KB Article | Forcepoint Support
Support
  1. Home
  2. Knowledgebase

Excluding Forcepoint Endpoint from Antivirus Scanning

  • Article Number: 000007534
  • Products: Forcepoint DLP, Forcepoint DLP Endpoint, Forcepoint One Endpoint, Forcepoint Web Security Endpoint, TRITON AP-ENDPOINT DLP, TRITON AP-ENDPOINT Web
  • Version: 8.6, 8.5, 8.4, 8.3, 8.2, 8.1, 8.0, 20, 19, 18
  • Last Published Date: October 12, 2020

Notes & Warnings

The DLP Endpoint has been renamed several times:

  • TRITON AP-ENDPOINT DLP was renamed to the Forcepoint DLP Endpoint in v8.4.x.
  • Forcepoint DLP Endpoint was renamed to the Forcepoint One Endpoint (DLP) in v18.12.x (released with DLP v8.6 and Web Security v8.5.3)
  • Forcepoint DLP Endpoint is again used in v19.03 and higher.

This KBA refers to all DLP Endpoints by its current name: Forcepoint DLP Endpoint.

The Web Security Endpoint was renamed from TRITON AP-ENDPOINT Web to Forcepoint Web Security Endpoint in v8.4.x.
This KBA refers to all Web Security Endpoints by its current name: Forcepoint Web Security Endpoint.

Problem Description

Antivirus scanning can degrade the performance of Forcepoint components. This article lists folders and files that should be excluded from antivirus scans.

Please note:
  • Forcepoint's recommendation to exclude specific Forcepoint One Endpoint files or folders from antivirus scans is designed to minimize the risk of software conflict between security agents deployed on the same endpoint machine, which could result in an endpoint machine experiencing performance and stability issues.
  • When these files are scanned by an antivirus, performance and operating system reliability problems may occur because of file locking.
  • Do not exclude any files based on the filename extension. For example, do not exclude all files that have a .dit extension.

Refer to your antivirus vendor's documentation for instructions on excluding files from scans.

NOTE During installation of Forcepoint products, disable antivirus software altogether. After installation, re-enable antivirus software.

Resolution

Windows Endpoints

The following directories should be excluded from the antivirus software that is deployed to Windows-based endpoint machines:
  • C:\Program Files\Websense\Websense Endpoint
  • Custom installation directory if defined by the installer
Also exclude the following:

Processes

Forcepoint DLP Endpoint and Forcepoint Web Security Endpoint:
  • ..\Websense\Websense Endpoint\wepsvc.exe
  • ..\Websense\Websense Endpoint\dserui.exe
Forcepoint DLP Endpoint only:
  • ..\Websense\Websense Endpoint\EndpointClassifier.exe
  • ..\Websense\Websense Endpoint\FilterSDK\kvoop.exe
Forcepoint One Endpoint only:
  • ..\Websense\Websense Endpoint\f1eui.exe
  • ..\Websense\Websense Endpoint\fppsvc.exe
Forcepoint Web Security Endpoint only:
  • ..\Websense\Websense Endpoint\tsui.exe (Forcepoint Web Security Direct Connect Endpoint UI process)
  • ..\Websense\Websense Endpoint\proxyui.exe (Forcepoint Web Security Proxy Connect Endpoint UI process)
  • ..\Websense\Websense Endpoint\rfui.exe (Forcepoint Remote Filtering Client UI process)
  • ..\Websense\Websense Endpoint\WEPDiag.exe (Diagnostics tool process.This process only runs on demand. It does not run continuously like the other processes.)
Forcepoint CASB Endpoint only:
  • ..\Websense\Websense Endpoint\SkyfenceSecurityService\certutil.exe
  • ..\Websense\Websense Endpoint\SkyfenceSecurityService\RefreshSettings.exe
  • ..\Websense\Websense Endpoint\SkyfenceSecurityService\sfage.exe
  • ..\Websense\Websense Endpoint\SkyfenceSecurityService\sfsrv.exe

DLL Files

  • C:\Windows\System32\QIPCAP.dll
  • C:\Windows\System32\QIPCAP64.dll
  • C:\Windows\System32\QIPOverlay.dll
  • C:\Windows\SysWOW64\QIPCAP.dll (64-bit Windows)

SYS Files

  • C:\Windows\System32\drivers\cwnep.sys
  • C:\Windows\System32\drivers\FpFile.sys (Forcepoint One Endpoint only)
  • C:\Windows\System32\drivers\FpProcess.sys (Forcepoint One Endpoint only)
  • C:\Windows\System32\drivers\qip.sys
  • C:\Windows\System32\drivers\qiptdi.sys
  • C:\Windows\System32\drivers\rnetcore.sys
  • C:\Windows\System32\drivers\WNetCore.sys
  • C:\Windows\System32\drivers\WFPRedir.sys
  • C:\Windows\System32\drivers\WsNetFlt.sys
  • C:\Windows\System32\drivers\WsOMFlt.sys
  • C:\Windows\System32\drivers\WsWfpRF.sys

Mac Endpoints

The following directories should be excluded from the antivirus software that is deployed to Mac-based endpoint machines:
  • /Library/Application Support/Websense Endpoint
  • /Library/Mail/Bundles/DataSecurityPlugin.mailbundle
  • /Applications/Forcepoint DLP Endpoint.app
  • /Applications/Forcepoint DC Endpoint.app (if Direct Connect Endpoint is installed)
  • /Applications/Forcepoint PC Endpoint.app (if Proxy Connect Endpoint is installed)
  • /Applications/Forcepoint Decryption Utility.app
Also exclude the following:

Libraries

  • /usr/local/lib/libwep
  • /usr/local/lib/libwep_airdrop.dylib
  • /usr/local/lib/libwep_burn.dylib
  • /usr/local/lib/libwep_cbcarbon.dylib
  • /usr/local/lib/libwep_cbcocoa.dylib
  • /usr/local/lib/libwep_dutil.dylib
  • /usr/local/lib/libwep_ff.dylib
  • /usr/local/lib/libwep_hook.dylib
  • /usr/local/lib/libwep_icloud.dylib
  • /usr/local/lib/libwep_mail.dylib
  • /usr/local/lib/libwep_outlook.dylib
  • /usr/local/lib/libwep_post.dylib
  • /usr/local/lib/libwep_printer.dylib
  • /usr/local/lib/libwep_screen.dylib

Utility Tool

  • /usr/local/sbin/wepsvc

Keywords: Endpoint; Windows; MAC; Antivirus Exclusion; Processes; DLL Files; Sys files; Libraries; Utility Tool; Forcepoint One Endpoint; DLP Endpoint; Monitoring Whitelist; MacOS Antivirus Exclusions; McAfee; Tanium; Symantec; Kaspersky

 

Article Feedback



Thank you for the feedback and comments.

Want 24/7 Tech Support?

Learn more