3 Replies Latest reply on Feb 1, 2012 10:11 PM by mvjames

    What are the executables that NPM and APM uses?

    mvjames

      Yes, I have read:

      What files and directories should I exclude from antivirus protection to ensure adequate file access for Orion products?

      http://knowledgebase.solarwinds.com/kb/questions/2124/What+files+and+directories+should+I+exclude+from+antivirus+protection+to+ensure+adequate+file+access+for+Orion+products%3F

      It states NOT TO EXCLUDE EXECUTABLE FILES, but then goes ahead and states to exclude all files (including executables) from

      • c:\Documents and Settings\All Users\Application Data\SolarWinds\
      • c:\Program Files\SolarWinds\

The above would only work for a scheduled or sequential antivirus scan of the hard drive. Also, excluding all scanning from the directory allows a virus (or root-kit) to reside in the directory.

For correct antivirus implementation following industry best practices, real-time or on-access, or memory-resident (scanning on each disk I/O request to the OS) scanning must be enabled. Both Microsoft and McAfee discourage file/folder exclusions. Processes (EXE), sub-processes and child processes will need to be classified or grouped, then any exclusions applied to that classification of groups, as explained in

      McAfee KB55139: Understanding High-Risk, Low-Risk, and Default processes configuration and usage    https://kc.mcafee.com/corporate/index?page=content&id=KB55139

      For example, with memory resident scanning enabled classifying the Orion NPM/APM process (EXE) as say Low-Risk will do the following:

On start-up, the system or explorer.exe would start an Orion application binary (EXE); it would be scanned. Once the application binary (EXE) is loaded, exclusions fall into the Low-Risk grouping classification's exclusion lists (either excluding Read or Write scanning, or excluding scanning in an identified file/directory). If the Low-Risk classified application binary (EXE) calls for a separate EXE to load, it would also need to be classified as "Low-Risk" to receive the same treatment; otherwise any disk I/O request could be scanned.


        • Re: What are the executables that NPM and APM uses?
          pacetti

          mvjames,

          I've raised your concerns with PM and Development for their consideration and clarified our current exclusions in the knowledge base article you've referenced.

          Thank you,

            • Re: What are the executables that NPM and APM uses?
              mavturner

              mvjames,

              Thank you for pointing out the error in the documentation. 

Regarding updating how NPM works to better align with best practices, I've opened an internal bug case to track this request (FB104296), but unfortunately we have no immediate plans to change how this works. If there are other users who would like to see this, please post here so we can gauge the demand for this and prioritize appropriately.

              Thanks,

              Mav

                • Re: What are the executables that NPM and APM uses?
                  mvjames

Regarding updating how NPM works to better align with best practices, I've opened an internal bug case to track this request (FB104296), but unfortunately we have no immediate plans to change how this works.

Umm. I'm not sure you understand. The request and subsequent explanation is regarding "what are the operating executable names used by NPM/APM?" of the current product. It's not a request to change the product, nor even a request to document how your program internally operates or is coded, but to document your existing product on how it interacts with the operating system, particularly which executable binaries "filename.exe" perform disk I/O. If you change any of the executable names in any future bugfix or development, then I would request you then state or document which changed.


I am only asking for executables that do disk I/O that would be affected by a third-party application, such as antivirus. But that is not limited to just antivirus. Certain host intrusion prevention software requires you to specify which executable and port. Other application "white listing" software (such as Bit9) only allows listed application binaries (executables) to run.

Since NPM & APM require full access into subnets to query/poll the monitored devices, firewalls have to be opened up (fairly wide open to do WMI). Most security-minded professionals will want to secure or lock down those devices with access across the firewalls, especially those subnets that have access to sensitive data. Any malicious code or person obtaining access into the polling engine servers could use the poller as the beachhead (or jump point) into those systems with sensitive data.
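The thread asks for the list of executables that perform disk I/O so that a process-based antivirus classification (the "Low-Risk" grouping described in the first post, including child processes) or an application allow-list can be built instead of a blanket directory exclusion. The following PowerShell script is an added example written for this page; it is not SolarWinds' code and the vendor never published such a list here. It inventories every .exe on disk under the two directories the KB article names (plus C:\ProgramData\SolarWinds, the equivalent "All Users\Application Data" location on Windows Vista/2008 and later, which is an assumption added here), hashes them for allow-listing tools, and lists the currently running processes whose image path falls under those directories together with their parent process, since a child EXE must receive the same classification as its parent. Run it on the polling engine while NPM/APM are active so that on-demand child processes are captured; executables that only run during scheduled jobs will appear in the on-disk inventory but not in the running-process list.

```powershell
# Added example (not from the thread or SolarWinds): build an observed list of
# SolarWinds executables and their process tree for AV process classification
# or application allow-listing, instead of excluding whole directories.

$roots = @(
    'C:\Program Files\SolarWinds',                                      # from the KB article
    'C:\Documents and Settings\All Users\Application Data\SolarWinds',   # from the KB article (XP/2003 layout)
    'C:\ProgramData\SolarWinds'                                         # assumed equivalent on Vista/2008 and later
)

# 1. Every .exe present on disk under those roots, with a SHA256 for allow-listing tools.
$onDisk = foreach ($root in $roots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FullName
                    SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# 2. Running processes whose image lives under a root, with the parent image,
#    because the first post notes that a child EXE needs the same classification
#    as the EXE that launched it.
$procs = Get-CimInstance -ClassName Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[$p.ProcessId] = $p }

$running = foreach ($p in $procs) {
    $image = $p.ExecutablePath
    if (-not $image) { continue }                       # system/protected processes expose no path
    $underRoot = $roots | Where-Object { $image.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
    if ($underRoot) {
        $parent = $byId[$p.ParentProcessId]
        [pscustomobject]@{
            Pid        = $p.ProcessId
            Image      = $image
            ParentPid  = $p.ParentProcessId
            ParentPath = if ($parent -and $parent.ExecutablePath) { $parent.ExecutablePath } else { '<exited or unknown>' }
        }
    }
}

"== Executables on disk under SolarWinds directories =="
$onDisk  | Sort-Object Path  | Format-Table -AutoSize
"== Running SolarWinds processes and their parents =="
$running | Sort-Object Image | Format-Table -AutoSize
```

The on-disk list is what an allow-listing product needs (path plus hash); the running-process list is what a per-process AV classification needs, and the ParentPath column shows which launcher a child inherits its treatment from. Re-run the inventory after each product upgrade, since the hashes and possibly the executable names change, which is exactly the documentation gap the thread complains about.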