Realtime Antivirus Exclusions
If you removed third party antivirus or endpoint protection software to conduct an upgrade or installation, reinstall it. When running antivirus scanning software on a LogRhythm platform and/or on System Monitor Agent systems, be sure to exclude the following directories from realtime antivirus scans. Scanning these directories has a major impact on the performance of the LogRhythm platform. However, these locations should be scanned on a regularly scheduled basis.
The following lists show the default directories. However, the location of any State folder (including AI Engine, Job Manager, and SCARM) and of the archive data can be customized to any location (for example, D:\); wherever these folders are, they need to be excluded.
XM Appliance
If you have an XM appliance, apply the exclusions specified for the PM, DPX, and AIE (if installed).
PM Appliance
- D:\*.mdf
- L:\*.ldf
- T:\*.mdf
- T:\*.ldf
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
- C:\tmp\indices\ (if Web Console is installed on the PM)
- If the Threat Intelligence Service (TIS) is installed:
  - C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\*.*
  - C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\staging\HailATaxii\*.*
DP or DPX Appliance (Windows)
- All files in the directories and sub-directories of the paths stored in the environment variables %DXPATH%, %DXCONFIGPATH%, and %DXDATAPATH%. By default, this is D:\Program Files\LogRhythm\Data Indexer\. To view the environment variables, go to the Advanced System Settings, and click Environment Variables.
- D:\LogRhythmArchives\Active\*.lua
- X:\LogRhythmArchives\Inactive\*.lca (where X: is the location of the inactive archives, D: by default)
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
- X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.bin (where X: is the location of the state folder)
- X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.dgz (where X: is the location of the state folder)
- C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\data
- C:\Program Files\LogRhythm\Data Indexer\elasticsearch\data
- C:\Windows\Temp\jtds*.tmp
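The page is written for any third-party antivirus product; as an added example (not from LogRhythm's documentation), this PowerShell applies the DP/DPX exclusions above to Microsoft Defender Antivirus, resolving the Data Indexer environment variables the way the text describes. It assumes the default D: archive and state drives (adjust `$StateRoot` and `$ArchiveRoot`) and must run as Administrator on the appliance.

```powershell
# Added example, not LogRhythm code. Defender cmdlets are assumed; other
# products need their own console or CLI. Run elevated on the DP/DPX.
$StateRoot   = 'D:'   # drive holding the Mediator Server state folder (assumption)
$ArchiveRoot = 'D:'   # drive holding the inactive archives (assumption)

# Directory roots from the Data Indexer environment variables (machine scope).
# A variable that is unset falls back to the documented default path.
$dxDirs = foreach ($v in 'DXPATH', 'DXCONFIGPATH', 'DXDATAPATH') {
    $p = [Environment]::GetEnvironmentVariable($v, 'Machine')
    if ([string]::IsNullOrWhiteSpace($p)) { 'D:\Program Files\LogRhythm\Data Indexer' } else { $p }
}

$exclusions = @(
    $dxDirs
    'D:\LogRhythmArchives\Active\*.lua'
    "$ArchiveRoot\LogRhythmArchives\Inactive\*.lca"
    'C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos'
    "$StateRoot\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.bin"
    "$StateRoot\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.dgz"
    'C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\data'
    'C:\Program Files\LogRhythm\Data Indexer\elasticsearch\data'
    'C:\Windows\Temp\jtds*.tmp'
) | Select-Object -Unique

foreach ($path in $exclusions) {
    # A mistyped or relocated folder silently excludes nothing, so check that the
    # directory (or, for a wildcard pattern, its parent) exists on this host.
    $dir = if ($path -match '[\*\?]') { Split-Path -Path $path -Parent } else { $path }
    if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Folder not found: $dir" }
    Add-MpPreference -ExclusionPath $path
}

# Verify what Defender actually recorded against the list above.
(Get-MpPreference).ExclusionPath | Sort-Object
```

Defender applies its exclusion list to scheduled and on-demand scans as well as realtime protection, so the regularly scheduled scan of these folders that the text calls for has to be arranged separately.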
DX Appliance (Linux)
- /usr/local/logrhythm/db/elasticsearch/data (default path, includes both state and data files)
- /var/tmp/jdts*.tmp
AIE Appliance
- C:\Program Files\LogRhythm\LogRhythm AI Engine\data\*.*
- X:\Program Files\LogRhythm\LogRhythm AI Engine\state\*.*
- X:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
If the AIE service is running on the PM appliance, exclude these directories on the PM.
Collector Appliance or Agents Deployed on Servers
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.bin
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.suspense
The above paths are the default installation locations for the System Monitor Agent. If you install the Agent in a different location (for example, D:\), update the exclusions as required.
Agents Deployed on Linux Servers
- /opt/logrhythm/scsm/state/*.pos
- /opt/logrhythm/scsm/state/*.suspense
Web Console
- D:\tmp\indices
High Availability Deployments
- C:\lk\* directory (or whichever folder LifeKeeper is installed in)
- C:\Program Files (x86)\SIOS\DataKeeper directory (or whichever folder DataKeeper is installed in)
- C:\Program Files (x86)\SIOS\DataKeeper\Bitmaps (or whichever folder the bitmap file is stored in)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
- Registry keys used by SIOS, available at the following link: https://docs.us.sios.com/WindowsSPS/8.6/SPS4W/TechDoc/index.htm#DataKeeper/Administration/Registry_Entries.htm?Highlight=Registry