ferullo
commented
1 year ago cc @roxana-gheorghe @caitlinbetz @nfritts for visibility
Closed ferullo closed 9 months ago
ferullo
commented
1 year ago cc @roxana-gheorghe @caitlinbetz @nfritts for visibility
MXMLN-sec
commented
1 year ago Thank you for creating the Doc Issue. Maybe you could also add process names since other AV Vendors allow also for the process names to be whitelisted which could improve the overall whitelisting.
ferullo
commented
1 year ago I updated the comment with them. But I don't think we should give advice to create trusted application entries in other products based solely on process name rather than full path and ideally digital signature on Windows and macOS as well.
Description
Most AV products contain a feature like Endpoint's Trusted Applications. We document for users how to add entries to Endpoint for other AV products Endpoint shouldn't monitor. We should also document what values for Endpoint they should add to other AV product's "trusted apps". I don't mean how to add them, I just mean what Endpoint's paths and signatures are.
Notes
We recommend users using both the file path and digital signature in the third party AV product to identify Endpoint if possible. Spaces/formatting is important for the signature values.
Windows
c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe(executable)elastic-endpoint.exec:\Windows\system32\drivers\elastic-endpoint-driver.sys(ELAM driver)c:\Windows\system32\drivers\ElasticElam.sys(driver)Elasticsearch, Inc.Elasticsearch B.V.(a secondary signature that may not continue to be used)More detailed notes for Windows are in the elastic/endpoint repo
macOS
/Library/Elastic/Endpoint/elastic-endpoint(executable)elastic-endpoint/Applications/ElasticEndpoint.app/(system extension, recursive directory structure)co.elastic.systemextensionElasticsearch, Inc (2BT3HPN62Z)(Authority/Developer ID Application)2BT3HPN62Z(Team ID)Linux
/opt/Elastic/Endpoint/elastic-endpoint(executable)elastic-endpoint