
What are the executables that NPM and APM uses?

Yes, I have read:

What files and directories should I exclude from antivirus protection to ensure adequate file access for Orion products?

knowledgebase.solarwinds.com/.../What files and directories should I exclude from antivirus protection to ensure adequate file access for Orion products?

It states NOT TO EXCLUDE EXECUTABLE FILES, but then goes ahead and states to exclude all files (including executables) from

    • c:\Documents and Settings\All Users\Application Data\SolarWinds\
    • c:\Program Files\SolarWinds\

The above would only work for a scheduled or sequential Antivirus scan of the hard drive. Also, excluding the directory from all scanning allows a virus (or rootkit) to reside in the directory.

For correct Antivirus implementation following industry best practices, Real-time, On-Access, or memory-resident (scanning on each disk I/O request to the OS) scanning must be enabled. Both Microsoft and McAfee discourage file/folder exclusions. Processes (EXE), sub-processes and child processes will need to be classified or grouped, then any exclusions applied to that classification of groups, as explained in

McAfee KB55139: Understanding High-Risk, Low-Risk, and Default processes configuration and usage    kc.mcafee.com/.../index

For example, with memory resident scanning enabled classifying the Orion NPM/APM process (EXE) as say Low-Risk will do the following:

On start-up, the system or explorer.exe would start an Orion application binary (EXE), and it would be scanned. Once the application binary (EXE) is loaded, exclusions fall into the Low-Risk grouping classification's exclusion lists (either excluding Read or Write scanning, or excluding scanning in an identified file/directory). If the Low-Risk classified application binary (EXE) calls for a separate EXE to load, it would also need to be classified as "Low-Risk" to receive the same treatment; otherwise any disk I/O request could be scanned.


  • mvjames,

    I've raised your concerns with PM and Development for their consideration and clarified our current exclusions in the knowledge base article you've referenced.

    Thank you,

  • mvjames,

    Thank you for pointing out the error in the documentation. 

    Regarding updating how NPM works to better align with best practices. I've opened an internal bug case to track this request (FB104296), but unfortunately we have no immediate plans to change how this works. If there are other users who would like to see this, please post here so we can gauge the demand for this and prioritize appropriately.

    Thanks,

    Mav

  • Regarding updating how NPM works to better align with best practices. I've opened an internal bug case to track this request (FB104296), but unfortunately we have no immediate plans to change how this works.

    Umm. I'm not sure you understand. The request and subsequent explanation is regarding "what are the operating executable names used by NPM/APM?" of the current product. It's not a request to change the product, nor even a request to document how your program internally operates or is coded, but to document your existing product and how it interacts with the operating system, particularly which executable binaries "filename.exe" perform Disk I/O. If you change any of the executable names in any future bugfix or development, then I would request you then state or document which changed.

    I am only asking for executables that do Disk I/O that would be affected by a third party application, such as AntiVirus. But that is not limited to just AntiVirus. Certain Host Intrusion Prevention software require you specify what executable and port. Other Application "white listing" (such as Bit9) software only allow listed application binaries executables to run.

    Since NPM & APM require full access into subnets to query/poll the monitored devices, firewalls have to be opened up (fairly wide open to do WMI). Most security-minded professionals will want to secure or lock down those devices with access across the firewalls, especially those subnets that have access to sensitive data. Any malicious code or person obtaining access into the polling engine servers could use the poller as the beachhead (or jump point) into those systems with sensitive data.
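The thread never gets the list it asks for, so here is an added example (not from SolarWinds or from any poster) of how an administrator can build that inventory on the poller itself: enumerate every EXE under the two directories quoted in the original post, record which of them are currently running and which image launched each one, and export the result for the AV process-classification list, a HIPS rule set, or an application whitelisting console. The directory paths are the ones from the post and are assumed to be the actual install locations; the parent-process column is what tells you which child EXEs need the same classification as the binary that spawned them.

```powershell
# Added example (not from the thread): inventory Orion executables and their
# running instances so a per-process AV/HIPS/whitelisting policy can be built
# instead of excluding whole directories from on-access scanning.
# Assumption: the default install paths quoted in the post; adjust as needed.

$orionDirs = @(
    'C:\Program Files\SolarWinds',
    'C:\Documents and Settings\All Users\Application Data\SolarWinds'
)

# Every executable on disk under the Orion directories
$exeOnDisk = foreach ($dir in $orionDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue
    }
}

# Running processes with their image path and parent PID, indexed by PID
$running = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath } |
    Select-Object ProcessId, ParentProcessId, ExecutablePath
$byPid = @{}
foreach ($p in $running) { $byPid[$p.ProcessId] = $p }

# One row per executable: hash for whitelisting, whether it is running,
# and the image(s) that started it (shows which parent spawns which child)
$report = foreach ($exe in $exeOnDisk) {
    $instances = $running | Where-Object { $_.ExecutablePath -ieq $exe.FullName }
    $parents = $instances | ForEach-Object {
        $parent = $byPid[$_.ParentProcessId]
        if ($parent) { $parent.ExecutablePath } else { "<pid $($_.ParentProcessId) exited>" }
    } | Sort-Object -Unique
    [pscustomobject]@{
        Executable  = $exe.FullName
        Sha256      = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
        Running     = [bool]$instances
        ParentImage = ($parents -join '; ')
    }
}

# Running binaries first; the CSV is what gets imported into the AV/HIPS console
$report | Sort-Object Running -Descending | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\orion-executables.csv"
```

Run it from an elevated prompt on the polling engine after the services have been up for a while, so short-lived helper processes have had a chance to appear; binaries that only run during a job will show Running = False on a quiet box and need a second pass during polling. Re-run it after each product upgrade and diff the CSV, since that is exactly the "which executable names changed" record the original poster is asking the vendor for.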