Real Time AV Exclusions

The BigFix Console, Server and Relay components perform high-volume file operations. This activity is a substantial part of the functionality that these components provide.

If file operations are intercepted or "shimmed" by anti-virus or heuristic applications (such as HIPS), the performance of these components is significantly impacted, and this can sometimes result in errors and instability. The BigFix Client continuously evaluates the machine, which also generates a large volume of API, registry and file operations. The client is therefore affected in the same way and can experience significantly slower content evaluation times.

To address this issue, configure anti-virus and heuristic applications (such as HIPS) to exclude the following directories and processes. Note that the specifications below cover the exclusion of folder paths and processes from real-time scans and heuristics only; from a security perspective, we still recommend that scheduled scans be configured and enabled.

Important Caveats

The following applies to BigFix platform core components only and excludes solutions such as BigFix Inventory, ILMT or OSD (which may have their own guidance on AV exceptions). It also assumes that you are using the default installation paths; otherwise, adjust the paths to match the configuration of your environment.

  • On the BigFix Server

    The following folder and sub folder paths should be excluded:

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\*

    Additionally the following processes should be excluded as well:

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\BESGather.exe

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\BESRootServer.exe

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\BESWebReportsServer.exe

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\BESAdmin.exe

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\FillDB.exe

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\GatherDB.exe

  • On the BigFix Relay

    The following folder and sub folder paths should be excluded:

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Relay\*

    Additionally the following processes should be excluded as well:

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Relay\BESRelay.exe

  • On the BigFix Client

    The following folder and sub folder paths should be excluded:

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Client\*

    Additionally the following processes should be excluded as well:

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe

  • On the BigFix Console

    The following folder and sub folder paths should be excluded. The primary AV exception for the console relates to the console cache directory, which by default is located within the user's profile path. For example:

    %DRIVE%:\Users\<%USER_PROFILE%>\AppData\Local\BigFix\*

    The per-user BigFix Console cache location is also configurable via a registry setting (this may make it easier to apply AV exclusions in some AV and heuristics products). More information on this configuration can be found in: Altering BigFix Console cache location

    Additionally the following processes and files should be excluded as well:

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Console\BESConsole.exe

    %DRIVE%:\Users\<%USER_PROFILE%>\AppData\Local\Temp\tem*.tmp

    Optionally the following directory should also be excluded if leveraging the QNA component within the BigFix Console directory:

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Console\QNA

    Additionally, the following processes:

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Console\QNA\FixletDebugger.exe

  • On the BigFix WebUI Server

    The following folder and sub folder paths should be excluded (these may vary depending on your implementation upgrade path and version; exclude the paths that are observed on your WebUI Server):

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\*

    OR

    %DRIVE%:\Program Files (x86)\BigFix Enterprise\BES WebUI\*

    Additionally the following processes should be excluded (these may vary depending on your version; exclude the paths that are observed on your WebUI Server):

    %DRIVE%:\%WebUI Path%\node.exe

    OR

    %DRIVE%:\%WebUI Path%\WebUIService.exe

Refer to instructions from your virus scanner for more information on how to set this exclusion rule.
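
As an added example (not part of the original BigFix documentation), the following PowerShell script audits the Server, Relay or Client exclusions listed above against Microsoft Defender, which is assumed here as the anti-virus product; the $Role, $Root and $Apply parameters are names chosen for this example. It only reports by default and writes the missing exclusions when run elevated with -Apply.

```powershell
# Added example: audit Microsoft Defender real-time exclusions for one
# BigFix core component. Defender is an assumption; other AV products
# need their own tooling.
param(
    [ValidateSet('Server', 'Relay', 'Client')]
    [string]$Role = 'Client',
    # Assumption: default installation root; pass -Root if yours differs.
    [string]$Root = "${env:ProgramFiles(x86)}\BigFix Enterprise",
    [switch]$Apply   # without -Apply nothing is changed
)

# Process names per role, taken from the lists on this page.
$processes = @{
    Server = 'BESGather.exe', 'BESRootServer.exe', 'BESWebReportsServer.exe',
             'BESAdmin.exe', 'FillDB.exe', 'GatherDB.exe'
    Relay  = @('BESRelay.exe')
    Client = @('BESClient.exe')
}

# Defender folder exclusions already cover sub folders, so no trailing \*.
$folder = Join-Path $Root "BES $Role"
if (-not (Test-Path -LiteralPath $folder)) {
    Write-Warning "$folder not found. Non-default install path? Use -Root."
    return
}
$wantedProcs = $processes[$Role] | ForEach-Object { Join-Path $folder $_ }

# Current Defender configuration (either property is $null when empty).
$pref      = Get-MpPreference
$havePaths = @($pref.ExclusionPath)
$haveProcs = @($pref.ExclusionProcess)

# -notcontains compares strings case-insensitively, like Windows paths.
$missingPath  = @($folder      | Where-Object { $havePaths -notcontains $_ })
$missingProcs = @($wantedProcs | Where-Object { $haveProcs -notcontains $_ })

$missingPath  | ForEach-Object { "MISSING folder exclusion : $_" }
$missingProcs | ForEach-Object { "MISSING process exclusion: $_" }
if (-not $missingPath -and -not $missingProcs) {
    "All $Role exclusions are present."
}

# Writing exclusions requires an elevated session.
if ($Apply) {
    if ($missingPath)  { Add-MpPreference -ExclusionPath    $missingPath }
    if ($missingProcs) { Add-MpPreference -ExclusionProcess $missingProcs }
}
```

The Console and WebUI Server are left out of this example because their paths depend on the user profile and on the installed version.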

For more details, see the technote Configuring your virus scanner to exclude the BigFix client and the BigFix Inventory Scanners.