Are there any EventSentry files that I might need to whitelist in my Antivirus/Antimalware software?

Article ID: 369
Category: General
Applies to: All
Updated: 2022-05-02

Yes, depending on how aggressive your Antivirus/Antimalware software is, you may be unable to deploy the agent or push an updated configuration without whitelisting. If you experience the error "Unable to update files" or "Unable to update file(s)" despite having Administrator permission on the remote host, you may need to whitelist the following files:

  • c:\windows\system32\eventsentry\eventsentry_svc_x64.exe
  • c:\windows\system32\eventsentry\eventsentry_svc.reg
  • c:\windows\system32\eventsentry\
  • c:\windows\system32\eventsentry\

Note: For 32-bit hosts, you also need to whitelist c:\windows\system32\eventsentry\eventsentry_svc.exe

Depending on how aggressive your Antivirus/Antimalware software is, you may experience RPC errors or TCP errors when deploying/upgrading the agent, pushing the configuration, checking the agent status, monitoring SNMP for remote hosts, or sending an email. You may need to whitelist the following files:

  • c:\program files\eventsentry\eventsentry_gui_x64.exe
  • c:\windows\system32\eventsentry\es_heartbeat_svc_x64.exe
  • c:\windows\system32\eventsentry\es_network_svc_x64.exe
  • c:\windows\system32\eventsentry\es_collector_svc_x64.exe
  • c:\program files (x86)\eventsentry\eventsentry_gui.exe (if you do not have EventSentry 5.0 yet)

If you have the optional EventSentry ADMonitor component, you may experience freezing or crashing or failed synchronization errors if the Antivirus/Antimalware software is too aggressive. You may need to whitelist the following EventSentry ADMonitor files:

  • c:\program files\eventsentry\admonitor\admin\es_admonitor_col_x64.exe
  • c:\program files\eventsentry\admonitor\admin\ es_admonitor_svc_x64.exe

Most Antivirus/Antimalware software causes poor database performance by scanning the database files for threats every time the database is read, modified, or creates a new file. Databases experience a very high rate of these types of activity and can end up being scanned excessively, leading to poor database performance. It is recommended to whitelist your database service executables, which can be found in your database vendor's documentation, but for the built-in EventSentry database they are:

  • c:\program files\eventsentry\postgresql14\bin\postgres.exe
  • c:\program files\eventsentry\postgresql14\bin\pg_ctl.exe

Note: If you do not have EventSentry 5.0 yet you may have these two database executable files installed in the "c:\program files (x86)\eventsentry\postgresql96\bin" folder, or a custom location.

It is also helpful to whitelist the actual database files, such as .MDF/.LDF (Microsoft SQL), or .IBD/.FRM (MySQL), please consult your DBA or your vendor documentation for the location of these files in your environment. For the built-in EventSentry database there are no extensions for the database files, so it is recommended to whitelist the "c:\program files\eventsentry\data14" folder or the "c:\program files (x86)\eventsentry\data96" folder, or the built-in database's custom location on your EventSentry server.

Certain Antivirus/Antimalware software flags encrypted files as a potential virus. If you are uninstalling EventSentry, or upgrading in a manner that runs an uninstaller first (such as upgrading your web reports in 3.4 series) you can ignore or whitelist "_uninstall1234" and "_uninstall1234.000" files (where 1234 is a random 4-digit number) that are temporarily created in the "C:\Users\username\AppData\Local\Temp_uninstall" folder.