Are there any EventSentry files that I might need to whitelist in my Antivirus/Antimalware software?

Article ID: 369
Category: General
Applies to: All
Updated: 2018-11-07

Yes, depending on how aggressive your Antivirus/Antimalware software is, you may be unable to deploy the agent or push an updated configuration without whitelisting. If you experience the error "Unable to update files" or "Unable to update file(s)" despite having Administrator permission on the remote host, you may need to whitelist the following files:

  • c:\windows\system32\eventsentry\eventsentry_svc_x64.exe
  • c:\windows\system32\eventsentry\eventsentry_svc.reg
  • c:\windows\system32\eventsentry\eventsentry_svc.zip
  • c:\windows\system32\eventsentry\eventsentry_svc.zip.complete

Note: For 32-bit hosts, you also need to whitelist c:\windows\system32\eventsentry\eventsentry_svc.exe

Depending on how aggressive your Antivirus/Antimalware software is, you may experience RPC errors or TCP errors when deploying/upgrading the agent, pushing the configuration, checking the agent status, monitoring SNMP for remote hosts, or sending an email. You may need to whitelist the following files:

  • c:\program files (x86)\eventsentry\eventsentry_gui.exe
  • c:\windows\syswow64\eventsentry\eventsentry_hb_svc.exe
  • c:\windows\system32\eventsentry\es_network_svc_x64.exe

Most Antivirus/Antimalware software degrades database performance by scanning the database files for threats every time the database reads, modifies, or creates a file. Databases generate a very high rate of this kind of activity and can end up being scanned excessively, leading to poor database performance. It is recommended to whitelist your database service executable (its location is given in your database vendor's documentation); for the built-in EventSentry database the executables are:

  • c:\program files (x86)\eventsentry\postgresql\bin\postgres.exe
  • c:\program files (x86)\eventsentry\postgresql\bin\pg_ctl.exe

Note: You may have these files installed in "c:\program files (x86)\eventsentry\postgresql96\bin\", or a custom location.

It is also helpful to whitelist the actual database files, such as .MDF/.LDF (Microsoft SQL) or .IBD/.FRM (MySQL); consult your DBA or your vendor's documentation for the location of these files in your environment. The built-in EventSentry database files have no extension, so it is recommended to whitelist the "c:\program files (x86)\eventsentry\data" or "c:\program files (x86)\eventsentry\data96" folder, or its custom location, on your EventSentry server.
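The following script is an added example, not part of this article or of EventSentry itself. It registers the agent files, database executables and data folder listed above as exclusions, assuming Microsoft Defender is the Antivirus/Antimalware product in use (other products have their own exclusion mechanisms) and that the built-in PostgreSQL database is installed under the default or "96" folder names. It only adds exclusions for paths that actually exist on the host, since a standing exclusion for a path that is not there is simply an unscanned location.

```powershell
# Added example (not from the EventSentry article): registers the article's files and
# folders as Microsoft Defender exclusions. Assumes Defender is the AV product and the
# built-in PostgreSQL database is used. Run from an elevated PowerShell prompt.

# Agent files needed for deployment, configuration push, status checks, SNMP and email
$agentFiles = @(
    'C:\Windows\System32\eventsentry\eventsentry_svc_x64.exe',
    'C:\Windows\System32\eventsentry\eventsentry_svc.reg',
    'C:\Windows\System32\eventsentry\eventsentry_svc.zip',
    'C:\Windows\System32\eventsentry\eventsentry_svc.zip.complete',
    'C:\Windows\System32\eventsentry\eventsentry_svc.exe',      # present on 32-bit hosts only
    'C:\Program Files (x86)\eventsentry\eventsentry_gui.exe',
    'C:\Windows\SysWOW64\eventsentry\eventsentry_hb_svc.exe',
    'C:\Windows\System32\eventsentry\es_network_svc_x64.exe'
)

# Built-in database: the folder may be "postgresql"/"data" or "postgresql96"/"data96".
# Pick whichever exists instead of excluding both names blindly.
$esRoot = 'C:\Program Files (x86)\eventsentry'
$pgBin  = @("$esRoot\postgresql\bin", "$esRoot\postgresql96\bin") |
          Where-Object { Test-Path $_ } | Select-Object -First 1
$pgData = @("$esRoot\data", "$esRoot\data96") |
          Where-Object { Test-Path $_ } | Select-Object -First 1

$dbProcesses = @()
if ($pgBin) { $dbProcesses = @("$pgBin\postgres.exe", "$pgBin\pg_ctl.exe") }

# Path exclusions: only for files/folders that exist on this host.
# @() keeps the result an array even when a single path matches.
$pathExclusions = @(($agentFiles + $dbProcesses) | Where-Object { Test-Path $_ })
if ($pgData) { $pathExclusions += $pgData }

foreach ($p in $pathExclusions) {
    Add-MpPreference -ExclusionPath $p
}

# Process exclusions: files opened by these processes are not scanned, which is what
# addresses the "scanned on every read/modify" database performance problem.
foreach ($proc in $dbProcesses) {
    Add-MpPreference -ExclusionProcess $proc
}

# Review the resulting exclusion lists so the change can be audited
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
```

If the database or data folder was installed to a custom location, set `$esRoot` (or the `$pgBin`/`$pgData` candidates) accordingly; the script deliberately skips anything it cannot find rather than guessing.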

Certain Antivirus/Antimalware software flags encrypted files as a potential virus. If you are uninstalling EventSentry, or upgrading in a manner that runs an uninstaller first (such as upgrading the web reports in the 3.4 series), you can ignore or whitelist the "_uninstall1234" and "_uninstall1234.000" files (where 1234 is a random 4-digit number) that are temporarily created in the "C:\Users\username\AppData\Local\Temp_uninstall" folder.