Application Whitelisting

When running malware/virus detection software on the server, it can be useful to 'whitelist' the Prognosis processes so that the software does not trigger false alarms. This topic provides guidance to assist in this process.

At a high level:

  • Almost all executables run out of the <Prognosis_Home>\Server and <Prognosis_Home>\Server\x64 folders

  • Almost all executables follow the naming convention ir<name>.exe

  • These executables read and write files in the sub-directory tree of the <Prognosis_Home>\Server\Configuration folder.

  • Most executables are deployed in production builds with their accompanying debug files (.PDB) to assist in troubleshooting.

  • PDBs should not be deleted and have not been identified to date as a security risk.

The following executables are typically found to be running on the server. Nothing should inhibit them from running.

On MS Windows, the executables have .exe appended to the names mentioned below.

irtrace

Trace command which should be limited to users on an as-needed basis.

irpacecol

Data collector which may have several other programs running under the same signature but with different names. This is especially true if any customizations have been provided by IR Consulting.

irpqlsrv

Used for data queries and interacting with the Web Application.

irpromgs

Prognosis service process, which is the main executable.

irnetrtr

Used for internode communication.

ircmdsrv

Used for issuing shell commands; it is used internally to perform scheduled operations.

irdbase

Used to access Databases.

irautoan

Used to run Analysts and Thresholds.

irdspsrv

Used for dispatching functionality.

iradicol

Implements Extractors.

ircmd

Used to start and stop Configurations, Analysts, Thresholds and Databases from the command line.

irclview

A utility that can display collected data on the command line.

ircmdgwy

A utility that will execute Commands using authentication when required.

iravcol

Collector for monitoring the availability of processes, disks, ports, and other components in the application environment.

irperl

Encapsulated Perl distribution.

ircnfutl

A utility used to list and update Configurations whether or not the Prognosis service is running.

irdllcol

Collector shell that performs many types of collection on the system (MS Windows only).

irprdbsh

Used for patching and updating the Prognosis Server.

The Collaborate suite has some identified components that typically should not be installed on a Transact server; these will need to be an exception to policy. This is only applicable where the same server is being used for both Collaborate and Transact monitoring.

If McAfee VirusScan is being used on Cisco UCM, switch off the 'Buffer Overflow Protection' option: open the VirusScan Console (Network Associates) from the Start → Programs menu, right-click the 'Buffer Overflow Protection' line, then choose 'Properties'. On the 'Buffer Overflow Protection' tab, uncheck the box next to 'Enable Buffer Overflow Protection', click Apply, then click OK.

Recommendations

In all environments, the following approach is recommended when running virus scanning on the server:

  • Periodic scheduled scans are suggested for the <Prognosis_Home> folder

  • On-access scanning should not be used for any file under the <Prognosis_Home> folder

  • ‘Whitelist’ Prognosis processes to ensure the continued monitoring of applications
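
The following is an added example, not code from the Prognosis product or its vendor. It checks process image paths against both the executable names and the two install folders described above, so that a whitelist entry is not granted on the ir<name>.exe name alone. C:\Prognosis is an assumed placeholder for <Prognosis_Home>, the function names are hypothetical, and the sample paths are constructed.

```python
import ntpath  # Windows path rules, so the audit also runs on a non-Windows host

# Executable names listed on this page (".exe" is appended on MS Windows).
LISTED = {"irtrace", "irpacecol", "irpqlsrv", "irpromgs", "irnetrtr", "ircmdsrv",
          "irdbase", "irautoan", "irdspsrv", "iradicol", "ircmd", "irclview",
          "ircmdgwy", "iravcol", "irperl", "ircnfutl", "irdllcol", "irprdbsh"}

HOME = r"C:\Prognosis"  # assumed placeholder for <Prognosis_Home>


def allowed_dirs(home):
    """The two folders the page says almost all executables run from."""
    server = ntpath.normcase(ntpath.normpath(ntpath.join(home, "Server")))
    return {server, ntpath.join(server, "x64")}


def classify(image_path, home=HOME):
    """Return 'allow', 'review' or 'no-match' for one process image path."""
    # normpath collapses '..' segments; normcase lowercases and unifies slashes.
    full = ntpath.normcase(ntpath.normpath(image_path))
    folder, filename = ntpath.split(full)
    stem, ext = ntpath.splitext(filename)
    in_tree = folder in allowed_dirs(home)
    if ext != ".exe" or not stem.startswith("ir"):
        # Not a Prognosis-style name: only of interest if it sits in the install folders.
        return "review" if in_tree else "no-match"
    if not in_tree:
        return "review"   # Prognosis-style name running from an unexpected folder
    if stem in LISTED:
        return "allow"
    return "review"       # e.g. a renamed irpacecol customization: confirm before allowing


SAMPLE = [  # constructed process image paths
    r"C:\Prognosis\Server\irpromgs.exe",
    r"C:\Prognosis\Server\x64\IRDLLCOL.EXE",
    r"C:\Users\Public\irpromgs.exe",
    r"C:\Prognosis\Server\x64\..\..\Temp\ircmd.exe",
    r"C:\Prognosis\Server\ircustom1.exe",
    r"C:\Windows\System32\svchost.exe",
]


def audit(paths, home=HOME):
    """Map each image path to its verdict."""
    return {p: classify(p, home) for p in paths}


if __name__ == "__main__":
    for path, verdict in audit(SAMPLE).items():
        print(f"{verdict:9} {path}")
```

Entries marked review are the ones to confirm, for example against the installed file's signature or with IR Consulting for customized collectors, before they are added to the whitelist.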