Antivirus Detection

Tenable and Microsoft do not recommend installing antivirus, Endpoint Protection Platform (EPP), or Endpoint Detection and Response (EDR) software on domain controllers (or any other tool with a central management console). If you choose to do so, your antivirus/EPP/EDR might detect, and even block or delete, items required for collecting Indicator of Attack (IoA) events on domain controllers.

Tenable Identity Exposure's deployment script for Indicators of Attack does not include malicious code, nor is it even obfuscated. However, occasional detections are normal, given its usage of PowerShell and WMI and the agentless nature of the implementation.

If you encounter issues such as:

  • Error messages during installation

  • False-positive or false-negative detections

To troubleshoot antivirus detection of the installation scripts:

  1. Review your antivirus/EPP/EDR security logs to check for any detection, blocking, or deletion of Tenable Identity Exposure components. Antivirus/EPP/EDR can affect the following components:

    • The ScheduledTasks.xml file in the Tenable Identity Exposure GPO applied to domain controllers.

    • The Tenable Identity Exposure scheduled task on domain controllers that launches PowerShell.exe.

    • The Tenable Identity Exposure Register-TenableADEventsListener.exe process launched on domain controllers.

  2. Add security exceptions in your tools for the affected components.

    • In particular, Symantec Endpoint Protection can raise CL.Downloader!gen27 detections during the IoA installation process. You can add this specific known risk to your exceptions policy.

    • Once the scheduled task is set up, it runs PowerShell to start the Register-TenableADEventsListener.exe process. The antivirus/EPP/EDR software may block this PowerShell script, preventing Indicators of Attack from running properly. Track this process closely and ensure that it runs only once across all monitored domain controllers.

      Examples of file path exclusions for Antivirus/EPP/EDR:

      Register-TenableADEventsListener.exe process
        \\[DOMAIN]\sysvol\[DOMAIN]\Policies\{[GUID_Tenable.ad]}\Machine\IOA\Register-TenableADEventsListener.exe

      ScheduledTasks.xml file
        C:\Users\[User Name]\AppData\Local\Temp\4\Tenable.ad\{[GUID]}\DomainSysvol\GPO\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
        C:\Windows\[SYSVOL]\POLICIES\{[GUID]}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
        \\[DOMAIN.FQDN]\[SYSVOL]\POLICIES\{[GUID]}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
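The two troubleshooting steps above (reviewing security logs for blocked or deleted IoA components, then adding exceptions) can be run from one PowerShell session on a domain controller. The following script is an added example and not Tenable's own deployment script; it assumes Microsoft Defender Antivirus as the AV (other products need exceptions added in their own console, as with the Symantec case above), resolves the GPO GUID from a GPO display name that is a placeholder you must replace, matches the scheduled task with a placeholder name pattern, and assumes the local SYSVOL folder layout `%SystemRoot%\SYSVOL\domain\Policies`. The component paths follow the exclusion examples above.

```powershell
<#
  Added example (not Tenable's code): check a domain controller for AV/EPP/EDR
  interference with the Indicators of Attack components, and optionally add
  Microsoft Defender Antivirus exclusions for them.
  Placeholders you must replace: $GpoDisplayName, $TaskNamePattern.
  Assumption: local SYSVOL lives under $env:SystemRoot\SYSVOL\domain.
#>
param(
    [string]$GpoDisplayName  = 'PLACEHOLDER-Tenable-IoA-GPO',   # hypothetical GPO name
    [string]$TaskNamePattern = '*Tenable*',                      # hypothetical task name pattern
    [switch]$AddExclusions                                       # only modify Defender when asked
)

Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = (Get-ADDomain).DNSRoot
$gpo     = Get-GPO -Name $GpoDisplayName -ErrorAction Stop
$gpoGuid = '{' + $gpo.Id.ToString().ToUpper() + '}'

# Components the page says AV/EPP/EDR may block or delete.
$listenerExe  = "\\$domain\SYSVOL\$domain\Policies\$gpoGuid\Machine\IOA\Register-TenableADEventsListener.exe"
$taskXmlUnc   = "\\$domain\SYSVOL\$domain\Policies\$gpoGuid\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml"
$taskXmlLocal = "$env:SystemRoot\SYSVOL\domain\Policies\$gpoGuid\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml"

# Step 1a: look for Defender detections (1116 = threat detected, 1117 = action taken)
# whose message names one of the IoA components.
$detections = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1116, 1117
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Register-TenableADEventsListener|ScheduledTasks\.xml|Tenable' }

if ($detections) {
    Write-Warning "Defender detections referencing IoA components:"
    $detections | Select-Object TimeCreated, Id, @{n='Message';e={$_.Message.Split("`n")[0]}} | Format-Table -AutoSize
} else {
    Write-Host "No Defender detections referencing IoA components found."
}

# Step 1b: confirm the files are still present (a missing file suggests a deletion).
foreach ($path in $listenerExe, $taskXmlUnc, $taskXmlLocal) {
    $state = if (Test-Path -LiteralPath $path) { 'present' } else { 'MISSING' }
    Write-Host ("{0,-8} {1}" -f $state, $path)
}

# Step 1c: confirm the scheduled task exists and report listener instances per DC.
$task = Get-ScheduledTask | Where-Object { $_.TaskName -like $TaskNamePattern }
if (-not $task) { Write-Warning "No scheduled task matching '$TaskNamePattern' on $env:COMPUTERNAME." }
else { $task | Select-Object TaskName, State | Format-Table -AutoSize }

$dcs = (Get-ADDomainController -Filter *).HostName
$instances = Invoke-Command -ComputerName $dcs -ErrorAction SilentlyContinue -ScriptBlock {
    Get-Process -Name 'Register-TenableADEventsListener' -ErrorAction SilentlyContinue |
        Select-Object @{n='DC';e={$env:COMPUTERNAME}}, Id, StartTime
}
Write-Host ("Register-TenableADEventsListener.exe instances across DCs: {0}" -f @($instances).Count)
$instances | Group-Object DC | ForEach-Object {
    if ($_.Count -gt 1) { Write-Warning ("{0} runs {1} listener instances; expected a single run." -f $_.Name, $_.Count) }
}

# Step 2: add Defender exclusions for the affected components (paths and the listener process).
if ($AddExclusions) {
    Add-MpPreference -ExclusionPath $listenerExe, $taskXmlUnc, $taskXmlLocal
    # ExclusionProcess means files opened by this process are not scanned.
    Add-MpPreference -ExclusionProcess 'Register-TenableADEventsListener.exe'
    Write-Host "Current Defender path exclusions:"
    (Get-MpPreference).ExclusionPath
}
```

Run it first without `-AddExclusions` to read the detection events and component state; rerun with `-AddExclusions` only after confirming which items were blocked or deleted, so the exception stays scoped to the affected components rather than a whole SYSVOL tree.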