Required antivirus exclusions for Veritas eDiscovery Platform

Article: 100013987
Last Published: 2025-01-20
Product(s): eDiscovery Platform

Problem

The Veritas eDiscovery Platform (eDP) does not come with bundled anti-virus software. Veritas recommends that users perform an anti-virus scan of the data that they wish to use eDP to analyze. The eDP administrators may provide anti-virus software on their end-user PCs since eDP users have the ability to download native files. Veritas recognizes the need for security compliance within an organization and the requirement for deploying anti-virus software. If you install anti-virus software on the eDP appliance, consider the following guidelines for scanning directories and processes.

Solution

The following directories should be excluded from antivirus scanning.

MySQL Database Software
Default Location: D:\mysql
Note: If the mysql directory is scanned, the anti-virus software is likely to quarantine or delete the files. The first symptom of this scenario is that your backups start failing.

Default Location: D:\mysqltemp
Note: If the mysqltemp directory is scanned, the anti-virus software is likely to quarantine or delete the files. The first symptom of this scenario is that backups will start failing.
 

Default Location: D:\MySQLData (Clearwell v7.1.4+)
Note: If the mysqltemp directory is scanned, the anti-virus software is likely to quarantine or delete the files. The first symptom of this scenario is that backups will start failing.


eDP Directories:
Default Location: D:\CWShared
Default Location: D:\CW\<current version>
Note: D:\CW\<current_version> contains a subfolder that needs to be scanned:

D:\CW\<current_version>\scratch\temp\esadb\attCacheDir\

Because only directories can be excluded from a virus scan, move the attachments directory (attCacheDir) to a different location and then update the path. For more information, see "To update the attachments directory (attCacheDir) location" below.

JDK Software
Default Locations: 

*eDP Version 8.2
C:\jdk-8u74-windows-x32
C:\jdk-8u74-windows-x64

*eDP Version 8.3
C:\jdk-8u121-windows-x32
C:\jdk-8u121-windows-x64

*eDP Version 9.0
C:\jdk-8u144-windows-x32
C:\jdk-8u144-windows-x64

*eDP Version 9.1.0
C:\jdk-8u181-windows-x32
C:\jdk-8u181-windows-x64

*eDP Version 9.1.1
C:\jdk-8u201-windows-x32
C:\jdk-8u201-windows-x64

*eDP Version 9.1.2
C:\jdk-8u221-windows-x32
C:\jdk-8u221-windows-x64

*eDP Version 9.1.3
C:\jdk-8u231-windows-x32
C:\jdk-8u231-windows-x64

*eDP Version 9.5.1, 9.5.2 and 10.0.x
C:\jdk-8u251-windows-x32
C:\jdk-8u251-windows-x64

*eDP Version 10.1
C:\jdk-8u301-windows-x32
C:\jdk-8u301-windows-x64

*eDP Version 10.1.1 and 10.1.2
C:\jdk-8u321-windows-x32
C:\jdk-8u321-windows-x64

*eDP Version 10.2.0
C:\jdk-8u342-windows-x32
C:\jdk-8u342-windows-x64

*eDP Version 10.2.1
C:\jdk-8u352-windows-x32
C:\jdk-8u352-windows-x64

*eDP Version 10.2.2
C:\jdk-8u362-windows-x32
C:\jdk-8u362-windows-x64

*eDP Version 10.2.3
C:\jdk-8u372-windows-x32
C:\jdk-8u372-windows-x64

*eDP Version 10.2.4
C:\jdk-8u382-windows-x32
C:\jdk-8u382-windows-x64

*eDP Version 10.2.5
C:\jdk-8u392-windows-x32
C:\jdk-8u392-windows-x64

*eDP Version 10.2.6
C:\jdk-8u402-windows-x32
C:\jdk-8u402-windows-x64

*eDP Version 10.2.7
C:\jdk-8u412-windows-x32
C:\jdk-8u412-windows-x64

*eDP Version 10.3.0
C:\jdk-8u422-windows-x32
C:\jdk-8u422-windows-x64

*eDP Version 10.3.1
C:\jdk-8u432-windows-x32
C:\jdk-8u432-windows-x64


Image Helper
(*version 8.0 and higher)
Default Location: D:\Clearwell Packages\Muhimbi Document Converter
Note: For the Image Helper to work properly, allow access to port 41734.

C:\Users\[User of ESAImagehelper Service]\AppData\Local\Temp
e.g. C:\Users\edpIGC\AppData\Local\Temp
 

PrizmDoc
(*version 10.0 or higher)
D:\Prizm\PAS
D:\Prizm\Server


Rights Management
Default Location: C:\Users\<username>\AppData\Local\Microsoft\DRM
Note: This directory only exists if the Rights Management feature is being used.

Audio Search
Default Locations:
C:\Program Files (x86)\Nexidia
C:\Program Files (x86)\Nexidia\Language Packs
C:\Program Files (x86)\Nexidia\Search Grid 2.0
C:\Users\<Nexidia_Service_Account_username>\AppData\Local\Temp
D:\Nexidia

Note: These directories only exist if you have the Audio Search module. By default, the Audio Search software is installed into the directories and subdirectories listed above. To avoid interference with critical media operations, be sure to disable virus and malware scanning software. In particular, Malwarebytes Anti-Malware, Kaspersky Endpoint Security, and Microsoft Security Essentials are known to interfere with media operations.

Source Locations:
Any location that will be specified as a source for processing. If this was collected data, it should be scanned prior to collection. If it is external data, it should be manually scanned before being processed. This avoids access conflicts and any change to the data after it has been processed.

The Converted and Extracted files locations are also considered source folders. The default locations for these files are as follows:
D:\convertedFiles
If the location has been changed via the property esa.system.convertedFilesDir, exclude that location instead.
D:\CW\vXX\containedPstNsf
If the location has been changed via the property esa.case.contained.pstnsf.dir, exclude that location instead.

Collection Destinations:
Any locations specified as a destination for collections. Collected data should be scanned at the source prior to collection and does not need to be scanned during collection.

Case and Node Backup Locations:
The folders or network shares specified for case and node backups must be excluded.  Scanning during the backup process can cause intermittent backup failures.

EV.cloud Collections:
EV.cloud collection tasks data is downloaded from the EV.cloud data center in ZIP file containers.  The collection destination for EV.cloud collection tasks should be excluded from container scans if this process is separate from file/folder exclusions.

Additional Considerations:

External Export Destination:

The default export destination is contained within the Application directory and would be covered by previous exclusions. If you change the export destination to an external location, that location needs to be excluded as well. This includes using the esa.export.joboutput.external property in any version and/or using custom export locations in 8.1.1 and later. If required, data should be scanned manually post export and any file deletions noted.

Externalizable Data Directory:
If the EXTDATA and EXTTEMP directories are redirected to an external location using esa.cluster.externalBaseDir, it will also need to be excluded from antivirus.

Scanned Directories
Before a document is displayed to the Reviewer in native view, the document is generated as a temporary file in its native format. Document rendering can be initiated in two different ways:
(1) by downloading documents in real time through Review Mode's Native View or (2) as a batch process through Search Cache Job.
Note: Virus scanning documents will impact cache and review performance.

Downloading files in Real Time
When reviewing documents in their native format without running the Review Cache Job, the files are downloaded and converted in real time. By default, converted files are saved in the D:\CW\<current_version>\scratch\temp\esadb\attCacheDir\ directory. The attCacheDir directory is a staging area for documents and attachments that need to be scanned for viruses prior to being displayed to the user. Because only directories can be excluded from a virus scan, move the attachments directory (attCacheDir) to a different location and then update the path.

To update the attachments directory (attCacheDir) location:
1. From the System view, click Support Features.
2. Select Property Browser from the feature menu.
3. Type esa.altAttachmentsDir in the Name of Property to change field.
4. Specify the new location of the attachments directory.
5. Confirm the change.
6. Click Submit.
Summary: Configure your anti-virus software to scan the attCacheDir directory.

Running Review Cache Job
When running a Review Cache Job, every document within the group is converted into its native format and then stored in a case cache directory. To ensure these native-format files are scanned, create a staging directory called d:\CW\netitScan\ and point your anti-virus software to that directory. After the netitScan directory is created, files are converted to native format, copied to d:\CW\netitScan, scanned by the anti-virus software, and then copied to their final home.

How to create a fixed location to automatically scan temporary, native-format files
1. On the eDP appliance, create the d:\CW\netitScan\ directory if not already there.
2. Log on to the eDP appliance and navigate to System > Support Features.
3. From the Choose a support feature drop-down list, select Property Browser.
4. In the Name of property to change field, type esa.netit.virus_scanner_dir.
5. In the New value (leave blank to remove) field, type d:\CW\netitScan.
6. Select the option Confirm change. Are you sure?.
7. Click Submit to save the configuration.
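
Added example (not part of the original article and not Veritas code): a PowerShell audit that compares configured folder exclusions with the directories this article says to exclude, and flags any must-scan staging directory that an exclusion covers. It assumes Microsoft Defender Antivirus is the scanner (Get-MpPreference); D:\AVStaging\attCacheDir is a hypothetical relocated attCacheDir, and version-specific paths such as D:\CW\<current version> and the JDK directories must be added to -MustExclude for your install.

```powershell
# Added example: audit folder exclusions against this article's lists.
# Assumption: Microsoft Defender Antivirus is the scanner (Get-MpPreference).
# Pass -Configured explicitly to audit a list exported from another product.
function Test-EdpExclusions {
    param(
        [string[]]$Configured = @((Get-MpPreference).ExclusionPath),
        # Directories the article says to exclude (defaults; extend for your install).
        [string[]]$MustExclude = @('D:\mysql', 'D:\mysqltemp', 'D:\MySQLData',
                                   'D:\CWShared', 'D:\convertedFiles'),
        # Staging directories the article says must still be scanned.
        # D:\AVStaging\attCacheDir is a hypothetical relocated attCacheDir.
        [string[]]$MustScan = @('D:\CW\netitScan', 'D:\AVStaging\attCacheDir')
    )

    # Normalise: drop a trailing '\*' or '\' so 'D:\CW\*' and 'D:\CW\' compare equal.
    $norm = { param($p) ($p -replace '\\\*$', '').TrimEnd('\') }
    $excl = @($Configured | Where-Object { $_ } | ForEach-Object { & $norm $_ })

    # Returns the exclusion that equals $path or contains it, else $null.
    # The "$e\" boundary keeps D:\CW from matching D:\CWShared.
    $covered = {
        param($path)
        $p = & $norm $path
        foreach ($e in $excl) {
            if ($p -ieq $e -or
                $p.StartsWith("$e\", [StringComparison]::OrdinalIgnoreCase)) {
                return $e
            }
        }
        return $null
    }

    foreach ($dir in $MustExclude) {
        if (-not (& $covered $dir)) {
            [pscustomobject]@{ Path = $dir; Finding = 'MissingExclusion'; CoveredBy = $null }
        }
    }
    foreach ($dir in $MustScan) {
        $hit = & $covered $dir
        if ($hit) {
            [pscustomobject]@{ Path = $dir; Finding = 'StagingDirNotScanned'; CoveredBy = $hit }
        }
    }
}

# Constructed sample list: D:\CW\* is excluded wholesale, which also covers D:\CW\netitScan.
Test-EdpExclusions -Configured @('D:\mysql\*', 'D:\CWShared', 'D:\CW\*') |
    Format-Table -AutoSize
```

Run without -Configured on the appliance to audit the live Defender configuration. An empty result means every listed directory is excluded and no staging directory is hidden from the scanner.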

Disabling the Anti-Virus Software 
If a decision is made to discontinue the practice of scanning documents for viruses, ensure that the esa.netit.virus_scanner_dir property is removed through the Support Features > Property Browser. Before upgrading or installing a new version of eDP, Veritas strongly recommends disabling your anti-virus software first.
Note: For upgrade information, refer to the Veritas eDiscovery Upgrade Overview, and Veritas eDiscovery Upgrade Guide. For new installations, refer to the Veritas eDiscovery Installation Guide.

Ensuring Security Software and Windows Management Instrumentation (WMI) Operability
eDP depends on Windows Management Instrumentation (WMI) in order to gather hardware utilization statistics for adjusting processing speeds. In the event that eDP is unable to obtain WMI statistics, the system will not be able to discover or process data successfully. Ensure that security software configuration is not blocking or interfering with WMI and its ability to collect eDP management data.

NOTE ON EXCLUSION SETTINGS:
On some anti-virus software, setting an exclusion does not actually disable scanning of the excluded items; the software still scans them and just ignores anything it finds. Efforts need to be made to ensure that the files are not actually being scanned, as the scanning process is what causes the access violations.

NOTE ON PROCESS BASED EXCLUSIONS:
Veritas eDiscovery Platform utilizes a large number of processes. A full list of those processes is not available to be shared at this time. Veritas recommends either disabling antivirus scanning using process-based exclusions or using an antivirus solution that supports folder-based exclusions. However, using both folder-based exclusions and process-based exclusions is not recommended for Veritas eDiscovery Platform.

Though folder-based exclusions are more advisable, you should use process-based exclusions if you are experiencing slower processing on eDiscovery Platform in a Windows 2016 environment. The processes that should be excluded are listed below:

Value name | Value
D:\MySQL\* | 0
C:\Users\Administrator\AppData\* | 0
C:\jdk-8u###-windows-x32\* (where ### is the current Java version) | 0
C:\jdk-8u###-windows-x64\* (where ### is the current Java version) | 0
C:\FireDaemon\* | 0
C:\Users\[EsaApplicationService: Firedaemon - Account]\* | 0
C:\Users\[EsaPstRetrieverService - Account]\* | 0
C:\Users\[EsaImageHelper - Account]\* | 0
C:\Users\Public\Desktop\Clearwell Commander.exe | 0
C:\Users\Default\AppData\* | 0
C:\Users\Public\Desktop\Clearwell Utility.exe | 0
D:\mysqltemp\* | 0
D:\MySQLData\* | 0
D:\CWShared\* | 0
D:\CW\* | 0
D:\Nexidia\* | 0
D:\convertedFiles\* (NOTE: This location is specified in System > Settings > Locations) | 0
D:\Prizm\* | 0
D:\IGC\Brava! JobProcessor\* | 0

Note: For C:\jdk-8u251-windows-x32\* and C:\jdk-8u251-windows-x64\*, use the JDK version that is used by the installed version of eDiscovery Platform.

For more details on process-based exclusions, see the Microsoft documentation.

References

JAMA : VRTS-IDEA-103639 JAMA : VRTS-IDEA-104514
