Verifying Anti-Virus exclusions using a Process Monitor boot log

Version 4



    After configuring our recommended Anti-Virus exclusions using this document - Recommended Anti-Virus and AppSense Exclusions - you may want to verify that the exclusions are working as intended, and also see if there are any AV processes which you may have missed.


    This article will give you an example of how this can be done using a Process Monitor boot log, but please note the following:


    • This is only intended as a generic walk-through to show you how this might be achieved - the filters and techniques detailed in this guide may not work correctly in all scenarios.
    • This method is not guaranteed to show you all AV processes which need to be excluded, for example some AV processes may not exist throughout the lifetime of the machine. We would recommend contacting your AV vendor (or searching their KB) to determine a full list.
    • A Process Monitor boot log may not be the best way to check this in your scenario - the dll 'lower pane view' option within Process Explorer can also be used to inspect the dlls injected into Ivanti/AV processes, in addition to many other tools.


    Details on how to actually capture the boot log are outside the scope of this article, but can be found here - Capturing a logon with Process Monitor




    Part 1 - Finding Anti-Virus processes which are being injected by AppSense dlls


    With a small amount of filtering, you can narrow down the log file to only injections of AppSense dlls, while ignoring injections into Windows and other AppSense processes.


    The filter rules I have used in this example can be seen here:



    These rules serve the following purpose:


         INCLUDE - Operation is Load Image = This will show operations where an exe or dll is loaded into the memory space of a process.

         INCLUDE - Path contains appsense = The 'Path' column of each 'Load Image' operation shows the path of the image being loaded, so this rule will only include images from directories containing 'appsense' in the path.

         EXCLUDE - Image Path begins with c:\windows = The 'Image Path' column lists the full path to the process being loaded into, and AV processes generally sit in the 'Program Files' directories - so processes sitting under the c:\windows path are rarely relevant in this scenario.

         EXCLUDE - Image Path contains appsense = This will exclude the loading of AppSense dlls/exes into AppSense processes, which would otherwise result in a lot of noise in the log.


    Once you have applied these filter rules to the boot log you captured earlier, there should be a relatively small number of events left visible:



    At this point you will need to review the listed processes and determine which are related to AV. It may help to go to "Options > Select Columns" and enable the "Image Path" column.


    In this column you can often see the vendor name in the path, for example:




    Part 2 - Finding Anti-Virus dlls which are injecting into AppSense processes


    To determine which AV dlls are being injected into AppSense processes, the following filter rules can be used:




    These rules serve the following purpose:


         INCLUDE - Operation is Load Image = As seen earlier in this article, this will show operations where an exe or dll is injected into the memory space of a process.

         INCLUDE - Image Path contains appsense = This will include only processes which have the string 'appsense' within the path, which should be true of all relevant AppSense processes.

         EXCLUDE - Path contains appsense = In this scenario the 'Path' column will list the dll being loaded, so this rule will exclude any AppSense-specific dlls being loaded into these processes.

         EXCLUDE - Path begins with c:\windows = This will exclude any Windows dlls being loaded into these processes, as typically AV dlls will not exist in these locations.


    With these rules in place, you should again see a relatively small number of events:




    In most cases the AV product concerned should be evident by reviewing the "Path" column. From here you should review your Anti-Virus exclusions and ensure that all AppSense processes are excluded from your AV software, as per the following article - Recommended Anti-Virus and AppSense Exclusions.
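    As an added example (not the article's or Ivanti's own code), the following Python script replays both filter sets from Part 1 and Part 2 over a Process Monitor CSV export ("File > Save As" in CSV format, with the "Image Path" column selected before saving), so the same check can be repeated on each boot log without clicking through the GUI. The Procmon filter semantics it models (any matching Exclude rule wins; Include rules on the same column are OR'd, Include rules on different columns are AND'd), the "ExampleAV" vendor directory, the AppSense file names and every row of the sample export are assumptions constructed for illustration.

```python
# Added example (not part of the Ivanti article): replays the article's two
# Process Monitor filter sets over a CSV export of a boot log. The vendor
# directory, file names and the sample rows below are constructed.
import csv
import io
from collections import defaultdict


# A rule as Process Monitor expresses it: (column, relation, value, action).
# Only the relations used in the article are implemented. Procmon compares
# strings case-insensitively, so the matcher lower-cases both sides.
def _matches(rule, event):
    column, relation, value, _action = rule
    cell = event.get(column, "").lower()
    value = value.lower()
    if relation == "is":
        return cell == value
    if relation == "contains":
        return value in cell
    if relation == "begins with":
        return cell.startswith(value)
    raise ValueError(f"unsupported relation: {relation}")


def apply_filters(events, rules):
    """Return the events that survive a rule set.

    Procmon's filter semantics, as modelled here (assumption): any matching
    Exclude rule drops the event; Include rules on the same column are OR'd
    together, and Include rules on different columns are AND'd.
    """
    includes_by_column = defaultdict(list)
    excludes = []
    for rule in rules:
        if rule[3] == "Exclude":
            excludes.append(rule)
        else:
            includes_by_column[rule[0]].append(rule)
    kept = []
    for event in events:
        if any(_matches(r, event) for r in excludes):
            continue
        if all(any(_matches(r, event) for r in col_rules)
               for col_rules in includes_by_column.values()):
            kept.append(event)
    return kept


# Part 1: which non-AppSense, non-Windows processes get AppSense images loaded?
PART1_RULES = [
    ("Operation", "is", "Load Image", "Include"),
    ("Path", "contains", "appsense", "Include"),
    ("Image Path", "begins with", r"c:\windows", "Exclude"),
    ("Image Path", "contains", "appsense", "Exclude"),
]

# Part 2: which non-AppSense, non-Windows images are loaded into AppSense processes?
PART2_RULES = [
    ("Operation", "is", "Load Image", "Include"),
    ("Image Path", "contains", "appsense", "Include"),
    ("Path", "contains", "appsense", "Exclude"),
    ("Path", "begins with", r"c:\windows", "Exclude"),
]


def parse_procmon_csv(text):
    """Parse a Procmon 'Save As CSV' export (header row plus quoted fields)."""
    return list(csv.DictReader(io.StringIO(text)))


def av_processes_loading_appsense(events):
    """Part 1 result: distinct process executables (the 'Image Path' column)."""
    return sorted({e["Image Path"] for e in apply_filters(events, PART1_RULES)})


def foreign_dlls_in_appsense(events):
    """Part 2 result: distinct images (the 'Path' column) loaded into AppSense processes."""
    return sorted({e["Path"] for e in apply_filters(events, PART2_RULES)})


# Constructed sample export. "ExampleAV" stands in for a real vendor directory.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Image Path"
"9:00:01.0000000 AM","ExampleAVService.exe","1200","Load Image","C:\Program Files\AppSense\Example\ExampleHook.dll","SUCCESS","Image Base: 0x7ff800000000","C:\Program Files\ExampleAV\ExampleAVService.exe"
"9:00:01.0100000 AM","ExampleAVScan.exe","1300","Load Image","C:\Program Files\AppSense\Example\ExampleHook.dll","SUCCESS","Image Base: 0x7ff800000000","C:\Program Files\ExampleAV\ExampleAVScan.exe"
"9:00:01.0200000 AM","svchost.exe","800","Load Image","C:\Program Files\AppSense\Example\ExampleHook.dll","SUCCESS","Image Base: 0x7ff800000000","C:\Windows\System32\svchost.exe"
"9:00:01.0300000 AM","ExampleAgent.exe","1400","Load Image","C:\Program Files\AppSense\Example\ExampleCore.dll","SUCCESS","Image Base: 0x7ff800000000","C:\Program Files\AppSense\Example\ExampleAgent.exe"
"9:00:01.0400000 AM","ExampleAgent.exe","1400","Load Image","C:\Program Files\ExampleAV\ExampleAVHook.dll","SUCCESS","Image Base: 0x7ff800000000","C:\Program Files\AppSense\Example\ExampleAgent.exe"
"9:00:01.0500000 AM","ExampleAgent.exe","1400","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS","Image Base: 0x7ff800000000","C:\Program Files\AppSense\Example\ExampleAgent.exe"
"9:00:01.0600000 AM","ExampleAVService.exe","1200","RegQueryValue","HKLM\SOFTWARE\Example\Setting","SUCCESS","Type: REG_SZ","C:\Program Files\ExampleAV\ExampleAVService.exe"
'''

if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_CSV)
    print("Part 1 - processes loading AppSense images:")
    for path in av_processes_loading_appsense(events):
        print("  ", path)
    print("Part 2 - non-AppSense, non-Windows images loaded into AppSense processes:")
    for path in foreign_dlls_in_appsense(events):
        print("  ", path)
```

    Run against the constructed export, Part 1 reports the two "ExampleAV" executables and drops the svchost.exe and AppSense-agent rows, while Part 2 reports only ExampleAVHook.dll and drops both the AppSense dll and ntdll.dll; the registry event is dropped by the "Operation is Load Image" include rule in both sets. The same caveats the article gives for the GUI filters apply here: the rule sets only flag what was loaded during the captured boot, so confirm the vendor's full process list separately.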