WithSecure Policy Manager 16 AV with Active Directory Controllers

Jukka · 2024-05-29T11:25:37+00:00

There was an error rendering this rich post.

We got WithSecure Policy Manager 16. I'm Building new AV rules for our soon to be renewed Active Directory. Is WithSecure automatically compatible with MS's recommended folder and file bypasses for Active Directory Controllers?

If not, I need help to create rules. Here are MS recommended bypass rules:

https://support.microsoft.com/en-au/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc

File path	\\Windows\\Security\\database\\.log
File path	%allusersprofile%\NTUser.pol
File path	%SystemRoot%\ntfrs\jet\Ntfrs.jdb
File path	\\Windows\\Security\\database\\.sdb
File path	\\Windows\\SoftwareDistribution\\Datastore\\\\edb.chk
File path	\\Windows\\Security\\database\\.jrs
File path	%SystemRoot%\Ntds\Edb.chk
File path	%SystemRoot%\Ntds\Ntds.dit
File path	\\Windows\\SoftwareDistribution\\Datastore\\\\Res*.log
File path	%SystemRoot%\Ntds\Ntds.pat
File path	\\Windows\\Ntds\\Res.log
File path	\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\\\*.log
File path	\\Windows\\SoftwareDistribution\\Datastore\\\\Datastore.edb
File path	\\%systemdrive%\\System Volume Information\\DFSR\\SimilarityTable_
File path	\\Windows\\ntfrs\\jet\\log\\.log
File path	\\Windows\\Ntds\\Edb.jrs
File path	%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol
File path	%SystemRoot%\System32\GroupPolicy\User\Registry.pol
File path	\\Windows\\SoftwareDistribution\\Datastore\\\\edb*.log
File path	\\Windows\\Security\\database\\.chk
File path	\\Windows\\ntfrs\\.log
File path	%SystemRoot%\ntfrs\jet\sys\edb.chk
File path	\\Windows\\Security\\database\\.edb
File path	%SystemRoot%\System32\GroupPolicy\Registry.pol
File path	%SystemRoot%\Ntds\Temp.edb
File path	\\Windows\\SoftwareDistribution\\Datastore\\\\Edb*.jrs
File path	\\Windows\\ntfrs\\jet\\log\\Edb.jrs
File path	\\Windows\\SoftwareDistribution\\Datastore\\\\tmp.edb
File path	\\Windows\\Ntds\\EDB.log

Folder path	\\%systemdrive%\\System Volume Information\\DFSR\\
Folder path	\\Windows\\SYSVOL_DFSR\\sysvol\\
Folder path	\\Windows\\System Volume Information\\DFSR\\
Folder path	\\Windows\\Sysvol_DFSR\\Domain\\
Folder path	\\windows\\sysvol\\domain\\
Folder path	\\Windows\\sysvol\\staging\\domain\\
Folder path	\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\
Folder path	\\%SystemRoot%\\sysvol\staging\\domain\\
Folder path	\\%SystemRoot%\Sysvol\Domain\\

Bonus question. Does Security Client use SYSTEM account rights when scanning files?

Find more posts tagged with

Accepted answers

Jukka

@JamesC Hi,

Thank for the swift answer. List is not complete for few reasons. For examble, we have DNS on Linux.

JamesC

Dear @Jukka

Thank you for reaching out to WithSecure Community.

I hope the below answer finds you well.

Ultralight is running under the System account.

Your list does not include all the mentioned files and folders, so we recommend adding those explicitly.

Additionally, we suggest applying these exclusions to the Server Security running on the domain controller and not excluding them on other hosts within the organization.

All comments