Yes, I have read:
What files and directories should I exclude from antivirus protection to ensure adequate file access for Orion products?
It states NOT TO EXCLUDE EXECUTABLE FILES, but then goes ahead and states to exclude all files (including executables) from
c:\Documents and Settings\All Users\Application Data\SolarWinds\
The above would only work for scheduled or sequential Antivirus scan of the hard drive. Also for excluding all scanning form the directory allows to a virus (or root-kit) to reside in the directory.
For correct Antivirus implementation following industry best practices, Real-time or OnAccess, or memory resident (scanning on each disk I/O request to the OS) scanning must be enabled. Both Microsoft and McAfee both discourage file/folder exclusions. Processes (EXE) and sub process and child processes will need to be classified or grouped, then any exclusions applied to that classification of groups explained in
McAfee KB55139: Understanding High-Risk, Low-Risk, and Default processes configuration and usage https://kc.mcafee.com/corporate/index?page=content&id=KB55139
For example, with memory resident scanning enabled classifying the Orion NPM/APM process (EXE) as say Low-Risk will do the following:
On start-up, the system or explorer.exe would start an Orion application binary (EXE), it would be scanned. Once the application binary (EXE) is loaded, exclusions fall into the Low-Risk grouping classifications exclusion lists (either excluding Read or Write scanning or exclude scanning in identified file/directory). If the Low-Risk classified application binary (EXE) calls for a separate EXE to load it would need also classified as "Low-risk" to receive the same treatment, otherwise any disk I/O request could be scanned.
Thank you for pointing out the error in the documentation.
Regarding updating how NPM works to better align with best practices. I've opened an internal bug case to track this request (FB104296), but unfortunately we have no immediate plans to change how this works. If there are other users who would like to see this, please post here so we can gauge the demand for this and prioritize appropriately.
Regarding updating how NPM works to better align with best practices. I've opened an internal bug case to track this request (FB104296), but unfortunately we have no immediate plans to change how this works.
Umm. Im not sure you understand. The request and susequent explanation is reguarding "what are the operating executables names used by NPM/APM?" Of the current product. ITs not a request to change the product nor even a request to document how your program internally operates nor coded, but to document your existing product on how it interacts with the operating system, particularly which executable binaries "filename.exe" that perform Disk I/O. If you change any of the excecutable names in any future bugfix or development then I would request you then state or document which changed.
I am only asking for executables that do Disk I/O that would be affected by a third party application, such as AntiVirus. But that is not limited to just AntiVirus. Certain Host Intrusion Prevention software require you specify what executable and port. Other Application "white listing" (such as Bit9) software only allow listed application binaries executables to run.
Since NPM & APM require full access into subnets to query/poll the monitored devices, firewalls have to be opened up (fairly wide open to do WMI). Most security minded profesionals will want to secure or lockdown those devices with access across the firewalls, especially those subnets that have access to sensitive data. Any malicious code or person obtaining access into the polling engine servers could use the poller as the beachhead (or jumppoint) into those systems with sensitive data.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.