Awesome, this will point me in the right direction on where to look and how to get this deployed. Thanks!
On Thu, Jun 1, 2017 at 11:55 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Kerry,
>
> On 6/1/17 10:47 AM, Kerry Hazelton wrote:
> > I am attempting to deploy a managed antivirus agent to two
> > different machines - one runs RHEL 7.3, kernel version 3.10.0-514;
> > the other runs Microsoft Windows 2012 R2 - and both are hosting web
> > pages served up by Apache Tomcat 7.0.78. What I’d like to know is
> > which processes/services, files and/or directories need to be
> > excluded from the antivirus scans to avoid any potential CPU or
> > memory utilization spikes (or worse, the AV console falsely
> > identifies a legit file as “malicious” and quarantines it).
>
> You can probably whitelist everything in the CATALINA_HOME and
> CATALINA_BASE directories, plus the JVM. But the JVM will probably
> only be scanned once on startup and the same thing is true of
> everything in CATALINA_HOME and CATALINA_BASE.
>
> If the server is being kept up-to-date, you may have to update the
> antivirus's settings because CATALINA_HOME and the JVM paths will
> likely change.
>
> > I’d also like to know which specific TCP/UDP ports will need to be
> > whitelisted to permit inbound and outbound traffic from our web
> > developer workstations, since their VLAN is segregated from the
> > rest of the network. I already know which ports to open on the
> > firewall to allow the antivirus agents to talk back to the console;
> > I just need to figure out the other ports to open.
>
> The ports will be dependent upon what the Tomcat administrator has
> configured in Tomcat. Unless there are some XML includes being used
> (which is fairly rare, but not unheard of), everything you need will
> be in CATALINA_BASE/conf/server.xml. Look for lines that look like this:
>
>   <Connector port="XXX"
>
> ...where XXX is the port number being used. Check to see if there is
> an "address" attribute on the XML element: if there is one and it's
> something like "127.0.0.1" or "::" then you won't have to open a
> firewall port, of course.
>
> There may be more than one connector.
>
> My recommendation would be to speak to the Tomcat administrator(s) to
> find out what they expect to keep open.
>
> > Before I go any further, I’d like to stress the following:
> >
> > * I wasn’t the one who set up these servers; I was merely tasked
> > with getting the antivirus agents deployed on them. The system
> > administrator who set these up doesn’t know which Linux processes,
> > Windows services, files or directories to exclude, as he left that
> > up to me to figure out.
>
> Awesome. Who is the admin for Tomcat itself? Same person? If so, tell
> them to do their job. :(
>
> > * I have already contacted the AV vendor's support team, and they
> > have indicated they have no documentation that specifically covers
> > any version of Apache Tomcat.
>
> That's not terribly surprising.
>
> > * The last search on Google I used was “Apache Tomcat 7.x
> > antivirus exclusions” and I didn’t see any results that were
> > specific to my query. Same with “Apache Tomcat 7.x firewall
> > exclusions”.
> >
> > * I looked through the Information Security group on Stack Exchange
> > with the same queries as above, and again I didn’t see anything
> > promising nor specific to my queries.
> >
> > * I attempted to search the mailing list archives using the search
> > terms “antivirus exclusions” and “firewall permissions”; again, I
> > didn’t see any answers that were specific to my queries.
> >
> > * Yes, I’m aware of the risks involved by excluding specific
> > processes/services, files and directories. I have tried to
> > convince the management of these risks but to no avail. They have
> > agreed to accept them, along with any consequences that may occur.
>
> You should try to convince management that virus scanners are
> completely useless, and save yourself a whole lot of time and
> resources. Then you'll have one less thing to do. :)
>
> You could just let the antivirus do whatever it will do by default,
> and then open things up individually until things start working again.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJZMDkGAAoJEBzwKT+lPKRY2dYP/0pDPcNHxvFeSAn3uvORc18h
> qfk36sQGy4UAui+nZ+x+BDi3SkA+ABQhSATz9oXejJaAAODgui0B1m4OoXcDmUNa
> fUbMu60f+yjn909FgRJNICWbFZIa1ahpYboTtn7T65BWAW//XLn98CXYJiJjhPJk
> 9/KywVeHOe+9BRCRQPym3I/0ATHO2CT2ik9NxGr1SRF8fc3qIBEerkv1WfnGSq8Y
> 0UvUlVpIHB4cTGZCMzkUpL+8/RshPWc3qCKFIwAC4XiW0XZKvc33L+krwZLxejVk
> gATVCPkEwij4mOUqAxx27fp19AUyqmDdr84r/Q8nkOpxZIXZOR3Mg5I1oZQsPpBQ
> WIwo9Z/N5nLpYvtbs2Tp1qGsAq21TvEn6B+7nS9UtiQlFlVtk0Q2xo3ja+bjnxMR
> 14BdM4Gsz3ZV/tkTZ9t8lhwOc2eiLsQGwGXPOvd+1hz/JOcO5Yi1evIUCfJMXAbf
> 3Xj58R0lGd2XlffLZ5qhcc84B9zpxn+5XplijQWVN4opMM/KjFPSoTwwYd7SBU8X
> hc9QYru+YkQxPe1z1eExuI6nvmYLZL1G2vQ8ftu/I1lo9RWCn7rGrfCHSJnAgOyd
> voXLtn+kb0QgRvHoZGlHkSk7huL7rfSPiUnqNrnXWh5coq4gb7dsC2xV+RaN4PlW
> +uT1rtgcmu+r5A8Ax1an
> =8cAP
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
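The server.xml walk Chris describes (find every `<Connector port="...">`, then check its `address` attribute) is easy to do by hand once, but the firewall request has to be repeated whenever the Tomcat admin changes the configuration. The script below is an added example, not code from this thread or from the Tomcat project; it parses a constructed cut-down server.xml, lists each listening socket, and marks which ones need an inbound rule from the developer VLAN. It treats `127.0.0.1`, `::1` and `localhost` as loopback and a missing `address` (or `0.0.0.0` / `::`) as bound on every interface. It goes slightly beyond the mail in two ways: it also reports the `<Server port="...">` shutdown listener (which Tomcat binds to localhost unless an `address` attribute says otherwise, and which `port="-1"` disables), and it flags `${...}` placeholder ports that can only be resolved from the JVM's system properties. The function names and the sample file are assumptions of this example.

```python
"""Enumerate the listening sockets declared in a Tomcat server.xml and say
which of them would need an inbound firewall rule. Hypothetical helper,
not part of Tomcat."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml, cut down to the elements that carry ports.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP, no address attribute: bound on every interface -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" />
    <!-- HTTPS, also bound on every interface -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
    <!-- AJP restricted to a reverse proxy on the same host -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
    <!-- IPv6 loopback -->
    <Connector port="8081" protocol="HTTP/1.1" address="::1" />
    <!-- port comes from a system property; not resolvable from the file alone -->
    <Connector port="${app.port}" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def is_loopback(address):
    """True when the bind address keeps the socket on the local host only."""
    if address is None:
        return False          # absent attribute: Tomcat listens on all interfaces
    address = address.strip()
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback   # 127.0.0.1, ::1
    except ValueError:
        return False          # some other hostname: assume it is reachable


def describe(port, address, protocol):
    """One record per listening socket; needs_firewall_rule is None when the
    port is a ${...} placeholder that only the running JVM can resolve."""
    if port is None or not port.isdigit():
        return {"port": port, "protocol": protocol, "address": address,
                "needs_firewall_rule": None}
    return {"port": int(port), "protocol": protocol, "address": address,
            "needs_firewall_rule": not is_loopback(address)}


def listening_ports(xml_text):
    """Parse server.xml text and return the shutdown listener plus every
    <Connector>, wherever it sits under <Service>."""
    root = ET.fromstring(xml_text)
    entries = []
    # The shutdown port on <Server> binds to localhost unless an address
    # attribute overrides it; port="-1" turns the listener off entirely.
    shutdown_port = root.get("port")
    if shutdown_port is not None and shutdown_port != "-1":
        entries.append(describe(shutdown_port, root.get("address", "localhost"),
                                "shutdown"))
    for conn in root.iter("Connector"):
        entries.append(describe(conn.get("port"), conn.get("address"),
                                conn.get("protocol", "HTTP/1.1")))
    return entries


def firewall_ports(entries):
    """Sorted TCP ports that need an inbound rule from the developer VLAN."""
    return sorted(e["port"] for e in entries if e["needs_firewall_rule"])


def unresolved_ports(entries):
    """Port values that must be checked against the JVM's system properties."""
    return [e["port"] for e in entries if e["needs_firewall_rule"] is None]


if __name__ == "__main__":
    # For a real host: ET.parse(CATALINA_BASE + "/conf/server.xml").getroot()
    found = listening_ports(SAMPLE_SERVER_XML)
    for e in found:
        print(f'{e["protocol"]:<45} port={e["port"]!s:<12} '
              f'address={e["address"]!s:<12} firewall={e["needs_firewall_rule"]}')
    print("open inbound:", firewall_ports(found))
    print("resolve via system properties:", unresolved_ports(found))
```

On the sample file the script reports 8080 and 8443 as the only ports that need an inbound rule, keeps 8005, 8009 and 8081 off the list because they are loopback-bound, and lists `${app.port}` for manual follow-up. Run it against the real `CATALINA_BASE/conf/server.xml` on each host after every Tomcat upgrade, since that is exactly when the paths and connectors tend to move; the output is also a handy list to hand to the Tomcat administrator for confirmation, which is still the step Chris recommends.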