Excluding Forcepoint files from antivirus scans

Applies to:
  • Forcepoint Web Security and Forcepoint URL Filtering, v8.5.x
  • Forcepoint DLP, v8.5.x, v8.6.x, v8.7.x, v8.8.x, v8.9.x, v9.0, v10.x
  • Forcepoint Email Security, v8.5.x
  • Forcepoint appliances, v8.5.x

Antivirus scanning can degrade the performance of Forcepoint security components. This article lists folders and files that should be excluded from antivirus scans.

Please note:

  • Forcepoint is not aware of a risk in excluding the files or folders that are mentioned in this section from your antivirus scans. However, it is possible that your system would be safer if you did not exclude them.
  • When you scan these files, performance and operating system reliability problems may occur because of file locking.
  • Do not exclude any files based on the filename extension. For example, do not exclude all files that have a .dit extension.
  • All the files and folders that are described in this section are protected by default permissions to allow only SYSTEM and administrator access, and they contain only operating system components. Excluding an entire folder may be simpler but may not provide as much protection as excluding specific files based on file names.

Refer to your antivirus vendor’s documentation for instructions on excluding files from scans.

Note: During installation of Forcepoint products, disable antivirus software altogether. After installation, be sure to re-enable antivirus software.
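
The notes above rest on two conditions: no extension-based exclusions, and excluded locations writable only by SYSTEM and administrators. The following PowerShell audit is an added example, not Forcepoint code; it assumes Microsoft Defender is the antivirus in use, and the function name Get-ExclusionFinding is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not Forcepoint code. Assumes Microsoft Defender is the antivirus.

# SIDs allowed to hold write access on an excluded path.
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER (inherit-only placeholder)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal plant or replace files; 0x50000000 = GENERIC_WRITE | GENERIC_ALL.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = [int]$rights -bor 0x50000000

function Get-ExclusionFinding {
    $pref = Get-MpPreference

    # Guidance above: do not exclude files based on the file name extension.
    foreach ($ext in $pref.ExclusionExtension) {
        [pscustomobject]@{ Type = 'Extension'; Item = $ext; Detail = 'Extension-based exclusion' }
    }

    # In Defender, a process excluded by bare image name matches that name in any folder.
    foreach ($proc in $pref.ExclusionProcess) {
        if ($proc -notmatch '[\\/]') {
            [pscustomobject]@{ Type = 'Process'; Item = $proc; Detail = 'No full path given' }
        }
    }

    # Entries with wildcards or environment variables do not resolve here; review them by hand.
    foreach ($path in $pref.ExclusionPath) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $acl = Get-Acl -LiteralPath $path
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $canWrite = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and $ace.IdentityReference.Value -notin $TrustedSids) {
                [pscustomobject]@{ Type = 'Path'; Item = $path; Detail = "Writable by $($ace.IdentityReference.Value)" }
            }
        }
    }
}

Get-ExclusionFinding | Format-Table -AutoSize -Wrap
```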

Disabling antivirus for web protection solutions

It is a best practice to exclude the installation directory (includes subdirectories) from antivirus scans. By default this directory is:

  • Windows (Forcepoint management server):

    *:\Program Files (x86)\Websense

  • Windows (all others):

    *:\Program Files\Websense

  • Linux:

    /opt/Websense/

Disabling antivirus for Forcepoint DLP

Management servers

It is a best practice to exclude the following (includes subdirectories) from antivirus scans.

  • The product installation folder, which is one of the following:
    • *:\Program Files\Websense
    • *:\Program Files (x86)\Websense
  • *:\Program files\Microsoft SQL Server\*.*
  • %localappdata%\Temp*.*

    Example: C:\Users\<user>\AppData\Local\Temp

    '<user>' refers to the DLP service account used to install the DLP Management servers.

  • %WINDIR%\Temp\*.*
  • The forensics repository (configurable; defaults to installation folder)

Non-management servers

On non-management servers, such as Forcepoint DLP standalone agents, exclude the following directories from antivirus scanning:

  • The folder where Forcepoint DLP was installed. By default, this is one of the following:
    • Program Files\Websense\
    • Program Files (x86)\Websense\*.*
  • *:\Inetpub\mailroot\*.* - (typically at the OS folder)
  • *:\Inetpub\wwwroot\*.* - (typically at the OS folder)
  • %localappdata%\Temp*.*

    Example: C:\Users\<user>\AppData\Local\Temp

    '<user>' refers to the DLP service account used to install the DLP Management servers.

  • %WINDIR%\Temp\*.*
  • The forensics repository (configurable; defaults to the installation folder)

Note: This document lists the default installation folders. You can configure the software to install to other locations. The FP-Repository folder is usually located inside the installation folder.

Windows endpoints

The following directories should be excluded from the antivirus software that is deployed to Windows-based endpoint machines:

  • C:\Program Files\Websense\Websense Endpoint
  • Custom folder location defined by the customer
Also exclude the following:
  • Processes
    Forcepoint DLP Endpoint and Forcepoint Web Security Endpoint:
    • ..\Websense\Websense Endpoint\wepsvc.exe
    • ..\Websense\Websense Endpoint\dserui.exe
    Forcepoint DLP Endpoint only:
    • ..\Websense\Websense Endpoint\EndpointClassifier.exe
    • ..\Websense\Websense Endpoint\FilterSDK\kvoop.exe
    Forcepoint F1E only:
    • ..\Websense\Websense Endpoint\f1eui.exe
    • ..\Websense\Websense Endpoint\fppsvc.exe
    Forcepoint Web Security Endpoint only:
    • ..\Websense\Websense Endpoint\tsui.exe (Forcepoint Web Security Direct Connect Endpoint UI process)
    • ..\Websense\Websense Endpoint\proxyui.exe (Forcepoint Web Security Proxy Connect Endpoint UI process)
    • ..\Websense\Websense Endpoint\rfui.exe (Forcepoint Remote Filtering Client UI process)
    • ..\Websense\Websense Endpoint\WEPDiag.exe (Diagnostics tool process. This process only runs on demand. It does not run continuously like the other processes.)

    Forcepoint CASB Endpoint only:

    • ..\Websense\Websense Endpoint\SkyfenceSecurityService\certutil.exe
    • ..\Websense\Websense Endpoint\SkyfenceSecurityService\RefreshSettings.exe
    • ..\Websense\Websense Endpoint\SkyfenceSecurityService\sfage.exe
    • ..\Websense\Websense Endpoint\SkyfenceSecurityService\sfsrv.exe
  • DLL files
    • C:\Windows\System32\QIPCAP.dll
    • C:\Windows\System32\QIPCAP64.dll
    • C:\Windows\System32\QIPOverlay.dll
  • SYS files
    • C:\Windows\System32\drivers\cwnep.sys
    • C:\Windows\System32\drivers\FpFile.sys (Forcepoint F1E only)
    • C:\Windows\System32\drivers\FpProcess.sys (Forcepoint F1E only)
    • C:\Windows\System32\drivers\qip.sys
    • C:\Windows\System32\drivers\qiptdi.sys
    • C:\Windows\System32\drivers\rnetcore.sys
    • C:\Windows\System32\drivers\WNetCore.sys
    • C:\Windows\System32\drivers\WFPRedir.sys
    • C:\Windows\System32\drivers\WsNetFlt.sys
    • C:\Windows\System32\drivers\WsOMFlt.sys
    • C:\Windows\System32\drivers\WsWfpRF.sys

Mac endpoints

The following directories should be excluded from the antivirus software that is deployed to Mac-based endpoint machines:
  • /Library/Application Support/Websense Endpoint
  • /Library/Mail/Bundles/DataSecurityPlugin.mailbundle
  • /Applications/Forcepoint DLP Endpoint.app
  • /Applications/Forcepoint DC Endpoint.app (if Direct Connect Endpoint is installed)
  • /Applications/Forcepoint PC Endpoint.app (if Proxy Connect Endpoint is installed)
  • /Applications/Forcepoint Decryption Utility.app
Also exclude the following:
  • Libraries
    • /usr/local/lib/libwep
    • /usr/local/lib/libwep_airdrop.dylib
    • /usr/local/lib/libwep_burn.dylib
    • /usr/local/lib/libwep_cbcarbon.dylib
    • /usr/local/lib/libwep_cbcocoa.dylib
    • /usr/local/lib/libwep_dutil.dylib
    • /usr/local/lib/libwep_ff.dylib
    • /usr/local/lib/libwep_hook.dylib
    • /usr/local/lib/libwep_icloud.dylib
    • /usr/local/lib/libwep_mail.dylib
    • /usr/local/lib/libwep_outlook.dylib
    • /usr/local/lib/libwep_post.dylib
    • /usr/local/lib/libwep_printer.dylib
    • /usr/local/lib/libwep_screen.dylib
  • Utility tool
    • /usr/local/sbin/wepsvc

Disabling antivirus for Forcepoint Email Security

It is a best practice to exclude the installation folder (includes subfolders), by default:

*:\Program Files\Websense

or

*:\Program Files (x86)\Websense

Also exclude any Forcepoint DLP folders that apply (see Disabling antivirus for Forcepoint DLP).