
WithSecure Policy Manager 16 AV with Active Directory Controllers

Jukka
Jukka W/ Member Posts: 17 Cyber Knight
edited May 29 in Business Suite

We got WithSecure Policy Manager 16. I'm building new AV rules for our soon-to-be-renewed Active Directory. Is WithSecure automatically compatible with MS's recommended folder and file bypasses for Active Directory Controllers?

If not, I need help creating rules. Here are the MS-recommended bypass rules:

https://support.microsoft.com/en-au/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc

File paths:

*\\Windows\\Security\\database\\*.log
%allusersprofile%\NTUser.pol
%SystemRoot%\ntfrs\jet\Ntfrs.jdb
*\\Windows\\Security\\database\\*.sdb
*\\Windows\\SoftwareDistribution\\Datastore\\*\\edb.chk
*\\Windows\\Security\\database\\*.jrs
%SystemRoot%\Ntds\Edb.chk
%SystemRoot%\Ntds\Ntds.dit
*\\Windows\\SoftwareDistribution\\Datastore\\*\\Res*.log
%SystemRoot%\Ntds\Ntds.pat
*\\Windows\\Ntds\\Res*.log
*\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\*\\*.log
*\\Windows\\SoftwareDistribution\\Datastore\\*\\Datastore.edb
*\\%systemdrive%\\System Volume Information\\DFSR\\SimilarityTable_*
*\\Windows\\ntfrs\\jet\\log\\*.log
*\\Windows\\Ntds\\Edb*.jrs
%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol
%SystemRoot%\System32\GroupPolicy\User\Registry.pol
*\\Windows\\SoftwareDistribution\\Datastore\\*\\edb*.log
*\\Windows\\Security\\database\\*.chk
*\\Windows\\ntfrs\\*.log
%SystemRoot%\ntfrs\jet\sys\edb.chk
*\\Windows\\Security\\database\\*.edb
%SystemRoot%\System32\GroupPolicy\Registry.pol
%SystemRoot%\Ntds\Temp.edb
*\\Windows\\SoftwareDistribution\\Datastore\\*\\Edb*.jrs
*\\Windows\\ntfrs\\jet\\log\\Edb*.jrs
*\\Windows\\SoftwareDistribution\\Datastore\\*\\tmp.edb
*\\Windows\\Ntds\\EDB*.log

Folder paths:

*\\%systemdrive%\\System Volume Information\\DFSR\\*
*\\Windows\\SYSVOL_DFSR\\sysvol\\*
*\\Windows\\System Volume Information\\DFSR\\*
*\\Windows\\Sysvol_DFSR\\Domain\\*
*\\windows\\sysvol\\domain\\*
*\\Windows\\sysvol\\staging\\domain\\*
*\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\*
*\\%SystemRoot%\\sysvol\staging\\domain\\*
*\\%SystemRoot%\Sysvol\Domain\\*

Bonus question. Does Security Client use SYSTEM account rights when scanning files?
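The KB822158 list mixes two notations (a leading `*\\` wildcard prefix versus an expanded `%SystemRoot%` variable, and doubled versus single backslashes), which makes it easy to end up with an exclusion set that misses a path the domain controller actually uses, or that is broader than intended. The following Python script is an added example, not code from the post or from WithSecure; it turns each pattern as pasted above into a regex and reports which real paths would be excluded from scanning and which would not. The environment values, the wildcard semantics (a `*` matches within one path component, a trailing `\*` covers a whole subtree, the leading `*\` is optional so the `*\%systemdrive%\...` entries still match), the sample paths and the `{GUID-PLACEHOLDER}` policy folder are all assumptions I constructed for the demonstration.

```python
import re
from typing import Iterable, List

# Constructed environment for a typical domain controller (assumption: Windows on C:).
# On a real host these values come from the machine's own environment variables.
ENV = {
    "systemroot": r"C:\Windows",
    "systemdrive": "C:",
    "allusersprofile": r"C:\ProgramData",
}

# A subset of the KB822158 patterns exactly as pasted in the question above.
KB_PATTERNS = [
    r"*\\Windows\\Security\\database\\*.log",
    r"%allusersprofile%\NTUser.pol",
    r"%SystemRoot%\Ntds\Ntds.dit",
    r"*\\Windows\\Ntds\\Res*.log",
    r"*\\Windows\\SoftwareDistribution\\Datastore\\*\\edb.chk",
    r"*\\%systemdrive%\\System Volume Information\\DFSR\\SimilarityTable_*",
    r"%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol",
    r"*\\windows\\sysvol\\domain\\*",
    r"*\\%SystemRoot%\\sysvol\staging\\domain\\*",
]


def pattern_to_regex(pattern: str, env: dict = ENV) -> re.Pattern:
    """Translate one KB822158-style exclusion pattern into a case-insensitive regex.

    Conventions assumed from the list as pasted (the KB page does not define them):
    a doubled and a single backslash both mean one separator; %VAR% is expanded
    from `env` by case-insensitive name; '*' matches within one path component;
    a leading '*' plus separator matches any drive or prefix and is optional;
    a trailing separator plus '*' on a folder pattern matches the whole subtree.
    """
    p = pattern.replace("\\\\", "\\")
    p = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), p)
    prefix = ""
    if p.startswith("*\\"):
        prefix = r"(?:[^\\]*\\)?"
        p = p[2:]
    suffix = ""
    if p.endswith("\\*"):
        suffix = r"\\.*"
        p = p[:-2]
    # Escape the literal pieces; each remaining '*' becomes "anything but a separator".
    body = r"[^\\]*".join(re.escape(part) for part in p.split("*"))
    return re.compile("^" + prefix + body + suffix + "$", re.IGNORECASE)


def matching_patterns(path: str, patterns: Iterable[str]) -> List[str]:
    """Return the patterns (in their original form) that would exclude `path` from scanning."""
    return [pat for pat in patterns if pattern_to_regex(pat).match(path)]


def is_excluded(path: str, patterns: Iterable[str]) -> bool:
    return bool(matching_patterns(path, patterns))


def uncovered_paths(paths: Iterable[str], patterns: Iterable[str]) -> List[str]:
    """Paths the DC actually uses that no pattern covers, e.g. an NTDS database that
    was placed on another volume at promotion time (the KB list assumes %SystemRoot%)."""
    return [p for p in paths if not is_excluded(p, patterns)]


if __name__ == "__main__":
    # Constructed sample paths from a DC whose NTDS database lives on D: (a common layout).
    sample_paths = [
        r"C:\Windows\NTDS\ntds.dit",
        r"D:\NTDS\ntds.dit",
        r"C:\Windows\Security\database\secedit.log",
        r"C:\Windows\SYSVOL\domain\Policies\{GUID-PLACEHOLDER}\Machine\Registry.pol",
        r"C:\Users\Public\report.log",
    ]
    for sp in sample_paths:
        print(f"{sp}: {matching_patterns(sp, KB_PATTERNS) or 'SCANNED'}")
    print("uncovered:", uncovered_paths(sample_paths, KB_PATTERNS))
```

Run it with the real paths from a DC (NTDS database and log folder, SYSVOL root, DFSR staging) and anything in `uncovered` is an entry that must be added or adjusted before the list is trusted; the matcher only checks coverage of the KB list against concrete paths, it does not claim to reproduce how Policy Manager itself parses a pattern. The folder entries under SYSVOL are deliberately broad, which is one more reason to scope these exclusions to the domain controllers' Server Security profile only, as the accepted answer advises.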

Best Answers

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 524 Moderator
    Solved

    Dear @Jukka

    Thank you for reaching out to WithSecure Community.

    I hope the below answer finds you well.

    Ultralight is running under the System account.

    Your list does not include all the mentioned files and folders, so we recommend adding those explicitly.

    Additionally, we suggest applying these exclusions to the Server Security running on the domain controller and not excluding them on other hosts within the organization.

  • Jukka
    Jukka W/ Member Posts: 17 Cyber Knight
    Solved

    @JamesC Hi,

    Thanks for the swift answer. The list is not complete for a few reasons. For example, we have DNS on Linux.