From af02fe28e5df91187911e188b50c956f308d978b Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Sun, 31 Dec 2023 09:50:13 -0800 Subject: [PATCH] [8.4] New page about allowlisting Elastic Endpoint in 3rd-party AV software (backport #4439) (#4513) * New page about allowlisting Elastic Endpoint in 3rd-party AV software (#4439) * Adds new page about allowlisting Elastic Endpoint * Update docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com> * Update docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com> * incorporates feedback * incorporates Gabriel Landau's feedback --------- Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com> (cherry picked from commit 08a7c08aa4370fa559a4bbf8576b7fbcf898ed9c) # Conflicts: # docs/management/manage-intro.asciidoc * fixes merge conflict --------- Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Benjamin Ironside Goldstein --- .../allowlist-endpoint-3rd-party-av.asciidoc | 54 +++++++++++++++++++ docs/management/manage-intro.asciidoc | 1 + 2 files changed, 55 insertions(+) create mode 100644 docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc diff --git a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc new file mode 100644 index 0000000000..3a53338b53 --- /dev/null +++ b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc 
@@ -0,0 +1,54 @@ +[[allowlist-endpoint-3rd-party-av-apps]] += Allowlist Elastic Endpoint in third-party antivirus apps + +Third-party antivirus (AV) applications may identify the expected behavior of {elastic-endpoint} as a potential threat. Add {elastic-endpoint}'s digital signatures and file paths to your AV software's allowlist to ensure {elastic-endpoint} continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable. + +NOTE: Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes. + +[[allowlist-endpoint-on-windows]] +[discrete] +== Allowlist {elastic-endpoint} on Windows + +File paths: + +* ELAM driver: `c:\Windows\system32\drivers\elastic-endpoint-driver.sys` +* Driver: `c:\Windows\system32\drivers\ElasticElam.sys` +* Executable: `c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe` ++ +NOTE: The executable runs as `elastic-endpoint.exe`. + +Digital signatures: + +* `Elasticsearch, Inc.` +* `Elasticsearch B.V.` + +For additional information about allowlisting on Windows, refer to https://github.com/elastic/endpoint/blob/main/PerformanceIssues-Windows.md#trusting-elastic-defend-in-other-software[Trusting Elastic Defend in other software]. + +[[allowlist-endpoint-on-macos]] +[discrete] +== Allowlist {elastic-endpoint} on macOS + +File paths: + +* System extension (recursive directory structure): `/Applications/ElasticEndpoint.app/` ++ +NOTE: The system extension runs as `co.elastic.systemextension`. + +* Executable: `/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint` ++ +NOTE: The executable runs as `elastic-endpoint`. 
+ +Digital signatures: + +* Authority/Developer ID Application: `Elasticsearch, Inc (2BT3HPN62Z)` +* Team ID: `2BT3HPN62Z` + +[[allowlist-endpoint-on-linux]] +[discrete] +== Allowlist {elastic-endpoint} on Linux + +File path: + +* Executable: `/opt/Elastic/Endpoint/elastic-endpoint` ++ +NOTE: The executable runs as `elastic-endpoint`. \ No newline at end of file diff --git a/docs/management/manage-intro.asciidoc b/docs/management/manage-intro.asciidoc index 2af59c3ec5..575e0b731e 100644 --- a/docs/management/manage-intro.asciidoc +++ b/docs/management/manage-intro.asciidoc @@ -12,3 +12,4 @@ include::{security-docs-root}/docs/management/admin/trusted-apps.asciidoc[levelo include::{security-docs-root}/docs/management/admin/event-filters.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/host-isolation-exceptions.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/blocklist.asciidoc[leveloffset=+1] +include::{security-docs-root}/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+1] \ No newline at end of file
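Review bot: The two driver labels in the Windows "File paths" list of allowlist-endpoint-3rd-party-av.asciidoc look swapped: `elastic-endpoint-driver.sys` is listed as "ELAM driver" while `ElasticElam.sys`, the file whose name actually carries "Elam", is listed as plain "Driver". Please confirm against the installed driver set and swap the labels so that the ELAM entry points at `ElasticElam.sys` and the main driver entry at `elastic-endpoint-driver.sys`; a reader allowlisting by role would otherwise pick the wrong file. Two smaller points in the same hunk: the NOTE at the top says path-based exclusions "will not achieve the same result" and that the page is about trusting processes, yet every platform section is headed "File paths", so a short sentence saying these paths identify the executables whose processes should be trusted (not file exclusions) would remove the apparent contradiction; and the new file ends with "\ No newline at end of file", so add a trailing newline.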
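Review bot: The new `include::` line appended to manage-intro.asciidoc is added without a trailing newline ("\ No newline at end of file"); add the newline so the next include appended after it does not get glued onto this line. The placement after the blocklist include matches the existing order of the admin pages, so no further change is needed there.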