When running malware/virus detection software on the server, it can be useful to 'whitelist' the Prognosis processes so that the detection software does not trigger false alarms. This topic provides guidance to assist in this process.
At a high level:
Almost all executables run out of the <Prognosis_Home>\Server and <Prognosis_Home>\Server\x64 folders
Almost all executables follow the naming convention ir<name>.exe
These executables read and write to files in the sub-directory tree of the <Prognosis_Home>\Server\Configuration folder.
Most executables are deployed in production builds with their accompanying debug files (.PDB) to assist in troubleshooting.
PDBs should not be deleted and have not been identified to date as a security risk.
The following executables are typically found to be running on the server. Nothing should inhibit them from running.
Trace command which should be limited to users on an as-needed basis.
Data collector which may have several other programs running under the same signature but with different names. This is especially true if any customizations have been provided by IR Consulting.
Used for data queries and interacting with the Web Application.
Prognosis service process, which is the main executable
Used for internode communication
Used for issuing shell commands; it is used internally to perform scheduled operations.
Used to access Databases
Used to run Analysts and Thresholds
Used for dispatching functionality
Used to start and stop Configurations, Analysts, Thresholds and Databases from the command line.
A utility that can display collected data on the command line.
A utility that will execute Commands using authentication when required.
Collector for monitoring the availability of processes, disks, ports, and other components in the application environment.
Encapsulated Perl distribution.
A utility used to list and update Configurations regardless of whether the Prognosis service is running.
Collector shell that performs many types of collection on the system (MS Windows only).
irprdbsh: Used for patching and updating the Prognosis Server.
In all environments, the following approach is recommended when running virus scanning on the server:
Periodic scheduled scans are suggested for the <Prognosis_Home> folder
On-access scanning should not be used for any file under the <Prognosis_Home> folder
‘Whitelist’ Prognosis processes to ensure the continued monitoring of applications
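An added example, not part of the vendor documentation: a PowerShell inventory of the executables in the two folders named above, recording full path, SHA-256 and Authenticode status so that exclusions can be entered per file rather than by the ir<name>.exe pattern alone. The -PrognosisHome and -OutFile parameters are assumptions, and the page does not say whether the binaries are signed, so an unsigned result is only a prompt for review.

```powershell
# Added example, not vendor code. -PrognosisHome is an assumption: pass the
# actual install folder on this server. -OutFile is a hypothetical report path.
param(
    [Parameter(Mandatory)]
    [string]$PrognosisHome,
    [string]$OutFile = '.\prognosis-exe-inventory.csv'
)

# The two folders the page says almost all executables run from.
$binDirs = @(
    (Join-Path $PrognosisHome 'Server'),
    (Join-Path $PrognosisHome 'Server\x64')
) | Where-Object { Test-Path -LiteralPath $_ -PathType Container }

$inventory = foreach ($dir in $binDirs) {
    # Not recursive, so Server\x64 is not listed twice.
    Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Path            = $_.FullName
            # Page's convention is ir<name>.exe, followed by "almost all"
            # executables, so a mismatch means "review", not "reject".
            MatchesIrNaming = $_.Name -like 'ir?*.exe'
            # Assumption: signing is not stated on the page; recorded as found.
            SignatureStatus = $sig.Status
            Signer          = if ($sig.SignerCertificate) {
                                  $sig.SignerCertificate.Subject
                              } else { $null }
            Sha256          = (Get-FileHash -LiteralPath $_.FullName `
                                  -Algorithm SHA256).Hash
        }
    }
}

# Full record for the change ticket and for comparison after patching.
$inventory | Sort-Object Path |
    Export-Csv -LiteralPath $OutFile -NoTypeInformation

# Entries to look at by hand before adding them to any exclusion list.
$inventory |
    Where-Object { -not $_.MatchesIrNaming -or $_.SignatureStatus -ne 'Valid' } |
    Format-Table Path, MatchesIrNaming, SignatureStatus -AutoSize

# Candidate process exclusions, by full path.
$inventory | Sort-Object Path | Select-Object -ExpandProperty Path
```

Re-running the script after a Prognosis patch or an IR Consulting customization and comparing the CSV files shows which executables were added or changed since the exclusions were last reviewed.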