Third-party Product Exclusions

Overview

This section gives general guidelines for creating exclusions in third-party endpoint security products so that they do not interfere with, or prevent, the normal operation of isolation. In practice this means excluding all isolation processes and binaries from the third-party product; to create the exclusions, refer to that product's documentation. Without exclusions, isolation initialization may fail, and browsing or opening untrusted documents may be slow or blocked.

To stop third-party products from interfering with isolation, create exclusions on the system so that isolation processes and binaries are whitelisted. In particular, create rules that whitelist the following isolation directories and files. Note that the two directories under %userprofile% are writable by the logged-on user, so a directory exclusion there also exempts anything that user (or code running as that user) drops into the folder; where the product supports it, prefer excluding the specific binaries listed under File Exclusions over whole directories.

Directories Exclusions

%userprofile%\AppData\LocalLow\Bromium
%userprofile%\AppData\Local\Bromium
%programfiles%\Bromium
%programdata%\Bromium

File Exclusions

Exclude the following files located in C:\Program Files\Bromium\vSentry\servers:

ax_installer.exe
BrAxService.exe
BrConsole.exe
BrDesktopConsole.exe
BrDownloadManager.exe
BrExeScanner.exe
BrHostDrvSup.exe
BrHostSvr.exe
BrInstaller.exe
BrInstallerPopup.exe
BrLauncher.exe
BrLogMgr.exe
BrManage.exe
BrNav.exe
BrPrintHelper.exe
BrProgressDialog.exe
BrRemoteManagement.exe
BrRemoteMgmtSvc.exe
BrReporter.exe
BrSecurityAlertInspector.exe
BrService.exe
BrStatusMonitor.exe
BrWinFile.exe
chrome.exe
dpinst.exe
firefox_.exe
getcaps.exe
HostPcapDump.exe

Exclude the following files located in C:\Program Files\Bromium\vSentry\bin:

Br-hostconfig.exe
Br-init-a.exe
Br-init-c.exe
Br-init-l.exe
Br-init-n.exe
Br-init-o.exe
Br-init-w.exe
Br-uxendm.exe
uxenctl.exe
uxenctx.exe
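The following PowerShell script is an added example, not Bromium's own tooling. It resolves the directory and file exclusions listed above on the local endpoint, reports which exist, and checks the Authenticode signature of every binary before it is whitelisted, so that an exclusion is never granted to a file that has been replaced or tampered with. It uses %ProgramW6432% rather than %ProgramFiles% so the 64-bit Program Files directory is found even from a 32-bit process (the same redirection problem the SEP note below describes). Run it from an elevated PowerShell prompt on the endpoint; the output file path under %TEMP% is the example's own choice.

```powershell
# Added example (not Bromium's own tooling): resolve the directory and file
# exclusions listed above on the local endpoint, report which exist, and check
# the Authenticode signature of every binary before it is whitelisted.

# %ProgramW6432% always points at the 64-bit Program Files, even from a 32-bit
# process; this sidesteps the %PROGRAMFILES% redirection issue noted for SEP.
$pf64 = if ($env:ProgramW6432) { $env:ProgramW6432 } else { $env:ProgramFiles }

$dirs = @(
    (Join-Path $env:USERPROFILE 'AppData\LocalLow\Bromium'),
    (Join-Path $env:USERPROFILE 'AppData\Local\Bromium'),
    (Join-Path $pf64 'Bromium'),
    (Join-Path $env:ProgramData 'Bromium')
)

$serverBins = 'ax_installer.exe','BrAxService.exe','BrConsole.exe','BrDesktopConsole.exe',
    'BrDownloadManager.exe','BrExeScanner.exe','BrHostDrvSup.exe','BrHostSvr.exe',
    'BrInstaller.exe','BrInstallerPopup.exe','BrLauncher.exe','BrLogMgr.exe','BrManage.exe',
    'BrNav.exe','BrPrintHelper.exe','BrProgressDialog.exe','BrRemoteManagement.exe',
    'BrRemoteMgmtSvc.exe','BrReporter.exe','BrSecurityAlertInspector.exe','BrService.exe',
    'BrStatusMonitor.exe','BrWinFile.exe','chrome.exe','dpinst.exe','firefox_.exe',
    'getcaps.exe','HostPcapDump.exe'
$binBins = 'Br-hostconfig.exe','Br-init-a.exe','Br-init-c.exe','Br-init-l.exe','Br-init-n.exe',
    'Br-init-o.exe','Br-init-w.exe','Br-uxendm.exe','uxenctl.exe','uxenctx.exe'

$root  = Join-Path $pf64 'Bromium\vSentry'
$files = @($serverBins | ForEach-Object { Join-Path $root "servers\$_" }) +
         @($binBins    | ForEach-Object { Join-Path $root "bin\$_" })

function Get-ExclusionReport {
    foreach ($d in $dirs) {
        [pscustomobject]@{ Kind = 'Dir'; Path = $d
                           Exists = (Test-Path -LiteralPath $d -PathType Container)
                           Signature = 'n/a'; Signer = '' }
    }
    foreach ($f in $files) {
        $exists = Test-Path -LiteralPath $f -PathType Leaf
        $status = 'n/a'; $signer = ''
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -FilePath $f
            $status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{ Kind = 'File'; Path = $f; Exists = $exists
                           Signature = $status; Signer = $signer }
    }
}

$report = Get-ExclusionReport
$report | Format-Table Kind, Exists, Signature, Path -AutoSize

# A binary that exists but is not validly signed should be investigated, not
# excluded: an exclusion switches off the one scan that would catch a tampered file.
$report | Where-Object { $_.Kind -eq 'File' -and $_.Exists -and $_.Signature -ne 'Valid' } |
    ForEach-Object { Write-Warning "Not validly signed: $($_.Path) ($($_.Signature))" }

# Plain list of the paths that actually exist, for pasting into a product's exclusion dialog.
$out = Join-Path $env:TEMP 'bromium-exclusions.txt'
$report | Where-Object Exists | Select-Object -ExpandProperty Path | Set-Content -LiteralPath $out
"Wrote $out"
```

Binaries that are absent are normal when the corresponding feature is not installed; a binary that is present with a signature status other than Valid is the case to stop on.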

Hardware Incompatibility

Software Incompatibility

Symantec Endpoint Protection

Symantec Endpoint Protection can be configured to block the execution of unknown processes on the system, which prevents br-uxendm.exe from launching when a user browses to an untrusted site or opens an untrusted document. Create policy exceptions in SEP that exclude either all isolation binaries or all isolation folders from the AV scan. For more information, see http://www.symantec.com/docs/HOWTO80920

  1. Log in to the SEPM and click Policies.
  2. Under View Policies, click Centralized Exceptions.
  3. Under Tasks, click Add a Centralized Exception policy. This creates and opens a new Centralized Exceptions Policy.
  4. In the left pane, click Centralized Exceptions.
  5. Click Add, hover the mouse over Windows Exceptions to display the menu, and select Folder.
  6. Check Include subfolders.
  7. Under Specify the type of scan that excludes this folder, select All.
  8. Whitelist the four directories listed under Directories Exclusions. The %programdata% directory can be entered using the built-in COMMON_APPDATA prefix.

Note: Do not use the built-in %PROGRAMFILES% prefix. Because the SEP client is a 32-bit application, that prefix always resolves to the 32-bit Program Files directory. Enter the explicit path (C:\Program Files\Bromium) instead.

SEP writes its logs to one of the following locations (the version number in the path depends on the installed build):

C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Logs

or

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Logs

You can also go to the View Logs tab in the SEP client UI.

McAfee Virus Scan / HIPS

For HIPS log locations, see https://kc.mcafee.com/corporate/index?page=content&id=KB72869

McAfee Host Intrusion Prevention injects into running processes on the system and can significantly degrade the performance of isolation. The following article describes how to exclude directories from the McAfee AV scan: https://kc.mcafee.com/corporate/index?page=content&id=KB50998

Either turn off Process Spoofing (uncheck Block) or exclude br-uxendm.exe from the process spoofing check. This is done in ePO under the Access Protection policy, then Anti-Virus Standard Protection: select Prevent Windows Process Spoofing and add the exclusion. When adding br-uxendm.exe to an existing exclusion list, separate entries with a comma, not a semicolon.

In some cases, excluding the four standard Bromium directories may not be enough, particularly if the administrator has raised the sensitivity level of the McAfee scan analyzer to medium-high (the default is low-medium). In that case, create exclusions for each of the Bromium processes listed in File Exclusions.

Digital Guardian

To avoid performance issues between Digital Guardian and isolation, configure the Digital Guardian resource file (PFF, process flag file) to whitelist all Bromium processes.

  1. In the Digital Guardian Management Console (DGMC), create a dynamic group (for example, "Bromium") and add the test system(s) to it.
  2. Update the current master PFF file to include the Bromium processes listed below.
  3. Apply the updated PFF file to the dynamic group created in step 1.
  4. Once the Digital Guardian agent has communicated with DGMC, verify on the test system that the updated PFF file includes all Bromium processes. The Digital Guardian configuration file prcsflgs.dat is in the C:\Program Files\DGAgent\ folder.

Note: If the Digital Guardian agent is running in stealth and/or tamper mode, you must terminate the agent before you can access this file.

Next, you may need to rewrite some Digital Guardian rules for network-operations tasks if these are implemented with Digital Guardian, for example network transfer upload or download (NTU/NTD). In this case, collect the information for these rules and contact Bromium Support.

Process flags used to whitelist Bromium processes:

Br-hostconfig.e,NI+NC+ND+NR+SK+TR
Br-init-a.exe,NI+NC+ND+NR+SK+TR
Br-init-b.exe,NI+NC+ND+NR+SK+TR
Br-init-c.exe,NI+NC+ND+NR+SK+TR
Br-init-l.exe,NI+NC+ND+NR+SK+TR
Br-init-m.exe,NI+NC+ND+NR+SK+TR
Br-init-n.exe,NI+NC+ND+NR+SK+TR
Br-init-p.exe,NI+NC+ND+NR+SK+TR
Br-init-w.exe,NI+NC+ND+NR+SK+TR
Br-uxendm.exe,NI+NC+ND+NR+SK+TR
kdd.exe,NI+NC+ND+NR+SK+TR
uxenctl.exe,NI+NC+ND+NR+SK+TR
uxendm.exe,NI+NC+ND+NR+SK+TR
vhd-util.exe,NI+NC+ND+NR+SK+TR
xenctx.exe,NI+NC+ND+NR+SK+TR
BrConsole.exe,NI+NC+ND+NR+SK+TR
BrDesktopConsol,NI+NC+ND+NR+SK+TR
BrDownloadManag,NI+NC+ND+NR+SK+TR
BrHostDrvSup.ex,NI+NC+ND+NR+SK+TR
BrHostSvr.exe,NI+NC+ND+NR+SK+TR
BrIEHelper.exe,NI+NC+ND+NR+SK+TR
BrIEHelper64.ex,NI+NC+ND+NR+SK+TR
BrInstaller.exe,NI+NC+ND+NR+SK+TR
BrInstallerPopu,NI+NC+ND+NR+SK+TR
BrLauncher.exe,NI+NC+ND+NR+SK+TR
BrLogMgr.exe,NI+NC+ND+NR+SK+TR
BrManage.exe,NI+NC+ND+NR+SK+TR
BrNav.exe,NI+NC+ND+NR+SK+TR
BrPolicy.exe,NI+NC+ND+NR+SK+TR
BrProgressDialo,NI+NC+ND+NR+SK+TR
BrRemoteManagem,NI+NC+ND+NR+SK+TR
BrRemoteMgmtSvc,NI+NC+ND+NR+SK+TR
BrReporter.exe,NI+NC+ND+NR+SK+TR
BrSecurityAlert,NI+NC+ND+NR+SK+TR
BrService.exe,NI+NC+ND+NR+SK+TR
BrStatusMonitor,NI+NC+ND+NR+SK+TR
BrWinFile.exe,NI+NC+ND+NR+SK+TR
getcaps.exe,NI+NC+ND+NR+SK+TR
BrDeprivilege.e,NI+NC+ND+NR+SK+TR
Autonomyhelper3,NI+NC+ND+NR+SK+TR
BrExeScanner.ex,NI+NC+ND+NR+SK+TR
dpinst.exe,NI+NC+ND+NR+SK+TR
HostPcapDump.ex,NI+NC+ND+NR+SK+TR

You can verify the exclusions list in Digital Guardian configuration file prcsflgs.dat in the C:\Program Files\DGAgent\ folder.
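The following PowerShell script is an added example, not Digital Guardian or Bromium tooling. It checks a PFF in the "name,FLAG+FLAG" text form shown above against the list of Bromium processes and reports entries that are missing or that lack one of the six flags. It assumes the master PFF you edit in DGMC is available as plain text lines; the deployed prcsflgs.dat on the endpoint is treated as opaque here. Because entries in the list are truncated to 15 characters (BrDesktopConsol, BrHostDrvSup.ex), full image names are truncated the same way before comparison, so the check also works when you pass the full names from File Exclusions. The sample lines at the end are constructed for the demonstration.

```powershell
# Added example (not Digital Guardian or Bromium tooling): verify that a PFF in
# the "name,FLAG+FLAG" text form carries every Bromium entry with the full flag set.
# Assumption: the master PFF is available as plain text lines; prcsflgs.dat is not parsed.

$RequiredFlags = 'NI','NC','ND','NR','SK','TR'
$RequiredProcesses = @(
    'Br-hostconfig.e','Br-init-a.exe','Br-init-b.exe','Br-init-c.exe','Br-init-l.exe',
    'Br-init-m.exe','Br-init-n.exe','Br-init-p.exe','Br-init-w.exe','Br-uxendm.exe',
    'kdd.exe','uxenctl.exe','uxendm.exe','vhd-util.exe','xenctx.exe','BrConsole.exe',
    'BrDesktopConsol','BrDownloadManag','BrHostDrvSup.ex','BrHostSvr.exe','BrIEHelper.exe',
    'BrIEHelper64.ex','BrInstaller.exe','BrInstallerPopu','BrLauncher.exe','BrLogMgr.exe',
    'BrManage.exe','BrNav.exe','BrPolicy.exe','BrProgressDialo','BrRemoteManagem',
    'BrRemoteMgmtSvc','BrReporter.exe','BrSecurityAlert','BrService.exe','BrStatusMonitor',
    'BrWinFile.exe','getcaps.exe','BrDeprivilege.e','Autonomyhelper3','BrExeScanner.ex',
    'dpinst.exe','HostPcapDump.ex'
)

function ConvertTo-PffName([string]$ImageName) {
    # The PFF keeps only the first 15 characters of an image name.
    if ($ImageName.Length -gt 15) { $ImageName.Substring(0, 15) } else { $ImageName }
}

function Test-PffEntries {
    param(
        [string[]]$PffLines,
        [string[]]$Processes = $RequiredProcesses,
        [string[]]$Flags     = $RequiredFlags
    )
    # Index the file: truncated name -> list of flags (hashtable keys are case-insensitive).
    $index = @{}
    foreach ($raw in $PffLines) {
        $line = "$raw".Trim()
        if (-not $line -or $line.StartsWith('#')) { continue }
        $name, $flagText = $line -split ',', 2
        $flags = @("$flagText" -split '\+' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $index[(ConvertTo-PffName $name.Trim())] = $flags
    }
    foreach ($p in $Processes) {
        $key = ConvertTo-PffName $p
        if (-not $index.ContainsKey($key)) {
            [pscustomobject]@{ Process = $p; Status = 'MISSING'; Flags = '' }
            continue
        }
        $missing = @($Flags | Where-Object { $_ -notin $index[$key] })
        [pscustomobject]@{
            Process = $p
            Status  = if ($missing.Count) { 'MISSING FLAGS ' + ($missing -join '+') } else { 'ok' }
            Flags   = $index[$key] -join '+'
        }
    }
}

# Real use (path is yours):  Test-PffEntries -PffLines (Get-Content 'C:\path\to\master.pff')
# Constructed sample: one complete entry, one with NR dropped, one process absent entirely.
$sample = @(
    'Br-uxendm.exe,NI+NC+ND+NR+SK+TR',
    'BrDesktopConsol,NI+NC+ND+SK+TR',
    'BrService.exe,NI+NC+ND+NR+SK+TR'
)
Test-PffEntries -PffLines $sample -Processes 'Br-uxendm.exe','BrDesktopConsole.exe','BrService.exe','BrIEHelper64.exe' |
    Format-Table -AutoSize
```

Run it without -Processes to check the whole list above; any row whose Status is not ok is an entry to fix in the master PFF before it is pushed to the dynamic group.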

Digital Guardian Agent can be configured for stealth and tamper mode. If the performance issue continues even with exclusions done as described above, perform the following steps:

  1. Terminate Digital Guardian.
  2. Disable all Digital Guardian drivers if performance issues continue, even after terminating Digital Guardian.

BeyondTrust PowerBroker

PowerBroker for Windows allows privilege management by removing or enforcing administrative privileges from users, maintaining application access control, or simply logging privileged activities.

The following exclusions must be added to the PowerBroker product:

c:\Program Files\Bromium\vSentry

c:\ProgramData\Bromium\vSentry

PowerBroker can also be configured with exception rules under which any user request is elevated; in that configuration, files that invoke a UAC prompt cannot be trusted by isolation.

To fix this issue, remove UAC from the trust file function using the File types requiring administrative privilege to trust documents policy option in the controller.

Citrix Receiver Internet Explorer Plug-in

The Citrix Receiver plug-in causes a lengthy delay when new uVMs are launched in the browser. Once the original delay has occurred, continuous browsing of that TLD appears normal. With each new TLD, the delay is repeated.

To resolve this issue, disable (or uninstall) the Internet Explorer plug-in in the Internet Options > Manage Add-ons window.

Trend Micro OfficeScan

Exclusions for the Bromium directories and VolumeShadowCopy files can be applied to Trend Micro OfficeScan to improve initialization times and general machine performance. To do this:

  1. Log in to the OfficeScan management console.
  2. Open the agent tree. The menu path depends on the OfficeScan version: click Networked Computers > Client Management (older versions) or Agents > Agent Management (newer versions), then select the server or workgroup that contains the isolation endpoints.
  3. Click Settings > Scan Settings > Real-time Scan Settings (or right-click the server or workgroup and choose the same path).
  4. On the Target tab, in the Scan Exclusion List (Directories) area, enter C:\Program Files\Bromium|C:\ProgramData\Bromium|C:\Users\*\AppData\LocalLow\Bromium|C:\Users\*\AppData\Local\Bromium, then click Add.
  5. Click Apply to All Clients to save the changes.

Confirm these exclusions are in place on the endpoint by checking the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration

When both Dell Credant Data Protection and the Trend Micro OfficeScan client are installed and running, users may experience hangs or system unresponsiveness. This occurs when Trend Micro scan engine threads are intercepted by Credant's CMGShCEF.sys driver and vice versa, creating an excessive number of scan threads on the system. To resolve this:

  1. On the OfficeScan server, open the PCCSRV\ofcscan.ini file and add the following lines in the [Global Setting] section:
[Global Setting]
RegCount=2
Reg1.Description=VSAPI CFI Flag
Reg1.Key=!CRYPT!84037165B03F2E61D3212DF0527D84E8D56F1B04DE3093DD8464D3D7B7DAD3655E4A6B732387EC7A53F5397320C19AAD0FF52CDD44D4D77B58B2B730BA6EFB93C2B4B017734!20BD3D21041E625215008B3EDC4EB4F18451774653F
Reg1.Value=1
Reg2.Description=VSAPI SecI Flag
Reg2.Key=!CRYPT!840FEA4427D119052DE12DF0527D84E8D56F1B04DE3093DD8464D3D7B7DAD3655E4A6B732387EC7A53F5397320C19AAD0FF52CDD44D4D77B58B2B730BA6EFB93C2B4B017B30!20CD3D21041E6252150E2BFE035151A93815E17006C
Reg2.Value=5
  2. Log in to the OfficeScan web console and go to the Networked Computers > Global Client Settings tab. Click Save to deploy the settings to OfficeScan clients.
  3. Connect to one of the OfficeScan client computers and ensure that the following registry entries have been created:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TmFilter\Parameters]
"CFI"=dword:00000001
"SecI"=dword:00000005
  4. Reboot the system and verify the result.
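The following PowerShell script is an added example, not Trend Micro tooling, covering both verification steps above: it checks on an OfficeScan endpoint that the Bromium directory exclusions reached the real-time scan configuration, and that the TmFilter CFI/SecI parameters from the Credant workaround are in place. The page does not name the registry value that holds directory exclusions under Real Time Scan Configuration, and it differs between versions, so the script searches every string value under that key for the expected paths rather than assuming a value name.

```powershell
# Added example (not Trend Micro tooling): verify the OfficeScan real-time scan
# exclusions and the TmFilter CFI/SecI flags on an endpoint. Run elevated.

$rtsKey    = 'HKLM:\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration'
$filterKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TmFilter\Parameters'
$expected  = 'C:\Program Files\Bromium', 'C:\ProgramData\Bromium',
             'C:\Users\*\AppData\LocalLow\Bromium', 'C:\Users\*\AppData\Local\Bromium'

function Test-OfficeScanExclusions {
    if (-not (Test-Path -LiteralPath $rtsKey)) {
        Write-Warning "Key not found (OfficeScan agent not installed?): $rtsKey"
        return
    }
    # Flatten every string or multi-string value under the key; the console joins
    # directories with '|', so split on that as well as on the usual separators.
    $entries = (Get-ItemProperty -LiteralPath $rtsKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and ($_.Value -is [string] -or $_.Value -is [string[]]) } |
        ForEach-Object { $_.Value -split '[|;\r\n]' } |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
    foreach ($path in $expected) {
        # -contains is a literal, case-insensitive comparison; the '*' is not expanded.
        [pscustomobject]@{ Exclusion = $path; Present = [bool]($entries -contains $path) }
    }
}

function Test-TmFilterFlags {
    $p = Get-ItemProperty -LiteralPath $filterKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CFI  = $p.CFI;  CFI_Ok  = ($p.CFI  -eq 1)
        SecI = $p.SecI; SecI_Ok = ($p.SecI -eq 5)
    }
}

Test-OfficeScanExclusions | Format-Table -AutoSize
Test-TmFilterFlags        | Format-Table -AutoSize
```

A row with Present = False after Apply to All Clients usually means the agent has not yet pulled the policy; a CFI_Ok or SecI_Ok of False after the Global Client Settings save means the ofcscan.ini change did not deploy.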

Additionally, you can exclude Dell's working directories and file extension in the OfficeScan Realtime Scan Settings:

[Folder Exclusion]
C:\Program Files\Dell
C:\Windows\CSC\v2.0.6\namespace
[File Exclusion]
*.CEF

Dell Data Protection

Dell Data Protection is a third-party disk encryption product that may experience faulty behavior with hardlinks. To avoid this, exclude the ProgramData\Bromium\vSentry folder from encrypted folder lists. Check C:\ProgramData\CREDANT\CMGShield.log to verify that the isolation folders are excluded.

Avecto Privilege Guard

Avecto Privilege Guard may cause errors with Internet Explorer and Chrome. To avoid this, locate or create a multi-string value named HookExclusions in the registry key for your platform:

Win7 32bit - HKEY_LOCAL_MACHINE\SOFTWARE\Avecto\Privilege Guard Client
Win7 64bit - HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Avecto\Privilege Guard Client

For the value, add the Bromium directories (C:\Program Files\Bromium and c:\ProgramData\Bromium) separated by a semicolon.

Also configure the isolation policy so that UAC (administrator permission) prompts do not become an issue.

To create exclusions for Avecto using GPO:

  1. In the Avecto Privilege Guard MMC snap-in, navigate to Computer Configuration > Policies.
  2. Right-click Privilege Guard Settings and select Advanced Agent Settings.
  3. Select 64-bit Agent Values from the Edit drop-down menu.
  4. Click Add Value and name it HookExclusions.
  5. Select Multi-String in the Type column.
  6. Click in the Value Data column. In the Value Data field, add the Bromium paths (c:\Program Files\Bromium and C:\ProgramData\Bromium)

Note: Separate the paths with a carriage return, not a comma or semicolon.
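The following PowerShell script is an added example, not Avecto tooling, for the single-endpoint registry route described at the start of this section (use the GPO route for a fleet). It picks the Wow6432Node key on 64-bit Windows as the text describes, reads any existing HookExclusions value, and adds the two Bromium paths only if they are not already present, so it is safe to re-run. REG_MULTI_SZ stores one string per element, which is what the GPO editor shows as carriage-return separated; the text above gives the direct registry form as semicolon-separated, so the $JoinWithSemicolon switch writes a single semicolon-joined element instead if that is what your agent version expects.

```powershell
# Added example (not Avecto tooling): add the Bromium directories to the
# HookExclusions multi-string value on one endpoint, idempotently. Run elevated.

$JoinWithSemicolon = $false     # $true: write one element "path1;path2" instead of two elements
$bromiumPaths = @('C:\Program Files\Bromium', 'C:\ProgramData\Bromium')

$key = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\Avecto\Privilege Guard Client'
} else {
    'HKLM:\SOFTWARE\Avecto\Privilege Guard Client'
}
if (-not (Test-Path -LiteralPath $key)) { throw "Avecto Privilege Guard Client key not found: $key" }

# Read whatever is there already (absent value => empty list) and normalise it to
# individual entries, splitting any semicolon-joined element as well.
$existing = @((Get-ItemProperty -LiteralPath $key -Name HookExclusions -ErrorAction SilentlyContinue).HookExclusions)
$elements = @($existing | ForEach-Object { "$_" -split ';' } | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# Idempotent merge: keep existing entries, append only what is missing (case-insensitive).
foreach ($p in $bromiumPaths) {
    if ($elements -notcontains $p) { $elements += $p }
}

$newValue = if ($JoinWithSemicolon) { ,($elements -join ';') } else { $elements }
New-ItemProperty -LiteralPath $key -Name HookExclusions -PropertyType MultiString -Value $newValue -Force | Out-Null

# Echo the stored value for the change record.
(Get-ItemProperty -LiteralPath $key -Name HookExclusions).HookExclusions
```

If the Avecto agent enforces tamper protection on its own key, the New-ItemProperty call fails with access denied even from an elevated prompt; that is the case where the GPO route above is the only option.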

Device Lock

Device Lock is a DLP product known to conflict with various security products, typically causing initialization failures. To avoid this, whitelist the following Bromium processes in Device Lock:

BrConsole.exe
BrDesktopConsole.exe
BrDownloadManager.exe
BrExeScanner.exe
BrHostDrvSup.exe
BrHostSvr.exe
BrInstaller.exe
BrInstallerPopup.exe
BrLauncher.exe
BrLogMgr.exe
BrManage.exe
BrNav.exe
BrProgressDialog.exe
BrRemoteManagement.exe
BrRemoteMgmtSvc.exe
BrReporter.exe
BrSecurityAlertInspector.exe
BrService.exe
BrStatusMonitor.exe
BrWinFile.exe
chrome.exe
dpinst.exe
getcaps.exe
HostPcapDump.exe
Br-hostconfig.exe
Br-init-a.exe
Br-init-c.exe
Br-init-l.exe
Br-init-m.exe
Br-init-n.exe
Br-init-o.exe
Br-init-w.exe
Br-uxendm.exe
uxenctl.exe
uxenctx.exe
uxendm.exe

For more information, contact DLP Support.

AppSense

AppSense Application Manager and AppSense Performance Manager operate on a low-level file basis that sometimes brings them into conflict with some reactive antivirus products. In certain situations this can cause a deadlock to occur, resulting in process requests that cannot be completed. You may need to configure some exclusions, both within the AV and within Application Manager/Performance Manager, dependent on the choice of AV that is in use.

Symantec Endpoint Protection

Add the following exclusions to Performance Manager for Symantec, under Global Resources > Memory Optimizer > Excluded Components:

%ProgramFiles(x86)%\Symantec\*
%ProgramFiles%\Symantec\*

In addition, add the following paths to Symantec's exclusion list for Performance Manager:

%ProgramFiles(x86)%\AppSense\Performance Manager\*
%ProgramFiles%\AppSense\Performance Manager\*

as well as the Bromium directory exclusions listed in Directories Exclusions.

McAfee

The following files need to be added to the McAfee exclusion list:

amagent.exe
amminifilter.sys
amfilterdriver.sys
pmagent.exe
pmoptimizer.sys
pmusermem.sys

as well as the Bromium file exclusions.

Additionally, all relevant McAfee processes and drivers should be added to the following area of the Performance Manager console: Resources Setup > Options > Excluded Application > Share Factor Exclusions. Ensure you are using McAfee VirusScan Enterprise 8.7; update to Patch Level 5 or higher to avoid a potential conflict with AppSense agents.

Trend Micro

To avoid issues with Trend Micro, exclude the following processes from scanning by Trend:

amagent.exe
AmAgentAssist.exe

and add the following value to the Registry key:

HKLM\SOFTWARE\AppSense Technologies\Application Manager\DriverParameters

Value: ExProcessNames

Type: REG_SZ

Data: TMBMSRV.exe (and the files listed in File Exclusions.)

Note: This key contains the names of any processes you want to exclude from Application Manager. You can add other processes, as long as they are in a space-delimited format. If you are using Application Manager as a primary anti-malware mechanism, it is recommended that you configure an AppSense Environment Manager Self-Healing Action for this key to protect it.

Sophos

Sophos requires the following processes to be added to the HKLM\SOFTWARE\AppSense Technologies\Application Manager\DriverParameters registry key:

SavMain.exe
SavProgress.exe
SavService.exe
ALMon.exe
ALsvc.exe
ALUpdate.exe
RouterNT.exe
sav32cli.exe
wscclient.exe

Kaspersky Antivirus

Add all of the AppSense agent and notify processes to the Kaspersky exclusion list, together with %ProgramFiles%\AppSense and the Bromium directories, and add the agents to the trusted applications list.

Using EM Policy, create a computer startup registry action to exclude the Kaspersky processes from AM:

HKLM\SOFTWARE\AppSense Technologies\Application Manager\DriverParameters

Value: ExProcessNames

Type: REG_SZ

Data: avp.exe klnagent.exe (and the files listed in File Exclusions.)
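The following PowerShell script is an added example, not AppSense tooling. It merges process names into the space-delimited REG_SZ value ExProcessNames under Application Manager's DriverParameters key without dropping names that are already there, which is what the Trend Micro, Sophos and Kaspersky sections above all require: pass the AV processes for your product plus the Bromium binaries from File Exclusions. Run it elevated on the endpoint, or put the same logic in an Environment Manager computer startup action so the value is re-asserted at every boot, as the Trend Micro note recommends. The function name and the -DryRun switch are the example's own.

```powershell
# Added example (not AppSense tooling): merge process names into the space-delimited
# ExProcessNames REG_SZ value without clobbering existing entries. Run elevated.

$AmKey = 'HKLM:\SOFTWARE\AppSense Technologies\Application Manager\DriverParameters'

function Merge-ExProcessNames {
    param(
        [Parameter(Mandatory = $true)][string[]]$Processes,
        [string]$Path = $AmKey,
        [switch]$DryRun          # compute and return the merged value without writing it
    )
    $current = (Get-ItemProperty -Path $Path -Name ExProcessNames -ErrorAction SilentlyContinue).ExProcessNames
    $merged = @()
    foreach ($n in (@("$current" -split '\s+') + $Processes)) {
        $n = "$n".Trim()
        # -notcontains is case-insensitive, so TMBMSRV.exe and tmbmsrv.exe are not both kept.
        if ($n -and ($merged -notcontains $n)) { $merged += $n }
    }
    $value = $merged -join ' '
    if ($value -ne "$current" -and -not $DryRun) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name ExProcessNames -PropertyType String -Value $value -Force | Out-Null
    }
    return $value
}

# Bromium binaries from File Exclusions (servers and bin directories).
$bromium = 'ax_installer.exe','BrAxService.exe','BrConsole.exe','BrDesktopConsole.exe',
    'BrDownloadManager.exe','BrExeScanner.exe','BrHostDrvSup.exe','BrHostSvr.exe','BrInstaller.exe',
    'BrInstallerPopup.exe','BrLauncher.exe','BrLogMgr.exe','BrManage.exe','BrNav.exe',
    'BrPrintHelper.exe','BrProgressDialog.exe','BrRemoteManagement.exe','BrRemoteMgmtSvc.exe',
    'BrReporter.exe','BrSecurityAlertInspector.exe','BrService.exe','BrStatusMonitor.exe',
    'BrWinFile.exe','chrome.exe','dpinst.exe','firefox_.exe','getcaps.exe','HostPcapDump.exe',
    'Br-hostconfig.exe','Br-init-a.exe','Br-init-c.exe','Br-init-l.exe','Br-init-n.exe',
    'Br-init-o.exe','Br-init-w.exe','Br-uxendm.exe','uxenctl.exe','uxenctx.exe'

# Trend Micro (the other two sections use the same call with their process lists):
Merge-ExProcessNames -Processes (@('TMBMSRV.exe') + $bromium)
# Kaspersky: Merge-ExProcessNames -Processes (@('avp.exe','klnagent.exe') + $bromium)
# Sophos:    Merge-ExProcessNames -Processes (@('SavMain.exe','SavProgress.exe','SavService.exe',
#            'ALMon.exe','ALsvc.exe','ALUpdate.exe','RouterNT.exe','sav32cli.exe','wscclient.exe') + $bromium)
```

The function returns the merged string, so a -DryRun call shows exactly what will be written; because the value is rebuilt from the existing contents plus the new names, repeated runs leave it unchanged.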

Bit9

Whitelist the following directories:

%userprofile%\AppData\LocalLow\Bromium

%userprofile%\AppData\Local\Bromium

%programfiles%\Bromium

%programdata%\Bromium