusions must remain in place for the programs to run unimpeded.
If UIM/OC has not been excluded from security software or anti-virus applications, those applications can end up blocking or filtering applications, ports, protocols or connections, and this may happen at a time when you do not expect it. You would then have to reach out to your Security team; there may be delays in obtaining a response, and this may interfere with the progress of your install, upgrade or monitoring.
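The following PowerShell script is an added example of the exclusion procedure above; it is not part of this KB article and not code shipped with DX UIM. It assumes Microsoft Defender Antivirus on the Windows Primary hub (the article names other products, whose consoles have equivalent exclusion settings), that Nimsoft is installed under the path in $NimsoftRoot, and a hypothetical installer location in $InstallerPath. It first records the SHA-256 hash and Authenticode signature of the flagged conf_data_engine.exe so the Security team can confirm the file is the vendor-shipped binary, then adds exclusions scoped to exact paths, and finally verifies that the exclusions are in effect.

```powershell
# Added example; not from the KB article or the DX UIM installer.
# Assumptions (not stated on the page): the hub runs Microsoft Defender Antivirus,
# Nimsoft is installed under $NimsoftRoot, and the installer is staged at $InstallerPath.
# Run from an elevated PowerShell session on the Primary hub.
param(
    [string]$NimsoftRoot   = 'C:\Program Files (x86)\Nimsoft',     # assumed install root
    [string]$InstallerPath = 'C:\Temp\UIM-20.3.2\installUIM.exe'   # hypothetical staging path
)

# Step 1: record the hash and signature of the flagged binary so the Security team can
# confirm it is the vendor-shipped file before any exclusion is created.
function Test-NimsoftBinary {
    param([string]$FileName)
    $file = Get-ChildItem -Path $NimsoftRoot -Recurse -Filter $FileName -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $file) { throw "$FileName not found under $NimsoftRoot" }

    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path     = $file.FullName
        Sha256   = $hash
        SigState = $sig.Status                    # expect 'Valid'; anything else needs investigation
        Signer   = $sig.SignerCertificate.Subject # compare against the publisher you expect
    }
}

# Step 2: exclude the install root, the installer and the Nimsoft executables.
# Exclude by exact path, never a whole drive or a wildcard, so the exclusion cannot be
# abused by dropping an unrelated binary into a broadly excluded location.
function Add-NimsoftExclusions {
    $exePaths = @(Get-ChildItem -Path $NimsoftRoot -Recurse -Filter '*.exe' |
                  Select-Object -ExpandProperty FullName)

    Add-MpPreference -ExclusionPath @($NimsoftRoot, $InstallerPath)
    if ($exePaths.Count -gt 0) {
        Add-MpPreference -ExclusionProcess $exePaths
    }
}

# Step 3: verify the exclusions are in effect before starting the upgrade.
function Get-NimsoftExclusionStatus {
    $pref = Get-MpPreference
    [pscustomobject]@{
        RootExcluded      = $pref.ExclusionPath -contains $NimsoftRoot
        InstallerExcluded = $pref.ExclusionPath -contains $InstallerPath
        ProcessExclusions = @($pref.ExclusionProcess | Where-Object { $_ -like "$NimsoftRoot*" }).Count
        RealtimeDisabled  = $pref.DisableRealtimeMonitoring
    }
}

$check = Test-NimsoftBinary -FileName 'conf_data_engine.exe'
$check | Format-List
if ($check.SigState -ne 'Valid') {
    Write-Warning "Signature status is $($check.SigState); give the hash to the Security team before excluding."
    return
}

Add-NimsoftExclusions
Get-NimsoftExclusionStatus | Format-List

# After the upgrade: re-enable real-time protection if it was switched off for the
# install, but leave the exclusions above in place, as this article requires.
# Set-MpPreference -DisableRealtimeMonitoring $false
```

If conf_data_engine.exe is unsigned or the signer is not the one you expect, treat the detection as an open question rather than a false positive; the recorded hash lets the Security team compare the file against the installer media. On endpoints that are centrally managed, locally added Defender exclusions may be overwritten by policy, so set them in the management console instead.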