This page describes practices around security software such as anti-virus, anti-malware, XDR (Extended Detection and Response), EDR (Endpoint Detection and Response) and other similar security software.
Like all software and operating system updates, we recommend testing security software in an offline environment before deploying it on live SCADA systems. This also applies to anti-malware database updates because there is a risk that these updates may have errors which identify good software and behavior as bad (false positives). As a minimum, changes to redundant items in a system should be applied separately, with time allocated for problems to be identified.
This advice applies to server, web server and client installations.
Most security software which performs scanning of files will allow exclusions to be set up. However, it may not be certain that these exclusions apply to all scanning activities. We therefore recommend testing in an offline environment to ensure that the performance and reliability of the system are not affected by file scanning.
The performance of Geo SCADA servers and clients may be affected by anti-malware software. We advise that you review and include file exclusions to prevent such software from read-locking essential Geo SCADA files such as the database and historic files.
Anti-malware products can cause problems with Geo SCADA unless certain exclusions are configured. The "on access" scan in anti-virus products can temporarily lock files used by Geo SCADA, either having the effect of slowing Geo SCADA down whilst it waits for the scan of that file to finish or causing the file save to be aborted resulting in incomplete database files. In addition, scheduled scans may cause a more general performance issue during a scan of the disk due to the large number of files of the Geo SCADA database having to be scanned.
If Geo SCADA is unable to write to a file successfully then, depending on the file, either the database will go into a safe state or the database will not be saved to disk correctly.
Backup and archive times can be drastically improved when anti-virus products are not scanning each file that has to be read from the database and written out to its new location.
For exclusions, we recommend excluding all or parts of the Geo SCADA database (defaults to c:\ProgramData\Schneider Electric\ClearSCADA\Database). We do not recommend excluding the executable file folders c:\Program Files\Schneider Electric\ClearSCADA or c:\Program Files (x86)\Schneider Electric\ClearSCADA.
The simple approach is to exclude the entire Database folder. Sometimes custom locations are set for the different parts of the database, and these will need to be separately excluded. (Check using the Server Configuration tool, in the Locations section).
If you want to minimize the exclusions a little more, then these are the folders (default locations) which we strongly recommend are excluded. They include files which are read or written to under database locks, and the files can be large, so they can cause performance issues if anti-malware software locks a file for a long-running scan. Some of these may not be used on your system.
Again, check whether these locations have been moved on your installation. Specific directories used on your system can be found in the Location section of the Geo SCADA Server Config tool, or within relevant object configurations in the database. Also consider adding the folder(s) you have used for database backup files.
There are other file locations which the Geo SCADA server, ViewX client and Virtual ViewX web server use, and we do not recommend exclusions for them. For example, there are ViewX file caches, systems xml etc.
Under the history, journal, configuration changes and alarm summary directories, sub-directories will be created for each item that has data. If your anti-malware product does not support wildcards in exclusions, then add the entire history, journal and configuration changes directories to the exclusion list.
The above exclusions are recommended for the "on access"/"real time" scan. Scheduled scans, which are usually daily or once a week, should also have these exclusions added, if they are configured separately.
If you are concerned that anti-virus or other software is accessing the Geo SCADA database and causing performance issues, you can find out which external processes are accessing Geo SCADA files by using the Process Monitor utility from SysInternals. Set the filter to default, add a new filter for the path to include the database locations on disk, and then add a second filter to exclude "DBServer.exe". The resulting list should be blank. Any entries shown indicate other processes accessing the database's files, and these may impact performance and stability.
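The same check can be run offline on a saved capture. The following is an added example, not Schneider Electric code: it assumes the Process Monitor capture was saved as CSV with the default columns ("Process Name", "Operation", "Path"), and the sample rows, process names and file names in it are constructed placeholders.

```python
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

# Default database location from this page. Add any custom locations listed
# in the Locations section of the Server Configuration tool.
DB_ROOTS = [r"c:\ProgramData\Schneider Electric\ClearSCADA\Database"]
EXPECTED = {"dbserver.exe"}  # the only process expected to touch these files

def under(path, root):
    """True if path is root or below it (Windows rules: case-insensitive)."""
    p, r = PureWindowsPath(path), PureWindowsPath(root)
    return p == r or r in p.parents

def foreign_access(csv_file, roots=DB_ROOTS):
    """Count (process, operation) events on database files by other processes."""
    hits = Counter()
    for row in csv.DictReader(csv_file):
        if row["Process Name"].lower() in EXPECTED:
            continue
        if any(under(row["Path"] or "", r) for r in roots):
            hits[(row["Process Name"], row["Operation"])] += 1
    return hits

# Constructed sample capture: process and file names are placeholders.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01","DBServer.exe","2100","WriteFile","C:\ProgramData\Schneider Electric\ClearSCADA\Database\sample-a.dat","SUCCESS",""
"10:15:01","avscan.exe","988","CreateFile","C:\PROGRAMDATA\Schneider Electric\ClearSCADA\Database\sample-a.dat","SUCCESS",""
"10:15:02","avscan.exe","988","ReadFile","C:\ProgramData\Schneider Electric\ClearSCADA\Database\sub\sample-b.dat","SUCCESS",""
"10:15:02","avscan.exe","988","ReadFile","C:\ProgramData\Schneider Electric\ClearSCADA\DatabaseOld\sample-c.dat","SUCCESS",""
"10:15:03","avscan.exe","988","CreateFile","C:\ProgramData\Schneider Electric\ClearSCADA\Database\sample-a.dat","SHARING VIOLATION",""
'''

if __name__ == "__main__":
    # For a real export: open(path, newline="", encoding="utf-8-sig")
    for (proc, op), n in foreign_access(io.StringIO(SAMPLE)).most_common():
        print(f"{proc:12} {op:12} {n}")
```

An empty result matches the blank list described above; any process reported is a candidate for an exclusion review.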