Splunk Antivirus Exemptions

There are two main parts of a Splunk environment that need exemptions from antivirus software: the hosts that run Splunk Enterprise and the hosts that run the Universal Forwarder. The file locations differ between Windows and Linux. The paths below assume Splunk was installed to its default location; if your environment required installing to another directory, apply that change to the paths. The index store (var/lib/splunk) is listed separately because splunk-launch.conf (SPLUNK_DB) or indexes.conf can relocate it outside the installation directory, and wherever it lives it needs the same exemption. You will also need to check whether any of the scripts run by the apps or add-ons you installed need to be exempted as well. This is the case in my environment, and I have to get any file changes exempted before they will run in the production environment. This can get tricky when you are pushing changes to Universal Forwarders and the folders/files transfer successfully but do not run and return no results.

As of the current release at the time of writing, those locations are:

Splunk Enterprise on Windows Server

\Program Files\Splunk and all subdirectories
\Program Files\Splunk\var\lib\splunk and all subdirectories

Splunk Universal Forwarder on Windows OS

\Program Files\SplunkUniversalForwarder and all subdirectories

Splunk Enterprise on Linux

/opt/splunk and all subdirectories
/opt/splunk/var/lib/splunk and all subdirectories

Splunk Universal Forwarder on Linux OS

/opt/splunkforwarder and all subdirectories

Files to exclude on Windows

splunk-admon.exe
splunk-compresstool.exe
splunk-MonitorNoHandle.exe
splunk-netmon.exe
splunk-optimize-lex.exe
splunk-optimize.exe
splunk-perfmon.exe
splunk-regmon.exe
splunk-winevtlog.exe
splunk-winhostinfo.exe
splunk-winprintmon.exe
splunk-wmi.exe
splunk.exe
splunkd.exe
splunkweb.exe
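As an added example, not from the original post and not Splunk's own tooling: a Windows Defender script that registers the directory and binary exclusions listed above for a default Splunk Enterprise install on Windows and then verifies that they took. The install path, the choice of Defender (Add-MpPreference / Get-MpPreference) rather than another product, and the decision to also add splunkd.exe and splunk-optimize.exe as process exclusions are assumptions; adjust them for your host and your AV.

```powershell
# Added example (not from the original post): register Windows Defender
# exclusions for a default Splunk Enterprise install and verify them.
# Assumes Splunk is installed at the default path below; change $SplunkHome
# (and $SplunkDb if splunk-launch.conf or indexes.conf moved the index store)
# to match your host. Run from an elevated PowerShell session.
$SplunkHome = "C:\Program Files\Splunk"
$SplunkDb   = Join-Path $SplunkHome "var\lib\splunk"

# Directories from the post: the install tree and the index store.
$Paths = @($SplunkHome, $SplunkDb)

# Binaries from the post. Defender path exclusions accept full file paths,
# so each executable is excluded where it lives under $SplunkHome\bin.
$Binaries = @(
    'splunk-admon.exe', 'splunk-compresstool.exe', 'splunk-MonitorNoHandle.exe',
    'splunk-netmon.exe', 'splunk-optimize-lex.exe', 'splunk-optimize.exe',
    'splunk-perfmon.exe', 'splunk-regmon.exe', 'splunk-winevtlog.exe',
    'splunk-winhostinfo.exe', 'splunk-winprintmon.exe', 'splunk-wmi.exe',
    'splunk.exe', 'splunkd.exe', 'splunkweb.exe'
)
$Paths += $Binaries | ForEach-Object { Join-Path $SplunkHome "bin\$_" }

# Defender's -ExclusionProcess does not exclude the process binary itself;
# it stops real-time scanning of files that the named process opens. That is
# what keeps bucket and tsidx writes by splunkd.exe and splunk-optimize.exe
# from being scanned, so add those two as process exclusions as well
# (assumption: these are the writers you care about on an indexer).
$Processes = @('splunkd.exe', 'splunk-optimize.exe')

$Current = Get-MpPreference
# Add only what is missing; Add-MpPreference appends to the existing list.
$NewPaths = $Paths | Where-Object { $Current.ExclusionPath -notcontains $_ }
if ($NewPaths) { Add-MpPreference -ExclusionPath $NewPaths }
$NewProcs = $Processes | Where-Object { $Current.ExclusionProcess -notcontains $_ }
if ($NewProcs) { Add-MpPreference -ExclusionProcess $NewProcs }

# Verify: report anything from the list that Defender still does not show.
$After   = Get-MpPreference
$Missing = @($Paths | Where-Object { $After.ExclusionPath -notcontains $_ }) +
           @($Processes | Where-Object { $After.ExclusionProcess -notcontains $_ })
if ($Missing) {
    Write-Warning "Exclusions not applied: $($Missing -join ', ')"
} else {
    Write-Output "All $($Paths.Count) path and $($Processes.Count) process exclusions present."
}
```

Run it on each Splunk host and again after upgrades, since new binaries can appear under bin. Every exclusion is a blind spot for the scanner, so keep the list minimal, change-control it, and audit it: `Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess` shows the live list, and Defender records configuration changes as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is worth forwarding into Splunk so that an exclusion added by someone other than you stands out.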

Files to exclude on Linux

bloom
btool
btprobe
bzip2
cherryd
classify
exporttool
locktest
locktool
node
python*
splunk
splunkd
splunkmon
tsidxprobe
tsidxprobe_plo
walklex

Author: Logan Bingham

Designing IT solutions for 20 years.
