Closed ferullo closed 9 months ago
cc @roxana-gheorghe @caitlinbetz @nfritts for visibility
Thank you for creating the Doc Issue. Maybe you could also add process names, since other AV vendors also allow process names to be whitelisted, which could improve the overall whitelisting.
I updated the comment with them. But I don't think we should give advice to create trusted application entries in other products based solely on process name rather than full path and ideally digital signature on Windows and macOS as well.
Description
Most AV products contain a feature like Endpoint's Trusted Applications. We document for users how to add entries to Endpoint for other AV products that Endpoint shouldn't monitor. We should also document what values for Endpoint they should add to other AV products' "trusted apps". I don't mean how to add them, I just mean what Endpoint's paths and signatures are.
Notes
We recommend that users use both the file path and the digital signature in the third-party AV product to identify Endpoint, if possible. Spaces and formatting are important for the signature values.
Windows
| Value | Note |
|---|---|
| c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe | executable |
| elastic-endpoint.exe | |
| c:\Windows\system32\drivers\elastic-endpoint-driver.sys | ELAM driver |
| c:\Windows\system32\drivers\ElasticElam.sys | driver |
| Elasticsearch, Inc. | |
| Elasticsearch B.V. | a secondary signature that may not continue to be used |

More detailed notes for Windows are in the elastic/endpoint repo.
macOS
| Value | Note |
|---|---|
| /Library/Elastic/Endpoint/elastic-endpoint | executable |
| elastic-endpoint | |
| /Applications/ElasticEndpoint.app/ | system extension, recursive directory structure |
| co.elastic.systemextension | |
| Elasticsearch, Inc (2BT3HPN62Z) | Authority/Developer ID Application |
| 2BT3HPN62Z | Team ID |

Linux
| Value | Note |
|---|---|
| /opt/Elastic/Endpoint/elastic-endpoint | executable |
| elastic-endpoint | |
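One way to confirm the macOS signature values above on a host before copying them into another product's trusted-application list, as an added example that is not part of the original issue and not Elastic's own code. It reads `codesign -dvvv` output for the two macOS paths listed and compares the leaf `Authority=` line and the `TeamIdentifier=` line exactly, so a whitespace or punctuation difference fails the check. The function names are hypothetical, and the full Authority string assumes codesign's usual `Developer ID Application: <name> (<team id>)` layout for the "Authority/Developer ID Application" value the issue gives.

```shell
#!/bin/sh
# Added example, not code from the issue or from the Elastic Endpoint project.
# Verifies that the macOS paths listed in the issue are signed by the expected
# Developer ID before their values are entered into a third-party AV product.

# Expected values, taken from the issue's macOS table. The Authority line is
# assumed to follow codesign's "Developer ID Application: <name> (<team>)" form.
EXPECTED_AUTHORITY="Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)"
EXPECTED_TEAM_ID="2BT3HPN62Z"

# signature_matches "<codesign -dvvv output>"
# Returns 0 when the first Authority= line (the leaf certificate) and the
# TeamIdentifier= line match the expected strings byte for byte, 1 otherwise.
# Exact comparison is deliberate: a missing space or comma means a different
# subject name, not a formatting nit.
signature_matches() {
    output="$1"
    authority=$(printf '%s\n' "$output" | sed -n 's/^Authority=//p' | head -n 1)
    team_id=$(printf '%s\n' "$output" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    [ "$authority" = "$EXPECTED_AUTHORITY" ] && [ "$team_id" = "$EXPECTED_TEAM_ID" ]
}

# verify_endpoint_macos
# Runs codesign against the paths from the issue. Only meaningful on a macOS
# host with Endpoint installed; prints one verdict per path and returns
# non-zero if any path is missing, unsigned, or signed by someone else.
verify_endpoint_macos() {
    rc=0
    for path in /Library/Elastic/Endpoint/elastic-endpoint /Applications/ElasticEndpoint.app/; do
        # codesign writes the signature details to stderr, so capture both streams.
        if ! out=$(codesign -dvvv "$path" 2>&1); then
            echo "FAIL $path: codesign could not read a signature"
            rc=1
            continue
        fi
        if signature_matches "$out"; then
            echo "OK   $path"
        else
            echo "FAIL $path: signer does not match the expected Elastic identity"
            rc=1
        fi
    done
    return $rc
}

# Run the live check only when invoked as: sh verify-endpoint-signer.sh --run
if [ "${1:-}" = "--run" ]; then
    verify_endpoint_macos
fi
```

On Windows the equivalent check is `Get-AuthenticodeSignature` on the listed .exe and .sys paths, comparing the `SignerCertificate.Subject` organization against the signer names in the Windows table; the Linux table gives only a path and process name, so there is no signature to verify there.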