Excluding ObserveIT Processes from Antivirus Software
Some Antivirus programs detect executable files as unknown and block them by default. To avoid this, ObserveIT works with Antivirus vendors to permanently whitelist ObserveIT Agent executable files. If you have encountered blocking by your Antivirus software during installation of the ObserveIT Windows Agent, follow these guidelines.
Known security software conflicting with ObserveIT
- Cylance
- CrowdStrike
- Symantec Endpoint Security
- McAfee suite
- FireEye
- Windows Defender
- Windows Filtering Platform
Antivirus Software Supporting Whitelisting
If your Antivirus software supports the whitelisting of an entire directory including all its executable files, it is recommended to whitelist the root installation folder, as follows:
- For machines on which the Agent is installed, the default root installation folder is %Program Files%\ObserveIT\ObserveITAgent.
- For machines on which the Application Server is installed, the default root installation folder is:
  - C:\Program Files (x86)\ObserveIT (for 32-bit machines)
  - C:\Program Files\ObserveIT (for 64-bit machines).
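The folder-level whitelisting described above, shown for Microsoft Defender Antivirus (one of the products listed on this page) as an added example; this is not code from the ObserveIT documentation. It assumes the default installation folders given on the page (any other layout is passed with the hypothetical -Root parameter), refuses to exclude a folder that does not exist on the host, and reads back the resulting exclusion list together with Defender's configuration-change events so the change is visible in the audit trail. Run it in an elevated PowerShell session on the machine being configured.

```powershell
# Added example (not part of the ObserveIT documentation): folder-level whitelisting
# in Microsoft Defender Antivirus for the ObserveIT root installation folder.
# Assumptions: default installation paths as given on the page; pass -Root to override.

function Add-ObserveITFolderExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Agent', 'ApplicationServer')]
        [string]$Role,

        # Hypothetical override for non-default installation locations.
        [string]$Root
    )

    if (-not $Root) {
        $Root = switch ($Role) {
            'Agent' { Join-Path $env:ProgramFiles 'ObserveIT\ObserveITAgent' }
            'ApplicationServer' {
                # Page: C:\Program Files\ObserveIT on 64-bit, C:\Program Files (x86)\ObserveIT on 32-bit.
                if ([Environment]::Is64BitOperatingSystem) { Join-Path $env:ProgramFiles 'ObserveIT' }
                else { 'C:\Program Files (x86)\ObserveIT' }
            }
        }
    }

    # Never exclude a path that does not exist: an unscanned folder nothing uses
    # is space that could later be populated without the scanner looking at it.
    if (-not (Test-Path -LiteralPath $Root -PathType Container)) {
        throw "Installation folder '$Root' was not found on this host."
    }

    $existing = @((Get-MpPreference).ExclusionPath)
    if ($existing -contains $Root) {
        Write-Verbose "'$Root' is already excluded."
        return $Root
    }
    if ($PSCmdlet.ShouldProcess($Root, 'Add Defender path exclusion')) {
        Add-MpPreference -ExclusionPath $Root
    }
    return $Root
}

function Get-ObserveITExclusionState {
    # Current Defender path exclusions that mention ObserveIT, plus the most recent
    # configuration-change events (Event ID 5007) for review of who changed what.
    $paths = @((Get-MpPreference).ExclusionPath) | Where-Object { $_ -like '*ObserveIT*' }
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5007
    } -MaxEvents 5 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ObserveITExclusions = $paths
        RecentConfigChanges = $events | Select-Object TimeCreated, Message
    }
}

# Usage: preview the change, apply it, then verify.
Add-ObserveITFolderExclusion -Role Agent -WhatIf
Add-ObserveITFolderExclusion -Role Agent -Verbose
Get-ObserveITExclusionState | Format-List
```

Use -Role ApplicationServer on the server, where the page's 32-bit versus 64-bit folder rule is applied. The existence check and the 5007 event lookup are the two things worth keeping whatever product you use: an exclusion should only ever cover a path that is actually in use, and every change to the exclusion list should be traceable.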
Antivirus Software Not Supporting Whitelisting
If your Antivirus software does not support the whitelisting of entire folders, it is recommended that you exclude the following files from the Antivirus software:
ObserveIT Services
- %ProgramFiles%\ObserveIT\HealthMonitor\bin\ObserveIT.HealthMonitor.Service.exe
- %ProgramFiles%\ObserveIT\NotificationService\ObserveIT.WinService.exe
- %ProgramFiles%\ObserveIT\RuleEngineService\bin\ActivityAlerts.Service.exe
- %ProgramFiles%\ObserveIT\UserAnalytics\bin\ObserveIT.UserAnalytics.Service.exe
- %ProgramFiles%\ObserveIT\Web\ObserveIT\Registry\RegistryService.exe
- %ProgramFiles%\ObserveIT\Web\ObserveIT\Registry\Trace\*.log
- %ProgramFiles%\ObserveIT\Web\ObserveIT\Repository\RepositoryService.exe
- %ProgramFiles%\ObserveIT\Web\ObserveIT\Repository\VersionInserter.exe
- %ProgramFiles%\ObserveIT\Web\ObserveIT\Repository\Trace\*.log
ObserveIT Trace Log Files
- %ProgramFiles%\ObserveIT\Web\ObserveITApplicationServer\Trace\*.txt
- %ProgramFiles%\ObserveIT\Web\ObserveIT\Trace\*.txt
- %ProgramFiles%\ObserveIT\HealthMonitor\Trace\*.txt
- %ProgramFiles%\ObserveIT\NotificationService\Trace\ObserveITNotificationService_Trace.txt
- %ProgramFiles%\ObserveIT\RuleEngineService\Trace\*.txt
- %ProgramFiles%\ObserveIT\UserAnalytics\Trace\*.txt
- %ProgramFiles%\ObserveIT\ScreenshotsStorageOptimizer\Trace\*.txt
ObserveIT SIEM Integration Files
- %ProgramFiles%\ObserveIT\NotificationService\LogFiles\*.txt
Microsoft IIS and ASP.Net
- %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\CONFIG
- %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\CONFIG
- %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\Config
- %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Config
- %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files
- %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files
- %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files
- %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
- %SystemDrive%\Windows\System32\inetsrv\config
- %systemroot%\system32\inetsrv\w3wp.exe
- %systemroot%\SysWOW64\inetsrv\w3wp.exe
ObserveIT Website Categorization
- %ProgramFiles%\ObserveIT\WebsiteCat\Adapters\NetStar\db\sbin\gcf1service.exe
- %ProgramFiles%\ObserveIT\WebsiteCat\Adapters\NetStar\db\sbin\gcf1d.exe
- %ProgramFiles%\ObserveIT\WebsiteCat\Adapters\NetStar\db\bin\gcf1check.exe
- %ProgramFiles%\ObserveIT\WebsiteCat\Adapters\NetStar\db\bin\gcf1dbmng.exe
- %ProgramFiles%\ObserveIT\WebsiteCat\Adapters\NetStar\db\bin\gcf1report.exe
- %ProgramFiles%\ObserveIT\WebsiteCat\Adapters\NetStar\db\bin\gcf1tool.exe
- %ProgramFiles%\ObserveIT\WebsiteCat\WebsiteCat.Manager.exe
- %ProgramFiles%\ObserveIT\WebsiteCat\ObserveIT.LauncherService.exe
- %ProgramFiles%\ObserveIT\WebsiteCat\ObserveIT.UtilityLauncher.exe
File Share
- Exclude all files with the .screenshot extension (*.screenshot)
- Exclude the .txt and .html files in the following folders:
  - %Program Files%\ObserveIT\Web\V2\apis\auth\logs\
  - %Program Files%\ObserveIT\Web\V2\apis\activity\logs\
  - %Program Files%\ObserveIT\Web\V2\apis\registry\logs\
  - %Program Files%\ObserveIT\Web\V2\apis\task\logs\
  - %Program Files%\ObserveIT\Web\V2\apis\report;realm=observeit\logs\
  - %Program Files%\ObserveIT\Web\V2\apis\report;realm=observeit-analytics\logs\
SQL Server
- SQL Server executable:
  - %ProgramFiles%\Microsoft SQL Server\MSSQL<SQLVersion>.<Instance Name>\MSSQL\Binn\SQLServr.exe
- SQL Server data files:
  - *.mdf
  - *.ldf
  - *.ndf
- SQL Server backup files:
  - *.bak
  - *.trn
- Full-Text catalog files:
  - Default instance: %Program Files%\Microsoft SQL Server\MSSQL\FTDATA
  - Named instance: %Program Files%\Microsoft SQL Server\MSSQL$instancename\FTDATA
- Trace files:
  - *.trc (these files are generated either when you configure profiler tracing manually or when you enable C2 auditing for the server)
- SQL audit files (SQL Server 2008 or later versions):
  - *.sqlaudit
- SQL query files:
  - *.sql
Server Side – WebConsole
- %Program Files%\ObserveIT\Web\ObserveIT\Registry\RegistryService.exe
- %Program Files%\ObserveIT\Web\ObserveIT\Registry\Trace\*.log
- %Program Files%\ObserveIT\Web\ObserveIT\Repository\RepositoryService.exe
- %Program Files%\ObserveIT\Web\ObserveIT\Repository\VersionInserter.exe
- %Program Files%\ObserveIT\Web\ObserveIT\Repository\Trace\*.log
Server Side – AppServer
- %Program Files%\ObserveIT\Web\ObserveITApplicationServer\Registry\RegistryService.exe
- %Program Files%\ObserveIT\Web\ObserveITApplicationServer\Registry\Trace\*.log
- %Program Files%\ObserveIT\Web\ObserveITApplicationServer\Repository\RepositoryService.exe
- %Program Files%\ObserveIT\Web\ObserveITApplicationServer\Repository\VersionInserter.exe
- %Program Files%\ObserveIT\Web\ObserveITApplicationServer\Repository\Trace\*.log
Node.js
- %Program Files%\nodejs
  - Node.exe
  - Nodevars.bat
  - Npm
  - Npm.cmd
  - Npx
  - Npx.cmd
- %Program Files%\Nodejs\Node_modules\npm
- %Program Files%\iisnode
- %Program Files (x86)%\iisnode
ObserveIT Agent for Windows
The following are the files in the Program Files folder. The list below assumes a 64-bit Windows system. For 32-bit systems replace %ProgramFiles% with %ProgramFiles(x86)%.
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\ObserveIT.TaskMgrBlocker.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\ObserveIT.DesktopPerformance.ConfigurationBuilder.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\LauncherIntermediateProcess.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\bcplc.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\dlmonitor.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\rcdact.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\rcdcl.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\rcdsvc.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\settings.bin
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\svchostw.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\svcwtch.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\sm.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\smx64.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\FAM\EldosDriverUninstallProcess.exe
- %ProgramFiles%\OBSFAM
- %ProgramFiles%\ObserveIT\ObserveITAgent\Trace\*
The following driver files are also added when File Activity Monitoring is installed and might trigger an alert:
- %SystemRoot%\system32\drivers\cbfltfs4.sys
- %SystemRoot%\system32\drivers\famdrv.sys
Updater: Agent side for Windows
- %Program Files%\Windows Client Utility\Updater Utility\it-autoupdate-service.exe
- %Program Files%\Windows Client Utility\Updater Utility\logs\*.log
Additional Exclusions
Exclude the following ObserveIT storage folders from antivirus scanning:
- ObserveIT Hot Storage folder
- ObserveIT Warm Storage folder
- ObserveIT Archive folder
ObserveIT Agent for Windows
The following list assumes a 64-bit Windows system. For 32-bit systems replace %ProgramFiles% with %ProgramFiles(x86)%.
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\ObserveIT.TaskMgrBlocker.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\ObserveIT.DesktopPerformance.ConfigurationBuilder.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\LauncherIntermediateProcess.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\bcplc.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\dlmonitor.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\rcdact.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\rcdcl.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\rcdsvc.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\settings.bin
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\svchostw.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\svcwtch.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\sm.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\smx64.exe
- %ProgramFiles%\ObserveIT\ObserveITAgent\bin\FAM\EldosDriverUninstallProcess.exe
- %ProgramFiles%\OBSFAM
- %ProgramFiles%\ObserveIT\ObserveITAgent\Trace\*
- %ProgramFiles%\ObserveIT\Updater Utility\it-autoupdate-service.exe
- %ProgramFiles%\ObserveIT\Updater Utility\logs\*.log
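For antivirus software that only takes file-level exclusions, the lists above have to be entered one entry at a time. The following added example (not code from the ObserveIT documentation) takes entries written exactly as on this page, with the %ProgramFiles% placeholder and wildcards, applies the page's 32-bit substitution rule when asked, expands the placeholder to a concrete path, and adds only entries that resolve to something on disk as Microsoft Defender path exclusions. The entries in $AgentExclusions are a subset copied from the Agent list above to keep the block short; paste the full list you need. The function and parameter names are this example's own. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the ObserveIT documentation: convert page-style exclusion
# entries into Microsoft Defender path exclusions, skipping anything not on disk.
# Entries below are copied from the Agent list on the page (subset); extend as needed.

$AgentExclusions = @(
    '%ProgramFiles%\ObserveIT\ObserveITAgent\bin\rcdsvc.exe'
    '%ProgramFiles%\ObserveIT\ObserveITAgent\bin\svchostw.exe'
    '%ProgramFiles%\ObserveIT\ObserveITAgent\bin\svcwtch.exe'
    '%ProgramFiles%\ObserveIT\ObserveITAgent\bin\settings.bin'
    '%ProgramFiles%\ObserveIT\ObserveITAgent\Trace\*'
    '%ProgramFiles%\ObserveIT\Updater Utility\it-autoupdate-service.exe'
    '%ProgramFiles%\ObserveIT\Updater Utility\logs\*.log'
)

function Resolve-ExclusionEntry {
    param(
        [Parameter(Mandatory)][string]$Entry,
        # The page's rule: on 32-bit systems replace %ProgramFiles% with %ProgramFiles(x86)%.
        [switch]$Use32BitFolder
    )
    if ($Use32BitFolder) {
        $Entry = $Entry -replace '%ProgramFiles%', '%ProgramFiles(x86)%'
    }
    # Expand the placeholder here so the stored exclusion is a concrete path and does
    # not depend on how the antivirus service resolves environment variables later.
    return [Environment]::ExpandEnvironmentVariables($Entry)
}

function Add-ObserveITFileExclusions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Entries = $AgentExclusions,
        [switch]$Use32BitFolder
    )
    $current = @((Get-MpPreference).ExclusionPath)
    $added   = @()
    $skipped = @()

    foreach ($entry in $Entries) {
        $path = Resolve-ExclusionEntry -Entry $entry -Use32BitFolder:$Use32BitFolder

        # For wildcard entries (Trace\*, logs\*.log) check that the containing folder
        # exists; for plain files check the file itself. Missing items are reported,
        # not excluded, so the exclusion list never covers paths nothing uses.
        $probe = if ($path -match '\*') { Split-Path -Path $path -Parent } else { $path }
        if (-not (Test-Path -LiteralPath $probe)) {
            $skipped += $path
            continue
        }
        if ($current -contains $path) { continue }

        if ($PSCmdlet.ShouldProcess($path, 'Add Defender path exclusion')) {
            Add-MpPreference -ExclusionPath $path
            $added += $path
        }
    }

    [pscustomobject]@{
        Added           = $added
        SkippedNotFound = $skipped
    }
}

# Usage: preview with -WhatIf, then apply and review what was skipped.
Add-ObserveITFileExclusions -WhatIf
$result = Add-ObserveITFileExclusions
$result.SkippedNotFound | ForEach-Object { Write-Warning "Not present on this host, not excluded: $_" }
$result.Added
```

The skipped list is the useful output: an entry that is not present on a host usually means the component is not installed there, and adding the exclusion anyway would only widen the unscanned surface. Pass -Use32BitFolder to apply the substitution rule stated at the top of the Agent list.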
"No Label" Version
For security and stealth reasons, ObserveIT Windows Agent can be deployed with obfuscated names for all of its components.
If you have installed the "No Label" version of the Agent, you should use the names of the Windows Agent components installed in your organization.
To view the mapping of obfuscated names in the Windows Agent version installed in your organization, select the Agent Name Mapping option from the Help menu in the upper right corner of the ObserveIT Web Console. (See Agent Name Mapping.)