Verifying Anti-Virus exclusions using a Process Monitor boot log

Version 2

    Introduction
    After configuring our recommended Anti-Virus exclusions using this document - Recommended Anti-Virus and AppSense Exclusions - you may want to verify that the exclusions are working as intended, and also see if there are any AV processes which you may have missed.
    This article will give you an example of how this can be done using a Process Monitor boot log, but please note the following:

    • This is only intended as a generic walk-through to show you how this might be achieved - the filters and techniques detailed in this guide may not work correctly in all scenarios.
    • This method is not guaranteed to show you all AV processes which need to be excluded, for example some AV processes may not exist throughout the lifetime of the machine. We would recommend contacting your AV vendor (or searching their KB) to determine a full list.
    • A Process Monitor boot log may not be the best way to check this in your scenario - the dll 'lower pane view' option within Process Explorer can also be used to inspect the dlls injected into Ivanti/AV processes, in addition to many other tools.
    Details on how to actually capture the boot log are outside the scope of this article, but can be found here - Capturing a logon with Process Monitor
    Detail
    Part 1 - Finding Anti-Virus processes which are being injected by AppSense dlls
    With a small amount of filtering, you can narrow down the log file to only injections of AppSense dlls, while ignoring injections into Windows and other AppSense processes.
    The filter rules I have used in this example can be seen here:

    [Image: filter1.jpg - the Process Monitor filter rules used in this example]

    These rules serve the following purpose:
         INCLUDE - Operation is Load Image = This will show operations where an exe or dll is injected into the memory space of a process.

         INCLUDE - Path contains appsense = The Path column of each 'Load Image' operation will show the path of the image being loaded, so this rule will only include images from directories containing 'appsense' in the path.

         EXCLUDE - Image Path begins with c:\windows = The 'Image Path' column lists the full path to the process being loaded into, and AV processes generally sit in the 'Program Files' directories - so processes sitting under the c:\windows path are rarely relevant in this scenario.

         EXCLUDE - Image Path contains appsense = This will exclude the loading of AppSense dlls/exes into AppSense processes, which would otherwise result in a lot of noise in the logs.


    Once you have applied these filter rules to the boot log you captured earlier, there should be a relatively small number of events left visible:

     

         results.jpg

    At this point you will need to review the listed processes and determine which are related to AV. It may help to go to "Options > Select Columns" and enable the "Image Path" column.
    In this column you can often see the vendor name in the path, for example:
    Part 2 - Finding Anti-Virus dlls which are injecting into AppSense processes
    To determine which AV dlls are being injected in to AppSense processes, the following filter rules can be used:

     

         results2.jpg

     

    These rules serve the following purpose:
         INCLUDE - Operation is Load Image = As seen earlier in this article, this will show operations where an exe or dll is injected into the memory space of a process.

         INCLUDE - Image Path contains appsense = This will include only processes which have the string 'appsense' within the path, which should be true of all relevant AppSense processes.

         EXCLUDE - Path contains appsense = In this scenario the 'Path' column will list the dll being loaded, so this rule will exclude any AppSense-specific dlls being loaded into these processes.

         EXCLUDE - Path begins with c:\windows = This will exclude any Windows dlls being loaded into these processes, as typically AV dlls will not exist in these locations.


    With these rules in place, you should again see a relatively small number of events:

    [Image: results3.jpg - the filtered events after applying the Part 2 rules]

    In most cases the AV product concerned should be evident from the "Path" column. From here you should review your Anti-Virus exclusions and ensure that all AppSense processes are excluded from your AV software, as per the following article - Recommended Anti-Virus and AppSense Exclusions.
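    The Part 1 and Part 2 filter sets above can also be replayed against a CSV export of the boot log (File > Save..., Comma-Separated Values in Process Monitor), which makes the review repeatable and easy to run over captures from several machines. The script below is an added example and is not part of the original article or any Ivanti/AppSense tool. It assumes the export's column headers match Procmon's default columns plus the optional "Image Path" column, that matching is case-insensitive as in Procmon's Filter dialog, and it runs on constructed sample rows in which "ExampleAV", the av*.exe processes and the Sample*.dll files are placeholder names, not real products or files.

```python
"""
Replay this article's two Process Monitor filter sets against a CSV export of
the boot log so the review can be repeated without rebuilding the Filter dialog.
"""
import csv
import io
import sys
from typing import Dict, Iterable, List

Row = Dict[str, str]

# Constructed sample rows in the shape of a Procmon CSV export; not a real
# capture.  Column headers are assumed to match Procmon's default columns plus
# the optional "Image Path" column (Options > Select Columns).  "ExampleAV",
# the av*.exe processes and the Sample*.dll files are placeholder names.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Image Path"
"09:00:01","explorer.exe","2104","Load Image","C:\Program Files\AppSense\Agent\SampleHook.dll","SUCCESS","","C:\Windows\explorer.exe"
"09:00:02","avscan.exe","1420","Load Image","C:\Program Files\AppSense\Agent\SampleHook.dll","SUCCESS","","C:\Program Files\ExampleAV\avscan.exe"
"09:00:02","avscan.exe","1420","Load Image","C:\Program Files\AppSense\Agent\SampleCore.dll","SUCCESS","","C:\Program Files\ExampleAV\avscan.exe"
"09:00:03","avsvc.exe","1488","Load Image","C:\Program Files\AppSense\Agent\SampleHook.dll","SUCCESS","","C:\Program Files\ExampleAV\avsvc.exe"
"09:00:04","SampleAgent.exe","1500","Load Image","C:\Program Files\AppSense\Agent\SampleCore.dll","SUCCESS","","C:\Program Files\AppSense\Agent\SampleAgent.exe"
"09:00:05","SampleAgent.exe","1500","Load Image","C:\Program Files\ExampleAV\avhook.dll","SUCCESS","","C:\Program Files\AppSense\Agent\SampleAgent.exe"
"09:00:05","SampleAgent.exe","1500","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","","C:\Program Files\AppSense\Agent\SampleAgent.exe"
"09:00:06","avscan.exe","1420","CreateFile","C:\Program Files\AppSense\Agent\SampleHook.dll","SUCCESS","","C:\Program Files\ExampleAV\avscan.exe"
'''


def contains(value: str, needle: str) -> bool:
    """Procmon's 'contains' test: substring match, case-insensitive."""
    return needle.lower() in value.lower()


def begins_with(value: str, prefix: str) -> bool:
    """Procmon's 'begins with' test: prefix match, case-insensitive."""
    return value.lower().startswith(prefix.lower())


def load_rows(text: str) -> List[Row]:
    """Parse CSV text into one dict per event, keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def part1_appsense_images_in_other_processes(rows: Iterable[Row]) -> List[Row]:
    """Part 1 filter set: AppSense images loaded into processes that are
    neither Windows components nor AppSense processes (the AV candidates)."""
    return [
        r for r in rows
        if r["Operation"] == "Load Image"                     # INCLUDE Operation is Load Image
        and contains(r["Path"], "appsense")                   # INCLUDE Path contains appsense
        and not begins_with(r["Image Path"], r"c:\windows")   # EXCLUDE Image Path begins with c:\windows
        and not contains(r["Image Path"], "appsense")         # EXCLUDE Image Path contains appsense
    ]


def part2_foreign_dlls_in_appsense_processes(rows: Iterable[Row]) -> List[Row]:
    """Part 2 filter set: non-Windows, non-AppSense images loaded into
    AppSense processes (typically AV hook dlls)."""
    return [
        r for r in rows
        if r["Operation"] == "Load Image"                     # INCLUDE Operation is Load Image
        and contains(r["Image Path"], "appsense")             # INCLUDE Image Path contains appsense
        and not contains(r["Path"], "appsense")               # EXCLUDE Path contains appsense
        and not begins_with(r["Path"], r"c:\windows")         # EXCLUDE Path begins with c:\windows
    ]


def unique_in_order(values: Iterable[str]) -> List[str]:
    """De-duplicate paths case-insensitively, keeping first-seen order: a boot
    log records one Load Image event per image per process, so one AV process
    loading several AppSense dlls should appear once in the review list."""
    seen, out = set(), []
    for v in values:
        key = v.lower()
        if key not in seen:
            seen.add(key)
            out.append(v)
    return out


def review_lists(text: str) -> Dict[str, List[str]]:
    """Return the two lists a reviewer compares against the AV exclusion list."""
    rows = load_rows(text)
    return {
        "av_processes": unique_in_order(r["Image Path"] for r in part1_appsense_images_in_other_processes(rows)),
        "foreign_dlls": unique_in_order(r["Path"] for r in part2_foreign_dlls_in_appsense_processes(rows)),
    }


if __name__ == "__main__":
    # Usage: python procmon_av_review.py Bootlog.csv   (falls back to the sample rows)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_CSV
    result = review_lists(text)
    print("Part 1 - processes loading AppSense images (check each is in the AV exclusions):")
    for p in result["av_processes"]:
        print("   ", p)
    print("Part 2 - non-Windows, non-AppSense dlls loaded into AppSense processes:")
    for p in result["foreign_dlls"]:
        print("   ", p)
```

    On the sample rows, Part 1 reduces eight events to two AV processes (explorer.exe is dropped by the c:\windows rule and the AppSense agent by the Image Path rule), and Part 2 leaves a single non-Windows dll loaded into the AppSense agent. A real boot log will be far larger, so the de-duplicated lists are what you compare against the vendor's exclusion list rather than the raw events.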