Antivirus Exclusions
For Privilege Manager users, we recommend several antivirus exclusions to maintain application performance and integrity. These guidelines apply to both real-time and on-demand scanning by antivirus, EDR, or other products.
Ideally, these products should be configured to be completely hands-off, as follows:
- Do not block access to any of our program files (.exe, .dll, .sys, .ps1) and data files for "live" or "on-demand" scanning operations.
- Do not perform file filtering operations for any process running our programs or executing our scripts. The product's file system mini-filter driver code must exempt these processes from the file operations if it normally filters them. File filtering operations can impact things like accessing the client items and file hash cache database files, or opening and reading files when file hashes need to be calculated.
- Do not perform registry filtering operations for any process running our programs or executing our scripts. The product's registry filtering driver code must exempt these processes from registry operations if it normally filters them. If a product slows down access to the registry in any way, it will negatively impact the performance of the Application Control Service (ACS).
Directories
Exclude these directories from your antivirus filters to ensure Privilege Manager processes will not be blocked (or for a more granular approach to these exclusions, see the Client Item Database and Privilege Manager Application Control Agent Services sections at the end of this article):
%ProgramData%\Arellia\
%ProgramData%\Application Data\Arellia
%ProgramFiles%\Thycotic\
%ProgramData%\Arellia\ClientItems
C:\Program Files\Thycotic\Agents\ApplicationControl\ArelliaACSvc.exe
Exclusions for Web Server
Exclude the following from antivirus scanning on Privilege Manager's web server, sometimes also referred to as TMS:
Temporary ASP.NET Files
Exclude the following directory to prevent degradation in performance and possible unexpected restarts of the Tms and TmsWorker IIS application pools:
%SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
Exclusions for Database Server
Exclude the following database files.
SQL Server Data Files
These files contain data and typically have the following extensions:
- .mdf - primary data filegroups
- .ndf - secondary data filegroups
- .ldf - transaction log filegroups
SQL Server Backup Files
These files contain the backup files and typically have the following extensions:
- .bak - database backup files
- .trn - transaction log backup files
By default, the directories that contain the Data and Backup files are located under C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL.
SQL profiler trace files
These files contain SQL Profiler Trace log data and can be contained in any folder.
They usually have the file extension .trc.
Exclusions for Managed Workstations
Windows Agents
Exclude the following for managed workstations, in addition to any agent installers.
Request Run As Administrator Registry Key
Privilege Manager Application Control installs a "Request Run as Administrator" context menu item for executables.
This context menu is added under the following registry key, which some antivirus programs incorrectly flag as malware:
HKLM\SOFTWARE\Classes\exefile\Shell
Client Item Database
These directories contain the Delinea Agent client item database and should be excluded from antivirus to prevent corruption:
%ProgramData%\Arellia\ClientItems
%ProgramData%\Application Data\Arellia
If required, you can further limit this exclusion to all files with the .db and .db-* extensions under this location.
Privilege Manager Application Control Agent Service
Some antivirus products require that the Privilege Manager Application Control service be excluded from tamper protection rules, because Application Control manipulates other applications, which antivirus products may mistake for malicious behavior.
C:\Program Files\Thycotic\Agents\ApplicationControl\ArelliaACSvc.exe
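To check that the Windows agent exclusions listed above are actually in place on an endpoint, the following added example (not part of the vendor's documentation) audits them. It assumes Microsoft Defender Antivirus is the scanner, which the article does not name, and treating the service binary as a process exclusion is likewise an assumption; the function names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example: audit Microsoft Defender exclusions against this article's Windows agent list.
# Assumption: Microsoft Defender Antivirus is the scanner (the article names no product).

# From the "Directories" and "Client Item Database" sections.
$expectedPaths = @(
    '%ProgramData%\Arellia\'
    '%ProgramData%\Application Data\Arellia'
    '%ProgramFiles%\Thycotic\'
    '%ProgramData%\Arellia\ClientItems'
)
# Service binary from the article; checking it as a process exclusion is an assumption.
$expectedProcesses = @(
    'C:\Program Files\Thycotic\Agents\ApplicationControl\ArelliaACSvc.exe'
)

function ConvertTo-ComparablePath {
    param([string]$Path)
    # Expand %VAR% tokens and strip the trailing backslash so equal paths compare equal.
    [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\').ToLowerInvariant()
}

function Get-ExclusionStatus {
    param([string[]]$Expected, [string[]]$Configured, [string]$Kind)
    $have = @($Configured | Where-Object { $_ } | ForEach-Object { ConvertTo-ComparablePath $_ })
    foreach ($item in $Expected) {
        $want = ConvertTo-ComparablePath $item
        # A configured parent folder also covers the item, but excludes more than needed.
        $parent = $have | Where-Object { $want.StartsWith("$_\") } | Select-Object -First 1
        $status = if ($have -contains $want) { 'Exact' } elseif ($parent) { "Covered by: $parent" } else { 'Missing' }
        [pscustomobject]@{
            Kind      = $Kind
            Exclusion = $item
            Status    = $status
            OnDisk    = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($item))
        }
    }
}

$pref = Get-MpPreference
$report = @(
    Get-ExclusionStatus -Expected $expectedPaths -Configured $pref.ExclusionPath -Kind 'Path'
    Get-ExclusionStatus -Expected $expectedProcesses -Configured $pref.ExclusionProcess -Kind 'Process'
)
$report | Format-Table -AutoSize -Wrap

# Exit non-zero when any listed exclusion is absent, so the script can gate a deployment check.
if ($report.Status -contains 'Missing') { exit 1 }
```

A "Covered by" status shows where a broader exclusion already includes a narrower entry, which is the place to tighten the list if you follow the granular approach the article describes.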
macOS Agents
Depending on which version of the macOS agent is used, different directories can be excluded.
macOS Agent, version 11.3.3.1 and later
Exclude these directories from your antivirus filters to ensure Privilege Manager processes will not be blocked:
/Library/Application Support/Delinea/Agent
/usr/local/delinea/quarantine (if the quarantine feature is being used)
macOS Agent before version 11.3.3
For older versions of the agent, these directories should be excluded:
/Library/Application Support/Thycotic/Agent
/usr/local/thycotic/agent
/usr/local/thycotic/quarantine (if the quarantine feature is being used)