New page about allowlisting Elastic Endpoint in 3rd-party AV software (#4439)

* Adds new page about allowlisting Elastic Endpoint
* Update docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc Co-authored-by: Daniel Ferullo <[email protected]>
* Update docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc Co-authored-by: Daniel Ferullo <[email protected]>
* incorporates feedback
* incorporates Gabriel Landau's feedback

--------- Co-authored-by: Daniel Ferullo <[email protected]> (cherry picked from commit 08a7c08)
1 parent 8dea177, commit 6b7ba70
Showing 2 changed files with 55 additions and 0 deletions.
54 changes: 54 additions & 0 deletions
docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
[[allowlist-endpoint-3rd-party-av-apps]] | ||
= Allowlist Elastic Endpoint in third-party antivirus apps | ||
|
||
Third-party antivirus (AV) applications may identify the expected behavior of {elastic-endpoint} as a potential threat. Add {elastic-endpoint}'s digital signatures and file paths to your AV software's allowlist to ensure {elastic-endpoint} continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable. | ||
|
||
NOTE: Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes. | ||
|
||
[[allowlist-endpoint-on-windows]] | ||
[discrete] | ||
== Allowlist {elastic-endpoint} on Windows | ||
|
||
File paths: | ||
|
||
* ELAM driver: `c:\Windows\system32\drivers\elastic-endpoint-driver.sys` | ||
* Driver: `c:\Windows\system32\drivers\ElasticElam.sys` | ||
* Executable: `c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe` | ||
+ | ||
NOTE: The executable runs as `elastic-endpoint.exe`. | ||
|
||
Digital signatures: | ||
|
||
* `Elasticsearch, Inc.` | ||
* `Elasticsearch B.V.` | ||
|
||
For additional information about allowlisting on Windows, refer to https://github.com/elastic/endpoint/blob/main/PerformanceIssues-Windows.md#trusting-elastic-defend-in-other-software[Trusting Elastic Defend in other software]. | ||
|
||
[[allowlist-endpoint-on-macos]] | ||
[discrete] | ||
== Allowlist {elastic-endpoint} on macOS | ||
|
||
File paths: | ||
|
||
* System extension (recursive directory structure): `/Applications/ElasticEndpoint.app/` | ||
+ | ||
NOTE: The system extension runs as `co.elastic.systemextension`. | ||
|
||
* Executable: `/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint` | ||
+ | ||
NOTE: The executable runs as `elastic-endpoint`. | ||
|
||
Digital signatures: | ||
|
||
* Authority/Developer ID Application: `Elasticsearch, Inc (2BT3HPN62Z)` | ||
* Team ID: `2BT3HPN62Z` | ||
|
||
[[allowlist-endpoint-on-linux]] | ||
[discrete] | ||
== Allowlist {elastic-endpoint} on Linux | ||
|
||
File path: | ||
|
||
* Executable: `/opt/Elastic/Endpoint/elastic-endpoint` | ||
+ | ||
NOTE: The executable runs as `elastic-endpoint`. |
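Review bot: The labels on the two Windows driver paths look swapped: the "ELAM driver" bullet points at `elastic-endpoint-driver.sys` while the plain "Driver" bullet points at `ElasticElam.sys`. Going by the file names, `ElasticElam.sys` should carry the ELAM label and `elastic-endpoint-driver.sys` the driver label; an administrator who picks the entry to trust by its role would otherwise configure the wrong file. In the macOS section, please confirm that the authority string `Elasticsearch, Inc (2BT3HPN62Z)` is meant to omit the period that the Windows signer `Elasticsearch, Inc.` has, since readers will copy these strings verbatim into their AV product. The Linux section lists a file path only, so a short sentence saying that no digital signature applies there would match the intro's "if applicable" and save readers from looking for one.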