Excluding ObserveIT Processes from Antivirus Software

Some Antivirus programs detect executable files as unknown and block them by default. To avoid this, ObserveIT works with Antivirus vendors to permanently whitelist ObserveIT Agent executable files. If you have encountered blocking by your Antivirus software during installation of the ObserveIT Windows Agent, follow these guidelines.

Known security software conflicting with ObserveIT

  • Cylance
  • CrowdStrike
  • Symantec Endpoint Security
  • McAfee suite
  • FireEye
  • Windows Defender
  • Windows Filtering Platform

Antivirus Software Supporting Whitelisting

If your Antivirus software supports the whitelisting of an entire directory including all its executable files, it is recommended to whitelist the root installation folder, as follows:

  • For machines on which the Agent is installed, the default root installation folder is %Program Files%\ObserveIT\ObserveITAgent.

  • For machines on which the Application Server is installed, the default root installation folder is:

C:\Program Files (x86)\ObserveIT (for 32-bit machines)

C:\Program Files\ObserveIT (for 64-bit machines).

Antivirus Software Not Supporting Whitelisting

If your Antivirus software does not support the whitelisting of entire folders, it is recommended that you exclude the following files from the Antivirus software:

ObserveIT Services

  • %ProgramFiles%\ObserveIT\HealthMonitor\bin\ObserveIT.HealthMonitor.Service.exe
  • %ProgramFiles%\ObserveIT\NotificationService\ObserveIT.WinService.exe
  • %ProgramFiles%\ObserveIT\RuleEngineService\bin\ActivityAlerts.Service.exe
  • %ProgramFiles%\ObserveIT\UserAnalytics\bin\ObserveIT.UserAnalytics.Service.exe
  • %ProgramFiles%\ObserveIT\Web\ObserveIT\Registry\RegistryService.exe
  • %ProgramFiles%\ObserveIT\Web\ObserveIT\Registry\Trace\*.log
  • %ProgramFiles%\ObserveIT\Web\ObserveIT\Repository\RepositoryService.exe
  • %ProgramFiles%\ObserveIT\Web\ObserveIT\Repository\VersionInserter.exe
  • %ProgramFiles%\ObserveIT\Web\ObserveIT\Repository\Trace\*.log

ObserveIT Trace Log Files

  • %ProgramFiles%\ObserveIT\Web\ObserveITApplicationServer\Trace\*.txt
  • %ProgramFiles%\ObserveIT\Web\ObserveIT\Trace\*.txt
  • %ProgramFiles%\ObserveIT\HealthMonitor\Trace\*.txt
  • %ProgramFiles%\ObserveIT\NotificationService\Trace\ObserveITNotificationService_Trace.txt
  • %ProgramFiles%\ObserveIT\RuleEngineService\Trace\*.txt
  • %ProgramFiles%\ObserveIT\UserAnalytics\Trace\*.txt
  • %ProgramFiles%\ObserveIT\ScreenshotsStorageOptimizer\Trace\*.txt

ObserveIT SIEM Integration Files

  • %ProgramFiles%\ObserveIT\NotificationService\LogFiles\*.txt

Microsoft IIS and ASP.Net

  • %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\CONFIG
  • %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\CONFIG
  • %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\Config
  • %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Config
  • %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files
  • %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files
  • %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files
  • %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
  • %SystemDrive%\Windows\System32\inetsrv\config
  • %systemroot%\system32\inetsrv\w3wp.exe
  • %systemroot%\SysWOW64\inetsrv\w3wp.exe

ObserveIT Website Categorization

  • %ProgramFiles%\ObserveIT\WebsiteCat\Adapters\NetStar\db\sbin\gcf1service.exe
  • %ProgramFiles%\ObserveIT\WebsiteCat\Adapters\NetStar\db\sbin\gcf1d.exe
  • %ProgramFiles%\ObserveIT\WebsiteCat\Adapters\NetStar\db\bin\gcf1check.exe
  • %ProgramFiles%\ObserveIT\WebsiteCat\Adapters\NetStar\db\bin\gcf1dbmng.exe
  • %ProgramFiles%\ObserveIT\WebsiteCat\Adapters\NetStar\db\bin\gcf1report.exe
  • %ProgramFiles%\ObserveIT\WebsiteCat\Adapters\NetStar\db\bin\gcf1tool.exe
  • %ProgramFiles%\ObserveIT\WebsiteCat\WebsiteCat.Manager.exe
  • %ProgramFiles%\ObserveIT\WebsiteCat\ObserveIT.LauncherService.exe
  • %ProgramFiles%\ObserveIT\WebsiteCat\ObserveIT.UtilityLauncher.exe

File Share

  • Exclude all files that include *.screenshot
  • Exclude the following files with file type .txt or .html
    • %Program Files%\ObserveIT\Web\V2\apis\auth\logs\
    • %Program Files%\ObserveIT\Web\V2\apis\activity\logs\
    • %Program Files%\ObserveIT\Web\V2\apis\registry\logs\
    • %Program Files%\ObserveIT\Web\V2\apis\task\logs\
    • %Program Files%\ObserveIT\Web\V2\apis\report;realm=observeit\logs\
    • %Program Files%\ObserveIT\Web\V2\apis\report;realm=observeit-analytics\logs\

SQL Server

  • SQL Server executable:
    • %ProgramFiles%\Microsoft SQL Server\MSSQL<SQLVersion>.<Instance Name>\MSSQL\Binn\SQLServr.exe
  • SQL Server data files:
    • *.mdf
    • *.ldf
    • *.ndf
  • SQL Server backup files:
    • *.bak
    • *.trn
  • Full-Text catalog files
    • Default instance:
      • %Program Files%\Microsoft SQL Server\MSSQL\FTDATA
    • Named instance:
      • %Program Files%\Microsoft SQL Server\MSSQL$instancename\FTDATA
  • Trace files:
    • *.trc - these files can be generated either when you configure profiler tracing manually or when you enable C2 auditing for the server.
  • SQL audit files (for SQL Server 2008 or later versions):
    • *.sqlaudit
  • SQL query files:
    • *.sql

Server Side – WebConsole

  • %Program Files%\ObserveIT\Web\ObserveIT\Registry\RegistryService.exe
  • %Program Files%\ObserveIT\Web\ObserveIT\Registry\Trace\*.log
  • %Program Files%\ObserveIT\Web\ObserveIT\Repository\RepositoryService.exe
  • %Program Files%\ObserveIT\Web\ObserveIT\Repository\VersionInserter.exe
  • %Program Files%\ObserveIT\Web\ObserveIT\Repository \Trace\*.log

Server Side – AppServer

  • %Program Files%\ObserveIT\Web\ObserveITApplicationServer\Registry\RegistryService.exe
  • %Program Files%\ObserveIT\Web\ObserveITApplicationServer\Registry\Trace\*.log
  • %Program Files%\ObserveIT\Web\ObserveITApplicationServer\Repository\RepositoryService.exe
  • %Program Files%\ObserveIT\Web\ObserveITApplicationServer\Repository\VersionInserter.exe
  • %Program Files%\ObserveIT\Web\ObserveITApplicationServer\Repository\Trace\*.log

Node.js

  • %Program Files\nodejs
    • Node.exe
    • Nodevars.bat
    • Npm
    • Npm.cmd
    • Npx
    • Npx.cmd
  • %Program Files\Nodejs\Node_modules\npm
  • %Program Files\iisnode
  • %Program Files (x86)\iisnode

ObserveIT Agent for Windows

The following are the files in the Program Files folder. The list below assumes a 64-bit Windows system. For 32-bit systems replace %ProgramFiles% with %ProgramFiles(x86)%.

  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\ObserveIT.TaskMgrBlocker.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\ObserveIT.DesktopPerformance.ConfigurationBuilder.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\LauncherIntermediateProcess.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\bcplc.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\dlmonitor.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\rcdact.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\rcdcl.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\rcdsvc.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\settings.bin
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\svchostw.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\svcwtch.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\sm.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\smx64.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\FAM\EldosDriverUninstallProcess.exe
  • %ProgramFiles%\OBSFAM
  • %ProgramFiles%\ObserveIT\ObserveITAgent\Trace\*T
  • These files are also added when the File Activity Monitoring is installed and might trigger an alert.
    %SystemRoot%\system32\drivers\cbfltfs4.sys
    %SystemRoot%\system32\drivers\famdrv.sys

Updater: Agent side for Windows

  • %Program Files%Windows Client Utility\Updater Utility\it-autoupdate-service.exe
  • %Program Files%Windows Client Utility\Updater Utility\logs\*.log

Additional Exclusions

Exclude the following components/folders from antivirus/software scan:

  • ObserveIT Hot Storage folder
  • ObserveIT Warm Storage folder
  • ObserveIT Archive folder

ObserveIT Agent for Windows

The following list assumes a 64-bit Windows system. For 32-bit systems replace %ProgramFiles% with %ProgramFiles(x86)%.

  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\ObserveIT.TaskMgrBlocker.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\ObserveIT.DesktopPerformance.ConfigurationBuilder.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\LauncherIntermediateProcess.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\bcplc.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\dlmonitor.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\rcdact.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\rcdcl.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\rcdsvc.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\settings.bin
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\svchostw.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\svcwtch.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\sm.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\smx64.exe
  • %ProgramFiles%\ObserveIT\ObserveITAgent\bin\FAM\EldosDriverUninstallProcess.exe
  • %ProgramFiles%\OBSFA
  • %ProgramFiles%\ObserveIT\ObserveITAgent\Trace\*
  • %ProgramFiles%\ObserveIT\Updater Utility\it-autoupdate-service.exe
  • %ProgramFiles%\ObserveIT\Updater Utility\logs\*.log

"No Label" Version

For security and stealth reasons, ObserveIT Windows Agent can be deployed with obfuscated names for all of its components.

If you have installed the "No Label" version of the Agent, you should use the names of the Windows Agent components installed in your organization.

To view the mapping of obfuscated names in the Windows Agent version installed in your organization, select the Agent Name Mapping option from the Help menu in the upper right corner of the ObserveIT Web Console. (See Agent Name Mapping.)