KB Article | Forcepoint Support
Support
  1. Home
  2. Knowledgebase

Excluding Forcepoint Endpoint from Antivirus Scanning

  • Article Number: 000007534
  • Products: Forcepoint DLP, Forcepoint DLP Endpoint, Forcepoint One Endpoint, Forcepoint Web Security Endpoint, TRITON AP-DATA, TRITON AP-ENDPOINT DLP, TRITON AP-ENDPOINT Web, TRITON AP-WEB, Web Filter & Security
  • Version: 8.6, 8.5, 8.4, 8.3, 8.2, 8.1, 8.0, 19, 18
  • Last Published Date: February 18, 2020

Problem Description

Antivirus scanning can degrade the performance of Forcepoint components. This article lists folders and files that should be excluded from antivirus scans.

Please note:
  • Forcepoint's recommendation to exclude specific Forcepoint One Endpoint files or folders from antivirus scans is designed to minimize the risk of software conflict between security agents deployed on the same endpoint machine, which could result in an endpoint machine experiencing performance and stability issues.
  • When you scan these files, performance and operating system reliability problems may occur because of file locking.
  • Do not exclude any files based on the filename extension. For example, do not exclude all files that have a .dit extension.

Refer to your antivirus vendor's documentation for instructions on excluding files from scans.

NOTE: During installation of Forcepoint products, disable antivirus software altogether. After installation, re-enable antivirus software.

Resolution

NOTE: The DLP Endpoint has been renamed several times:

  • TRITON AP-ENDPOINT DLP was renamed Forcepoint DLP Endpoint in v8.4.x.
  • Forcepoint DLP Endpoint was renamed Forcepoint One Endpoint (DLP) in v18.12.x (released with DLP v8.6 and Web Security v8.5.3)
  • Forcepoint DLP Endpoint is again used in v19.03 and higher.

This KBA refers to all DLP Endpoints by its current name: Forcepoint DLP Endpoint


Windows endpoints

The following directories should be excluded from the antivirus software that is deployed to Windows-based endpoint machines:
  • C:\Program Files\Websense\Websense Endpoint
  • Custom folder location defined by the customer
Also exclude the following:

Processes

Forcepoint DLP Endpoint and Forcepoint Web Security Endpoint:
  • ..\Websense\Websense Endpoint\wepsvc.exe
  • ..\Websense\Websense Endpoint\dserui.exe
Forcepoint DLP Endpoint only:
  • ..\Websense\Websense Endpoint\EndpointClassifier.exe
  • ..\Websense\Websense Endpoint\FilterSDK\kvoop.exe
Forcepoint One Endpoint only:
  • ..\Websense\Websense Endpoint\f1eui.exe
  • ..\Websense\Websense Endpoint\fppsvc.exe
Forcepoint Web Security Endpoint only:
  • ..\Websense\Websense Endpoint\tsui.exe (Forcepoint Web Security Direct Connect Endpoint UI process)
  • ..\Websense\Websense Endpoint\proxyui.exe (Forcepoint Web Security Proxy Connect Endpoint UI process)
  • ..\Websense\Websense Endpoint\rfui.exe (Forcepoint Remote Filtering Client UI process)
  • ..\Websense\Websense Endpoint\WEPDiag.exe (Diagnostics tool process.This process only runs on demand. It does not run continuously like the other processes.)

DLL files

  • C:\Windows\System32\QIPCAP.dll
  • C:\Windows\System32\QIPCAP64.dll
  • C:\Windows\System32\QIPOverlay.dll

SYS files

  • C:\Windows\System32\drivers\cwnep.sys
  • C:\Windows\System32\drivers\FpFile.sys (Forcepoint One Endpoint only)
  • C:\Windows\System32\drivers\FpProcess.sys (Forcepoint One Endpoint only)
  • C:\Windows\System32\drivers\qip.sys
  • C:\Windows\System32\drivers\qiptdi.sys
  • C:\Windows\System32\drivers\rnetcore.sys
  • C:\Windows\System32\drivers\WNetCore.sys
  • C:\Windows\System32\drivers\WFPRedir.sys
  • C:\Windows\System32\drivers\WsNetFlt.sys
  • C:\Windows\System32\drivers\WsOMFlt.sys
  • C:\Windows\System32\drivers\WsWfpRF.sys

Mac endpoints

The following directories should be excluded from the antivirus software that is deployed to Mac-based endpoint machines:
  • /Library/Application Support/Websense Endpoint
  • /Library/Mail/Bundles/DataSecurityPlugin.mailbundle
  • /Applications/Forcepoint DLP Endpoint.app
  • /Applications/Forcepoint DC Endpoint.app (if Direct Connect Endpoint is installed)
  • /Applications/Forcepoint PC Endpoint.app (if Proxy Connect Endpoint is installed)
  • /Applications/Forcepoint Decryption Utility.app
Also exclude the following:

Libraries

  • /usr/local/lib/libwep
  • /usr/local/lib/libwep_airdrop.dylib
  • /usr/local/lib/libwep_burn.dylib
  • /usr/local/lib/libwep_cbcarbon.dylib
  • /usr/local/lib/libwep_cbcocoa.dylib
  • /usr/local/lib/libwep_dutil.dylib
  • /usr/local/lib/libwep_ff.dylib
  • /usr/local/lib/libwep_hook.dylib
  • /usr/local/lib/libwep_icloud.dylib
  • /usr/local/lib/libwep_mail.dylib
  • /usr/local/lib/libwep_outlook.dylib
  • /usr/local/lib/libwep_post.dylib
  • /usr/local/lib/libwep_printer.dylib
  • /usr/local/lib/libwep_screen.dylib

Utility tool

  • /usr/local/sbin/wepsvc

 

Article Feedback



Thank you for the feedback and comments.

Want 24/7 Tech Support?

Learn more