Anti-virus Best Practices

This section describes the exclusions required for the Ivanti Workspace Control and its components such as the Workspace Control Console, Agents and Relay Servers. The recommendations apply to real-time scanning by anti-virus products or monitoring software.

In environments running Workspace Control and anti-virus products, it is important to achieve a balance between both. This is necessary to maintain a secure environment with stable servers without interference in performance. As virus scanning is one of the most common causes of performance issues, Ivanti recommends to implement the correct exclusions.

It is important to understand the anti-virus exclusion recommendations presented in this section might expose computers in your Workspace Control environment to a variety of real security threats. However, the following guidelines represent the best balance between security and performance. Ivanti recommends to test the configuration changes before applying them to a production environment.

When excluding the folders and processes described in this section from real-time and/or on-access scanning, these areas must be scanned on a regular basis. This can be done by setting up a scheduled scan at a convenient time to prevent any performance impact. Ivanti recommends to exclude any executables available in the installation directory to not slow down or interfere with Workspace Control.

Exclusions

By default, on 64-bit operating systems the Workspace Control installation directory exists in %programfiles(x86)% instead of %programfiles%. The default installation directory for new installs is Ivanti\Workspace Control. The system variable %respfdir% presents the combination of your Program Files directory and Workspace Control installation folder.

Consider the following:

  • Most anti-virus software work best if all processes are added separately to the real-time and behavior exclusion lists.

  • For some products, multiple exclusion lists can be configured.

  • Try turning off extra features that don't have the option to make exclusions. For example, Trend Micro > Behavior Monitoring > Predictive Machine Learning.

  • Some products do not accept variables and therefor full paths need to be used.

  • If Ivanti Automation is used, Ivanti recommends to also include the exclusions from the following KB article:

    Ivanti Automation Antivirus Best Practices.

  • Be aware that each vendor has its own way of implementing exclusion rules and how to handle the process exclusions.

    For example: in Windows Defender, setting up Process Exclusions via a GPO ensures that each file accessed by an excluded process is not scanned. However, this behavior is not what needs to be configured. The behavior needs to be that the excluded process is left alone, but the files used by the excluded process are still scanned. For Windows Defender this needs to be set up as Path Exclusions. Always check the vendor's documentation on how to implement the correct behavior.

Third-party documentation

Further reading is recommended from the following third-parties: