Realtime Endpoint Protection (Antivirus) Exclusions (LogRhythm SIEM)

Endpoint Security software, including Anti-Virus, Anti-Malware, and EDR/EPP solutions, can have a major impact on Installation, Upgrade, and ongoing Operations of any high-performance application, which includes the LogRhythm platform. LogRhythm provides a recommended list of paths to exclude from Realtime Scanning as a best practice to reduce the performance/stability impacts that can negatively affect the software. In some cases, there may be features specific to your Endpoint Security vendor, such as Heuristic detections, which may be required to be disabled due to vendor incompatibility. The directories below should be considered a minimum list of exclusion paths and additional paths may be required in some situations.

The following paths listed below include the default directories for each service. These locations are configurable in most cases and may vary from deployment to deployment or from version to version. Consider this to be a minimum list and adjust accordingly.

Where File Extensions are not provided, use RECURSIVE path configurations.

XM

If you have an XM appliance, apply the exclusions specified for all services below.

PM Services

• D:\LogRhythm\*.mdf

• L:\LogRhythm\*.ldf

• T:\Temp\*.mdf

• T:\Temp\*.ldf

• C:\Program Files\LogRhythm\LogRhythm Common\*

• C:\Program Files\LogRhythm\LogRhythm Alarming and Response Manager\*

• C:\Program Files\LogRhythm\LogRhythm Job Manager\*

• C:\Program Files\LogRhythm\LogRhythm Metrics\*

• If the Threat Intelligence Service (TIS) is installed:

  • C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\*

DP Services (Windows)

• S:\LogRhythmArchives\Active\*.lua

• D:\LogRhythmArchives\Inactive\*.lca

• C:\Program Files\LogRhythm\LogRhythm Common\*

• S:\LogRhythm\LogRhythm Mediator Server\state\*

DX Services (Linux)

• /usr/local/logrhythm/db/elasticsearch/data

DX Services (Windows XM)

• All files in the directories and sub-directories of the paths stored in the environment variables %DXPATH% and %DXDATAPATH%. (Defaults below)

  • D:\LRIndexer

  • C:\Program Files\LogRhythm\Data Indexer

AIE Services

• S:\Program Files\LogRhythm\LogRhythm AI Engine\data\*.

• S:\Program Files\LogRhythm\LogRhythm AI Engine\state\*

• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos

• C:\Program Files\LogRhythm\LogRhythm Common\*

• C:\Program Files\LogRhythm\LogRhythm AI Engine\*

• S:\Program Files\LogRhythm\LogRhythm Archive Engine\*

System Monitor Agent (Windows)

• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.bin

• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos

• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.suspense

System Monitor Agent (Legacy Linux)

• /opt/logrhythm/scsm/state/*.pos

• /opt/logrhythm/scsm/state/*.suspense

Web Console Services

• C:\Program Files\LogRhythm\LogRhythm Web Services\*

• S:\tmp\indices\* (also often S:\LogRhythm\webindices\*)

• C:\Program Files\LogRhythm\LogRhythm Common\*

Secondlook API

• C:\Windows\system32\config\systemprofile\AppData\Roaming\LogRhythm\temp\

High Availability Deployments

• C:\lk\* directory (or whichever folder LifeKeeper is installed in)

• C:\Program Files (x86)\SIOS\DataKeeper> directory (or whichever folder DataKeeper is installed in)

• C:\Program Files (x86)\SIOS\DataKeeper\Bitmaps) (or whichever folder the bitmap file is stored in)

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0- BEC7-08002BE2092F}

• Registry keys used by SIOS are available at the following link:  http://docs.us.sios.com/WindowsSPS/8.6/SPS4W/TechDoc/index.htm#DataKeeper/Administration/Registry_Entries.htm%3FTocPath%3DDataKeeper%7CAdministration%7C_____10