
Third-party Antivirus Exclusions Related to RSA NetWitness Endpoint 11.x

Issue

Third-party anti-virus products may not always co-exist with RSA NetWitness Endpoint agents. While RSA cannot advise you on configuration of third-party software, there are a few procedures that you can follow to reduce conflicts between RSA NetWitness Endpoint agents and third-party anti-virus software. This is intended as a general guideline and is not intended to replace consultation with the anti-virus vendor.

Tasks

For machines running the RSA NetWitness Endpoint agent:

The third-party software must whitelist the service and driver files that comprise the NetWitness Endpoint agent. By default, the service name is NWEAgent and the driver service name is NWEDriver, but service names can be modified when generating the agent packager. The third-party software should be configured to ignore C:\Windows\System32\ and C:\Windows\System32\Drivers\ XXXXX.sys (the numbers that are appended to the driver name will vary).

The RSA NetWitness Endpoint agent uses the directory C:\ProgramData\ \ for multiple purposes, including the staging of tracking data. RSA recommends that you configure the third-party anti-virus to ignore C:\ProgramData\ \* (using the appropriate service name) to avoid potential conflicts with third-party anti-virus products.
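Because the service names can be changed in the packager and the driver file name carries a varying numeric suffix, it helps to resolve the exact files on a given machine before writing exclusions, so that the exclusion covers only those files. The following PowerShell script is an added example, not RSA tooling: it looks up the image paths registered for the two services, checks that each file exists and reports its Authenticode status. The default names come from this article; the staging directory name (ProgramData plus the agent service name) is an assumption.

```powershell
# Added example (not RSA code). Lists the agent files on this machine so that
# anti-virus exclusions can be scoped to those exact paths.
param(
    [string]$AgentService  = 'NWEAgent',   # default per the article; the packager may rename it
    [string]$DriverService = 'NWEDriver'   # default per the article; the packager may rename it
)

function Resolve-ImagePath {
    param([string]$Raw)
    if (-not $Raw) { return $null }
    if ($Raw -match '^\s*"([^"]+)"') {
        $p = $Matches[1]                       # quoted path, arguments may follow
    } elseif ($Raw -match '^\s*(.+?\.(exe|sys))(\s|$)') {
        $p = $Matches[1]                       # unquoted path up to the first .exe/.sys
    } else {
        $p = $Raw.Trim()
    }
    $p = $p -replace '^\\\?\?\\', ''           # strip the NT prefix \??\
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$targets = @(
    @{ Role = 'Agent service'; Class = 'Win32_Service';      Name = $AgentService  }
    @{ Role = 'Agent driver';  Class = 'Win32_SystemDriver'; Name = $DriverService }
)

$report = @(foreach ($t in $targets) {
    $svc  = Get-CimInstance -ClassName $t.Class -Filter "Name='$($t.Name)'"
    $path = Resolve-ImagePath $svc.PathName
    $ok   = [bool]($path -and (Test-Path -LiteralPath $path))
    [pscustomobject]@{
        Role      = $t.Role
        Path      = $path
        Exists    = $ok
        Signature = if ($ok) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'n/a' }
    }
})

# Assumption: the staging directory under ProgramData is named after the agent service.
$dir = Join-Path $env:ProgramData $AgentService
$report += [pscustomobject]@{
    Role = 'Staging directory (assumed name)'; Path = $dir
    Exists = (Test-Path -LiteralPath $dir); Signature = 'n/a'
}

$report | Format-Table -AutoSize -Wrap
```

A row with `Exists` false or a `Signature` other than `Valid` is worth investigating before the path goes into an exclusion list.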

The following links may be helpful in excluding a file or folder from scans:
Symantec:  https://support.symantec.com/en_US/article.HOWTO80920.html
Sophos:  https://community.sophos.com/kb/en-us/116368
McAfee:  https://kc.mcafee.com/corporate/index?page=content&id=KB50998

Product Details

RSA Product Set: NetWitness Endpoint
RSA Product/Service Type: Agents
RSA Version/Condition: 11.x
Platform: Windows

Approval Reviewer Queue

RSA NetWitness Suite Approval Queue