Recommended Anti-Virus and AppSense Exclusions

Version 2

    Verified Product Versions

    • AppSense Application Manager: 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, 10.0, 10.1
    • AppSense Environment Manager: 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 10.0, 10.1
    • AppSense Performance Manager: 8.0, 8.1, 8.2, 8.3, 10.0, 10.1
    • AppSense Management Center: 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 10.0, 10.1
    • AppSense DataNow: 3.6, 4.0, 4.1
    • AppSense Insight: 1.4, 10.0, 10.1

    Introduction

    This article covers best practice for AppSense exclusions and Anti-Virus products. It includes:

     

    • Excluding AppSense from 3rd Party Applications
      • AppSense Processes to Exclude
    • Preventing AppSense from Interacting with 3rd Party Applications
      • Application Manager Exclusions
      • Environment Manager Exclusions
      • Performance Manager Exclusions

     

    If Anti-Virus excludes are not in place on an endpoint, the symptoms can include (but are not limited to) the following:

     

    • Dead-locks on process requests;
    • Negative performance;
    • Application crashes;
    • Inconsistent behaviour;
    • Timing related/intermittent faults;
    • Blue screens

    Detail

    Excluding AppSense from 3rd Party Applications

     

    Depending on the AppSense products installed on an endpoint, it is advised to add the following processes to the Anti-Virus exclusion list(s).

     

    CAUTION: When using Symantec anti-virus products, if Tamper Protection is enabled in the environment please ensure that the Tamper exclusion list is also updated.

     

    AppSense Exclusion

     

    In order to exclude AppSense software from your Anti-Virus/security products there is an order of preference (where 1 is highest preference):

     

    1. Add the AppSense certificate (from a signed executable) as a "Trusted Vendor" in your Anti-Virus/security product;
    2. Add the full path to the executable as per the table below (e.g. "C:\Program Files\AppSense\Environment Manager\Agent\EmCoreService.exe"); OR
    3. Add the executable name only (e.g. "EmCoreService.exe")

     

    The process table list below is subject to change and is not finite. It contains the executable name to exclude along with the version it applies to (in square brackets).

                                                                                                                         

    | APPLICATION MANAGER        | ENVIRONMENT MANAGER       | PERFORMANCE MANAGER      | CCA                        | DataNow             | Insight            |
    |----------------------------|---------------------------|--------------------------|----------------------------|---------------------|--------------------|
    | AMAgent.exe [8.0+]         | EMAgent.exe [8.0]         | PMAgent.exe [8.0+]       | CCA.exe [8.0+]             | DataNow_Service.exe | InsightService.exe |
    | AMAgentAssist.exe [8.0+]   | EMAgentAssist.exe [8.0]   | PMAgentAssist.exe [8.0+] | WatchdogAgent.exe [8.0+]   |                     |                    |
    | AMMessageAssist.exe [8.0+] | EMNotify.exe [8.0]        | PMOptimizer.sys [8.0+]   | WatchdogAgent64.exe [8.0+] |                     |                    |
    | AMMiniFilter.sys [8.0+]    | EMCoreService.exe [8.1+]  | PMUserMem.sys [8.0+]     |                            |                     |                    |
    | AMFilterDriver.sys [8.0+]  | EMExit.exe [8.1+]         |                          |                            |                     |                    |
    | AsModLdr.sys [8.9+]        | EMLoggedOnUser.exe [8.1+] |                          |                            |                     |                    |
    | AMMessage.exe [8.0+]       | EMSystem.exe [8.1+]       |                          |                            |                     |                    |
    | AMAppLimits.exe            | EMUser.exe [8.1+]         |                          |                            |                     |                    |
    | AMOnDemand.exe [8.9+]      | EMUserLogoff.exe [8.1+]   |                          |                            |                     |                    |
    | AMProperties.exe [8.9+]    | EMDriver.sys [8.1+]       |                          |                            |                     |                    |
    | AMSystemControl.exe        | AsVfxLdr.sys [8.1-8.5]    |                          |                            |                     |                    |
    | AMUninstallAssist.exe      | AsModLdr.sys [8.6+]       |                          |                            |                     |                    |
    |                            | EmPsHost.exe [8.4+]       |                          |                            |                     |                    |

     

     

     

    AppSenseVirtual

     

    Please note that it is neither necessary nor recommended to add the APPSENSEVIRTUAL folder to your Anti-Virus exclusion list. The APPSENSEVIRTUAL folder [which defaults to "C:\APPSENSEVIRTUAL"] is the virtual cache used by Environment Manager Personalization to store users’ settings during the session. Although it is a hidden virtual cache, users and their personalized applications do have Read and Write access to their individual folders in it. To ensure adequate protection from malware, Anti-Virus solutions should monitor this location as it would the rest of the user’s profile.

     

    DataNow Exclusions

     

    Anti-Virus should be configured so that DataNow_Service.exe is defined as an excluded process (where possible). This means that the Anti-Virus software should not scan locations being accessed by the DataNow service. If the process is not correctly excluded, this can lead to Windows Explorer hangs, sync issues and other intermittent symptoms.

     

    An example of configuring these exclusions for McAfee can be found in the following KB: http://www.appsense.com/kb/160420072001309

     

    Please note that it is neither necessary nor recommended to add the DataNow folder or other DataNow managed locations to your general Windows Anti-Virus exclusion list. The DataNow folder is the offline cache used by DataNow to store users’ data. To ensure adequate protection from malware, Anti-Virus solutions should monitor this location as it would the rest of the user’s profile.

     

    For further information on configuring excludes for your 3rd party products, please refer to the documentation or online support of your application.
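
    The guidance above can be checked against an exported exclusion list. The following is an added example, not AppSense code: it ranks each entry by the order of preference given earlier and flags any entry that covers a folder the article says should stay scanned. The function name, parameter names and the sample list are constructed; the DataNow folder location is site-specific and has to be passed in.

```powershell
# Added example, not AppSense code. Classifies Anti-Virus exclusion entries
# against the article's guidance. Sample entries at the bottom are constructed.
function Test-AppSenseAvExclusion {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Exclusion,
        # Folders the article says should stay scanned. The default is the
        # article's stated default cache path; the DataNow folder location is
        # site-specific, so pass it in yourself.
        [string[]] $ProtectedFolder = @('C:\APPSENSEVIRTUAL')
    )
    foreach ($entry in $Exclusion) {
        $e = $entry.Trim().Trim('"')
        $preference = $null
        $finding = 'Review: not a recognised process exclusion'

        # Does the entry equal, or sit underneath, a protected folder?
        $protected = $ProtectedFolder | Where-Object {
            $root = $_.TrimEnd('\')
            $e -eq $root -or
            $e.StartsWith($root + '\', [System.StringComparison]::OrdinalIgnoreCase)
        }
        if ($protected) {
            $finding = 'Remove: this location should remain scanned'
        }
        elseif ($e -match '^[A-Za-z]:\\.+\.(exe|sys)$') {
            $preference = 2
            $finding = 'OK: full path to the executable'
        }
        elseif ($e -match '^[^\\/:]+\.(exe|sys)$') {
            $preference = 3
            $finding = 'Lowest preference: name only; prefer full path or Trusted Vendor'
        }
        [pscustomobject]@{ Entry = $e; Preference = $preference; Finding = $finding }
    }
}

# Constructed sample exclusion list (the first path is the article's own example).
$sample = @(
    'C:\Program Files\AppSense\Environment Manager\Agent\EmCoreService.exe',
    'EmCoreService.exe',
    'C:\APPSENSEVIRTUAL\*',
    'C:\Users'
)
Test-AppSenseAvExclusion -Exclusion $sample | Format-Table -AutoSize
```

    Certificate-based "Trusted Vendor" entries (preference 1) are configured in the Anti-Virus product itself and do not appear in a path list, so they are outside what this check can see.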

     

    Preventing AppSense from Interacting with 3rd Party Applications

     

    It may be deemed necessary to stop AppSense from injecting into or “hooking” a process. This works on the same principle as Anti-Virus injecting into processes and can display similar undesirable side effects.

     

    TIP: It is recommended that the exclusions are in place at boot time of the endpoint in order to prevent unexpected behaviour.

     

    Application Manager Exclusions

     

    Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\AppSense Technologies\Application Manager\DriverParameters\

     

    Responsible for excluding processes from Application Manager Legacy Filter Driver.

     

    Value Name: ExProcessNames

    Value Type: String (REG_SZ)

    Value Data: processname.exe drivername.sys processname.exe  (Case Sensitive and Space character delimited)

     

    If you are using Application Manager up to and including 8.7, the following registry entries need to be added where the Application Manager console is installed and used to edit the configuration requiring these settings.

     

    When they have been created in the registry the Administrator should open the current live configuration and save it again to the Management Center for deployment.

     

    By doing this, the registry keys are saved into the Application Manager configuration and are applied to the endpoint when the updated configuration is installed. On the machine where the Application Manager configuration is edited, the relevant values must be added under the following registry key:

     

    Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\AppSense Technologies\Application Manager\Engineering

     

    Responsible for excluding processes from the Application Network Access Control [ANAC] feature of Application Manager.

     

    Value Name: AppHookEx

    Value Type: REG_SZ

    Value Data: processname.exe;drivername.sys;processname.exe  (Semi-colon [;] delimited)

     

    Responsible for excluding processes from the User Rights Management [URM] feature in Application Manager.

     

    Value Name: UrmHookEx

    Value Type: REG_SZ

    Value Data: processname.exe;drivername.sys;processname.exe  (Semi-colon [;] delimited)

     

    Responsible for excluding processes from the Rights Discovery Management [RDM] feature in Application Manager.

     

    Value Name: RdmHookEx

    Value Type: REG_SZ

    Value Data: processname.exe;drivername.sys;processname.exe  (Case Sensitive and Semi-colon [;] delimited)

     

    Responsible for excluding processes from the Application Manager driver injection.

     

    Value Name: DriverHookEx

    Value Type: REG_SZ

    Value Data: processname.exe;drivername.sys;processname.exe  (Case Sensitive and Semi-colon [;] delimited)

     

    From Application Manager 8.8 the AppHookEx, UrmHookEx, and RdmHookEx options can be found in the Application Manager console under:

     

    • Manage > Advanced Settings > Custom Settings [tab] > Add [button]

     

    From Application Manager 8.9, the ExProcessNames and DriverHookEx values must be configured via 'Custom Settings'.

     

    NOTE: From Application Manager 8.9, there is a different place to change the exceptions for the Application Manager driver.

     

    AsModLdr Shared Driver Application Manager Exclusions

     

    Registry Key: HKEY_LOCAL_MACHINE\Software\AppSense\Application Manager\AsModLdr

     

    Responsible for allowing processes to be excluded from AsModLdr.sys.

     

    Value Name = Exceptions

    Value Type = REG_MULTI_SZ

    Value Data = Single process per line

     


     

    Environment Manager Exclusions

     

    The information below details where to add your process exclusions for 3rd party executables.

     

    These exclusions can be added directly into the registry on the agent endpoints, or via other methods such as through Environment Manager Policy configuration, via the start-up trigger or by Group Policies.

     

    NOTE: EM 8.4+ has default executables in these keys. It is advised to ensure these are all implemented along with any additional ones you add.

     

    CAUTION: If using Environment Manager Policy to add the exclusions to the endpoint, a reboot may be required, as the processes may already have launched before the exclusions have had a chance to be applied to the endpoint. This may not be a suitable configuration for non-persistent endpoints.

     

    Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\AppSense\Environment Manager

     

    Responsible for allowing processes to be excluded from EmDriver.sys (see "Environment Manager Engineering Setting - ProcessWhiteList (EmDriver.sys)" for more information).

     

     

    Value Name: ProcessWhiteList
    Value Type: REG_MULTI_SZ
    Value Data: Single process per line

    Registry Key: HKEY_LOCAL_MACHINE\Software\AppSense\AsVfxLdr

     

    Responsible for allowing processes to be excluded from Asvfxldr.sys (see "Environment Manager Engineering Setting - Exceptions (AsVfxLdr.sys)" for more information).

     

     

    Value Name = Exceptions
    Value Type = REG_MULTI_SZ
    Value Data = Single process per line

     

    NOTE: From Environment Manager 8.6, there is a different place to change the exceptions for the AsModLdr driver [formerly AsVfxLdr].

     


     

    AsModLdr Shared Driver Environment Manager Exclusions

     

    Registry Key: HKEY_LOCAL_MACHINE\Software\AppSense\Environment Manager\AsModLdr

     

    Responsible for allowing processes to be excluded from AsModLdr.sys.

     

     

    Value Name = Exceptions
    Value Type = REG_MULTI_SZ
    Value Data = Single process per line
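
    When these REG_MULTI_SZ values (ProcessWhiteList, Exceptions) are written by script, the entries already present, such as the EM 8.4+ defaults mentioned in the NOTE above, need to be kept. The following is an added example, not AppSense code, that appends to the list instead of overwriting it; the function name and the process name ExampleAvService.exe are constructed placeholders.

```powershell
# Added example, not AppSense code. Merges process names into a REG_MULTI_SZ
# exclusion value while keeping the entries that are already there.
function Add-MultiStringExclusion {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string]   $KeyPath,
        [Parameter(Mandatory = $true)] [string]   $ValueName,
        [Parameter(Mandatory = $true)] [string[]] $ProcessName
    )

    if (-not (Test-Path -LiteralPath $KeyPath) -and
        $PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # Read the current list; a missing key or value is treated as an empty list.
    $existing = @()
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { $existing = @($item.$ValueName) }

    # Existing entries first, in their original order; new names are appended.
    # Comparison is case-sensitive so differently cased entries are never merged.
    $merged = New-Object 'System.Collections.Generic.List[string]'
    foreach ($name in ($existing + $ProcessName)) {
        $trimmed = "$name".Trim()
        if ($trimmed -and -not $merged.Contains($trimmed)) { $merged.Add($trimmed) }
    }

    if ($PSCmdlet.ShouldProcess("$KeyPath -> $ValueName", "Write $($merged.Count) entries")) {
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType MultiString `
            -Value $merged.ToArray() -Force | Out-Null
    }
    $merged.ToArray()   # the list as it is (or would be) stored
}

# Dry run with a constructed process name; remove -WhatIf (elevated) to apply.
Add-MultiStringExclusion -KeyPath 'HKLM:\SOFTWARE\AppSense\Environment Manager' `
    -ValueName 'ProcessWhiteList' -ProcessName 'ExampleAvService.exe' -WhatIf
```

    The same call with -KeyPath 'HKLM:\SOFTWARE\AppSense\Environment Manager\AsModLdr' and -ValueName 'Exceptions' covers the AsModLdr value described above.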

     


     

    Performance Manager Exclusions

     

    Performance Manager differs from Application Manager and Environment Manager in that exclusions for the product are configured within the configuration applied to the endpoint.

     

    To configure excludes, launch the Performance Manager console and the excludes are then configured in two separate locations:

     

    • Global Resources > Memory Optimizer > Excluded Components; and
    • Global Resources > Memory Optimizer > Excluded Applications

     

    Add the required folder and process excludes, then save and deploy the updated configuration. It is recommended to add your Anti-Virus installation folder to these excludes.