WithSecure Policy Manager 16 AV with Active Directory Controllers
We got WithSecure Policy Manager 16. I'm building new AV rules for our soon-to-be-renewed Active Directory. Is WithSecure automatically compatible with MS's recommended folder and file bypasses for Active Directory Controllers?
If not, I need help to create rules. Here are the MS recommended bypass rules:
| Type | Path |
|---|---|
| File path | *\\Windows\\Security\\database\\*.log |
| File path | %allusersprofile%\NTUser.pol |
| File path | %SystemRoot%\ntfrs\jet\Ntfrs.jdb |
| File path | *\\Windows\\Security\\database\\*.sdb |
| File path | *\\Windows\\SoftwareDistribution\\Datastore\\*\\edb.chk |
| File path | *\\Windows\\Security\\database\\*.jrs |
| File path | %SystemRoot%\Ntds\Edb.chk |
| File path | %SystemRoot%\Ntds\Ntds.dit |
| File path | *\\Windows\\SoftwareDistribution\\Datastore\\*\\Res*.log |
| File path | %SystemRoot%\Ntds\Ntds.pat |
| File path | *\\Windows\\Ntds\\Res*.log |
| File path | *\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\*\\*.log |
| File path | *\\Windows\\SoftwareDistribution\\Datastore\\*\\Datastore.edb |
| File path | *\\%systemdrive%\\System Volume Information\\DFSR\\SimilarityTable_* |
| File path | *\\Windows\\ntfrs\\jet\\log\\*.log |
| File path | *\\Windows\\Ntds\\Edb*.jrs |
| File path | %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol |
| File path | %SystemRoot%\System32\GroupPolicy\User\Registry.pol |
| File path | *\\Windows\\SoftwareDistribution\\Datastore\\*\\edb*.log |
| File path | *\\Windows\\Security\\database\\*.chk |
| File path | *\\Windows\\ntfrs\\*.log |
| File path | %SystemRoot%\ntfrs\jet\sys\edb.chk |
| File path | *\\Windows\\Security\\database\\*.edb |
| File path | %SystemRoot%\System32\GroupPolicy\Registry.pol |
| File path | %SystemRoot%\Ntds\Temp.edb |
| File path | *\\Windows\\SoftwareDistribution\\Datastore\\*\\Edb*.jrs |
| File path | *\\Windows\\ntfrs\\jet\\log\\Edb*.jrs |
| File path | *\\Windows\\SoftwareDistribution\\Datastore\\*\\tmp.edb |
| File path | *\\Windows\\Ntds\\EDB*.log |
| Folder path | *\\%systemdrive%\\System Volume Information\\DFSR\\* |
| Folder path | *\\Windows\\SYSVOL_DFSR\\sysvol\\* |
| Folder path | *\\Windows\\System Volume Information\\DFSR\\* |
| Folder path | *\\Windows\\Sysvol_DFSR\\Domain\\* |
| Folder path | *\\windows\\sysvol\\domain\\* |
| Folder path | *\\Windows\\sysvol\\staging\\domain\\* |
| Folder path | *\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\* |
| Folder path | *\\%SystemRoot%\\sysvol\staging\\domain\\* |
| Folder path | *\\%SystemRoot%\Sysvol\Domain\\* |
Bonus question. Does Security Client use SYSTEM account rights when scanning files?
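As an added example (my own PowerShell, not code from the post above or from WithSecure), the script below takes the Microsoft rows from the table verbatim, normalises their notation (doubled backslashes, environment variables) into ordinary wildcard patterns, and then checks whether the NTDS database, its log files and the SYSVOL tree that this particular domain controller actually uses are covered by at least one row. The point is the caveat behind the MS list: the rows describe default locations, so a DC whose database or logs were moved (the locations live in the NTDS and Netlogon registry keys the script reads) ends up with exclusions that cover nothing. It also refuses to run on a host that is not a DC, matching the advice to scope these exclusions to the domain controller only. Assumptions: the registry value names under the NTDS and Netlogon `Parameters` keys are as written here, and rows that combine a leading `*\\` with a drive-qualified variable (`*\\%systemdrive%\\...`) are read as starting at the drive after expansion; that last part is my interpretation of the MS notation, not something the post states.

```powershell
# Added example, not from the original post or from WithSecure: verify that the
# Microsoft DC exclusion rows cover the paths this domain controller really uses.

# The rows from the table, verbatim (MS notation: doubled backslashes in glob rows).
$ExclusionRows = @'
*\\Windows\\Security\\database\\*.log
%allusersprofile%\NTUser.pol
%SystemRoot%\ntfrs\jet\Ntfrs.jdb
*\\Windows\\Security\\database\\*.sdb
*\\Windows\\SoftwareDistribution\\Datastore\\*\\edb.chk
*\\Windows\\Security\\database\\*.jrs
%SystemRoot%\Ntds\Edb.chk
%SystemRoot%\Ntds\Ntds.dit
*\\Windows\\SoftwareDistribution\\Datastore\\*\\Res*.log
%SystemRoot%\Ntds\Ntds.pat
*\\Windows\\Ntds\\Res*.log
*\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\*\\*.log
*\\Windows\\SoftwareDistribution\\Datastore\\*\\Datastore.edb
*\\%systemdrive%\\System Volume Information\\DFSR\\SimilarityTable_*
*\\Windows\\ntfrs\\jet\\log\\*.log
*\\Windows\\Ntds\\Edb*.jrs
%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol
%SystemRoot%\System32\GroupPolicy\User\Registry.pol
*\\Windows\\SoftwareDistribution\\Datastore\\*\\edb*.log
*\\Windows\\Security\\database\\*.chk
*\\Windows\\ntfrs\\*.log
%SystemRoot%\ntfrs\jet\sys\edb.chk
*\\Windows\\Security\\database\\*.edb
%SystemRoot%\System32\GroupPolicy\Registry.pol
%SystemRoot%\Ntds\Temp.edb
*\\Windows\\SoftwareDistribution\\Datastore\\*\\Edb*.jrs
*\\Windows\\ntfrs\\jet\\log\\Edb*.jrs
*\\Windows\\SoftwareDistribution\\Datastore\\*\\tmp.edb
*\\Windows\\Ntds\\EDB*.log
*\\%systemdrive%\\System Volume Information\\DFSR\\*
*\\Windows\\SYSVOL_DFSR\\sysvol\\*
*\\Windows\\System Volume Information\\DFSR\\*
*\\Windows\\Sysvol_DFSR\\Domain\\*
*\\windows\\sysvol\\domain\\*
*\\Windows\\sysvol\\staging\\domain\\*
*\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\*
*\\%SystemRoot%\\sysvol\staging\\domain\\*
*\\%SystemRoot%\Sysvol\Domain\\*
'@ -split "`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }

function Convert-ExclusionRow {
    param([string]$Row)
    # MS writes the glob rows with doubled backslashes; collapse them first.
    $p = $Row -replace '\\\\', '\'
    # Expand %SystemRoot%, %systemdrive%, %allusersprofile% for this host.
    $p = [Environment]::ExpandEnvironmentVariables($p)
    # Assumption (my reading of the list): a row such as *\\%systemdrive%\\... means
    # "anywhere on that drive", so after expansion drop the now-redundant "*\" prefix.
    $p = $p -replace '^\*\\(?=[A-Za-z]:\\)', ''
    return $p
}

function Test-Covered {
    param([string]$Path, [string[]]$Rows)
    # -like is case-insensitive and its * spans directory separators, which is
    # what the MS wildcard rows intend. Returns the first covering row, or $null.
    foreach ($row in $Rows) {
        if ($Path -like (Convert-ExclusionRow $row)) { return $row }
    }
    return $null
}

# Only a DC should carry these exclusions: DomainRole 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -lt 4) {
    Write-Warning 'This host is not a domain controller; DC exclusions do not belong here.'
    return
}

# Real locations come from the registry, not from the defaults the MS table assumes.
$ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$sysvol = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol
# Netlogon points at ...\SYSVOL\sysvol (a junction); the files live in the sibling "domain" tree.
$domainTree = Join-Path (Split-Path $sysvol -Parent) 'domain'

$candidates = @($ntds.'DSA Database file') +
    @(Get-ChildItem -Path $ntds.'DSA Working Directory', $ntds.'Database log files path' -File -ErrorAction SilentlyContinue).FullName +
    @(Get-ChildItem -Path $domainTree -Recurse -File -ErrorAction SilentlyContinue | Select-Object -First 50).FullName

foreach ($path in ($candidates | Where-Object { $_ } | Sort-Object -Unique)) {
    $hit = Test-Covered -Path $path -Rows $ExclusionRows
    if ($hit) { '{0,-70} covered by: {1}' -f $path, $hit }
    else      { Write-Warning "NOT covered: $path  (non-default location? add an explicit rule)" }
}
```

Run it once on the DC as an administrator before building the Policy Manager rules: every "NOT covered" line is a path that needs an explicit rule of its own, which is exactly the case the answer below points to when it says the list does not cover every file a DC uses.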
Best Answers
Dear @Jukka
Thank you for reaching out to the WithSecure Community.
I hope the below answer finds you well.
Ultralight is running under the System account.
Your list does not include all the mentioned files and folders, so we recommend adding those explicitly.
Additionally, we suggest applying these exclusions to the Server Security running on the domain controller and not excluding them on other hosts within the organization.