Antivirus Exclusions for the Agent

Article ID: 286754

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

This document contains the list of both files and folders that should be excluded in any other security software on endpoints that also have an App Control Agent installed.

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • Linux OS: All Supported Versions
  • macOS: All Supported Versions

Resolution

Windows:

Folder Exclusions

| Path | Information |
|---|---|
| C:\ProgramData\Bit9\Parity Agent\ | Agent Data Directory |
| C:\Documents and Settings\All users\Application Data\Bit9\Parity Agent\ | Application Data Directory on XP / Server 2003 Devices |
| C:\Program Files (x86)\Bit9\Parity Agent\ | Agent Application Directory on 64 Bit Systems |
| C:\Program Files\Bit9\Parity Agent\ | Agent Application Directory on 32 Bit Systems |

File Exclusions

| Path | Information |
|---|---|
| C:\Windows\System32\drivers\Parity.sys | Agent Kernel Driver |
| C:\Program Files (x86)\Bit9\Parity Agent\Crawler.exe | Used for Trusted Directory Scanning on 64 Bit Systems |
| C:\Program Files (x86)\Bit9\Parity Agent\Dascli.exe | Command Line Interface on 64 Bit Systems |
| C:\Program Files (x86)\Bit9\Parity Agent\Notifier.exe | Used to Display Blocks/Prompts to End Users on 64 Bit Systems |
| C:\Program Files (x86)\Bit9\Parity Agent\Parity.exe | Agent Process on 64 Bit Systems |
| C:\Program Files (x86)\Bit9\Parity Agent\Timedoverride.exe | Used for putting a device into timed override on 64 Bit Systems |
| C:\Program Files\Bit9\Parity Agent\Crawler.exe | Used for Trusted Directory Scanning on 32 Bit Systems |
| C:\Program Files\Bit9\Parity Agent\Dascli.exe | Command Line Interface on 32 Bit Systems |
| C:\Program Files\Bit9\Parity Agent\Notifier.exe | Used to Display Blocks/Prompts to End Users on 32 Bit Systems |
| C:\Program Files\Bit9\Parity Agent\Parity.exe | Agent Process on 32 Bit Systems |
| C:\Program Files\Bit9\Parity Agent\Timedoverride.exe | Used for putting a device into timed override on 32 Bit Systems |

Linux:

| Path/Location | Information |
|---|---|
| /opt/bit9/bin/ | Agent Application Directory |
| /srv/bit9/data/ | Agent Data Directory |
| /lib/modules/kernelversion/kernel/lib/b9k*.ko | Agent Kernel Driver |
| /lib/modules/kernelversion/kernel/lib/cbproxy_cbp_*.ko | Agent Proxy Module |
| /etc/rc*/*b9daemon and /etc/init.d/b9daemon | Agent Startup Script |
| /etc/X11/xinit/xinitrc.d/90b9notifier.sh | Agent Block Notifier |

macOS:

System Extensions are used with macOS Agent 8.7.x and higher when installed on macOS 11.x and higher

| Path/Location | Information |
|---|---|
| /Applications/Bit9/ | Agent Application Directory |
| /Library/Application Support/com.bit9.Agent/ | Agent Data Directory |
| /Applications/Bit9/Agent/appc-es-loader.app/Contents/MacOS/appc-es-loader | Agent System Extension |

Bundle ID: com.vmware.carbonblack.appc-es-loader.appc-es-extension

Kernel Extensions are used with macOS Agent 8.7.x and lower when installed on macOS 10.15.x and lower

| Path/Location | Information |
|---|---|
| /Applications/Bit9 | Agent Application Directory |
| /Library/Application Support/com.bit9.Agent/ | Agent Data Directory (10.9 and higher) |
| /Library/Extensions/b9kernel.kext/ | Agent Driver (10.9 and higher) |
| /Library/Caches/com.bit9.agent/ | Agent Data Directory (10.8 and lower) |
| /System/Library/Extensions/b9kernel.kext | Agent Driver (10.8 and lower) |

Additional Information

  • Windows Defender is enabled by default on Windows machines, and also requires these exclusions.
  • Sub-folders should be included in the exclusion. Some vendors require a trailing asterisk (*) when entering exclusions. Please refer to the vendor's documentation.
  • The App Control Agent is considered a "real-time" scanner. It also has a self-protection mechanism (Tamper Protection) to ensure that the average end-user cannot disable it.
  • It is important to set up an exclusion policy with your antivirus (or any other real-time scanning application) to provide proper interoperability.
  • This exclusion will also eliminate potential performance issues caused by the AV process constantly scanning our cache and transaction log files. Because the Agent is a real-time scanner, these files are constantly being written to.
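
The Windows list above applied to Windows Defender, as an added example that is not part of the original article or the vendor's tooling. It assumes an elevated PowerShell session, the built-in Defender cmdlets (Add-MpPreference, Get-MpPreference) and the default install paths from the tables; the XP / Server 2003 path is omitted.

```powershell
# Added example: apply the article's Windows exclusions to Windows Defender
# and report which ones are actually in effect. Run elevated.

# Pick the Agent Application Directory the tables give for this architecture.
$agentDir = if ([Environment]::Is64BitOperatingSystem) {
    'C:\Program Files (x86)\Bit9\Parity Agent'
} else {
    'C:\Program Files\Bit9\Parity Agent'
}

# Folder exclusions, the kernel driver, then the per-file exclusions.
$wanted = @(
    'C:\ProgramData\Bit9\Parity Agent'
    $agentDir
    'C:\Windows\System32\drivers\Parity.sys'
)
$wanted += 'Crawler.exe', 'Dascli.exe', 'Notifier.exe', 'Parity.exe', 'Timedoverride.exe' |
    ForEach-Object { Join-Path $agentDir $_ }

# Exclude only paths that exist on this endpoint, so no exclusion is left
# pointing at a location where the agent is not installed.
$present = @($wanted | Where-Object { Test-Path -LiteralPath $_ })

# Add whatever is not already configured (comparison is case-insensitive).
$current = @((Get-MpPreference).ExclusionPath)
$toAdd   = @($present | Where-Object { $_ -notin $current })
if ($toAdd.Count -gt 0) {
    Add-MpPreference -ExclusionPath $toAdd
}

# Audit: one row per path from the article, showing whether it exists on
# disk and whether Defender now lists it as excluded.
$after = @((Get-MpPreference).ExclusionPath)
foreach ($path in $wanted) {
    [pscustomobject]@{
        Path     = $path
        OnDisk   = $path -in $present
        Excluded = $path -in $after
    }
}
```

Where Defender exclusions are managed centrally (Group Policy or MDM), set them there instead; the audit loop at the end can still be run on its own to confirm the policy reached the endpoint.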