From 9ce16d122903424e14f37bc68c4905908c5fe971 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Fri, 8 Dec 2023 16:44:20 -0800 Subject: [PATCH 1/5] Adds new page about allowlisting Elastic Endpoint --- .../allowlist-endpoint-3rd-party-av.asciidoc | 53 +++++++++++++++++++ docs/management/manage-intro.asciidoc | 1 + 2 files changed, 54 insertions(+) create mode 100644 docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc diff --git a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc new file mode 100644 index 0000000000..5f5d23aa53 --- /dev/null +++ b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc 
@@ -0,0 +1,53 @@ +[[allowlist-endpoint-3rd-party-av-apps]] += Allowlist Elastic Endpoint in third-party antivirus apps + +Third-party antivirus (AV) applications may identify the expected behavior of {elastic-endpoint} as a potential threat. Add {elastic-endpoint}'s digital signatures and file paths to your AV software's allowlist to ensure {elastic-endpoint} continues to function as intended. + +NOTE: Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. + +NOTE: We recommend you allowlist both the file paths and digital signatures, if applicable. + +[discrete] +== Allowlist {elastic-endpoint} on Windows + +File paths: + +* ELAM driver: `c:\Windows\system32\drivers\elastic-endpoint-driver.sys (ELAM driver)` +* Driver: `c:\Windows\system32\drivers\ElasticElam.sys` +* Executable: `c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe` ++ +NOTE: The executable runs as `elastic-endpoint.exe` + +Digital signatures: + +* `Elasticsearch, Inc.` +* `Elasticsearch B.V.` + +For additional information about allowlisting on Windows, refer to https://github.com/elastic/endpoint/blob/main/PerformanceIssues-Windows.md#trusting-elastic-defend-in-other-software[Trusting Elastic Defend in other software]. + +[discrete] +== Allowlist {elastic-endpoint} on macOS + +File paths: + +* System extension (recursive directory structure): `/Applications/ElasticEndpoint.app/` ++ +NOTE: The system extension runs as `co.elastic.systemextension`. + +* Executable: `/Library/Elastic/Endpoint/elastic-endpoint` ++ +NOTE: The executable runs as `elastic-endpoint.exe`. + +Digital signatures: + +* Authority/Developer ID Application: `Elasticsearch, Inc (2BT3HPN62Z)` +* Team ID: `2BT3HPN62Z` + +[discrete] +== Allowlist {elastic-endpoint} on Linux + +File path: + +* Executable: `/opt/Elastic/Endpoint/elastic-endpoint` ++ +NOTE: The executable runs as `elastic-endpoint` \ No newline at end of file 
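Review bot: the two Windows driver bullets look swapped relative to their file names: `ElasticElam.sys` is labelled only "Driver", while `elastic-endpoint-driver.sys` is labelled "ELAM driver" (and repeats "(ELAM driver)" inside the code span, so the path as shown will not match anything on disk). Please confirm which file is the Early Launch Anti-Malware driver and label the bullets accordingly; drop the parenthetical from inside the backticks either way. Second, the macOS executable note says it runs as `elastic-endpoint.exe`, which is the Windows binary name; the macOS bullet lists `/Library/Elastic/Endpoint/elastic-endpoint`, so the note should read `elastic-endpoint`. Minor: the Windows executable note is missing its terminating period and the new file lacks a trailing newline.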
diff --git a/docs/management/manage-intro.asciidoc b/docs/management/manage-intro.asciidoc index c89cc11ff5..25ee38ef44 100644 --- a/docs/management/manage-intro.asciidoc +++ b/docs/management/manage-intro.asciidoc @@ -15,3 +15,4 @@ include::{security-docs-root}/docs/management/admin/event-filters.asciidoc[level include::{security-docs-root}/docs/management/admin/host-isolation-exceptions.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/blocklist.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/endpoint-artifacts.asciidoc[leveloffset=+1] +include::{security-docs-root}/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+1] \ No newline at end of file From 3cf9d957556989f7eb02ecdbb9e8a5d75eb8d4b8 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Mon, 11 Dec 2023 12:43:32 -0800 Subject: [PATCH 2/5] Update docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com> --- docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc index 5f5d23aa53..a98fdf4787 100644 --- a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc +++ b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc @@ -12,7 +12,7 @@ NOTE: We recommend you allowlist both the file paths and digital signatures, if File paths: -* ELAM driver: `c:\Windows\system32\drivers\elastic-endpoint-driver.sys (ELAM driver)` +* ELAM driver: `c:\Windows\system32\drivers\elastic-endpoint-driver.sys` * Driver: `c:\Windows\system32\drivers\ElasticElam.sys` * Executable: `c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe` + 
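Review bot: this removes the duplicated "(ELAM driver)" from inside the code span, but the labelling question remains: the bullet headed "ELAM driver" still points at `elastic-endpoint-driver.sys`, while `ElasticElam.sys`, whose name suggests it is the Early Launch Anti-Malware driver, is labelled only "Driver". If the files are in fact the other way round, swap the two labels in this hunk rather than in a follow-up; if the current labels are correct, a short description on the second bullet (what `ElasticElam.sys` is) would stop readers second-guessing the list before they paste it into an allowlist.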
From 903d60bcd072af9d00f38b4708a28e3bf9daad9f Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Mon, 11 Dec 2023 12:43:41 -0800 Subject: [PATCH 3/5] Update docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com> --- docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc index a98fdf4787..b4294e6712 100644 --- a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc +++ b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc @@ -36,7 +36,7 @@ NOTE: The system extension runs as `co.elastic.systemextension`. * Executable: `/Library/Elastic/Endpoint/elastic-endpoint` + -NOTE: The executable runs as `elastic-endpoint.exe`. +NOTE: The executable runs as `elastic-endpoint`. Digital signatures: From 09f651873fea4c629512ca04bb9d5b44e8621ac9 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Wed, 13 Dec 2023 11:57:08 -0800 Subject: [PATCH 4/5] incorporates feedback --- .../admin/allowlist-endpoint-3rd-party-av.asciidoc | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc index b4294e6712..9abc83e12d 100644 --- a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc +++ b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc 
@@ -1,12 +1,11 @@ [[allowlist-endpoint-3rd-party-av-apps]] = Allowlist Elastic Endpoint in third-party antivirus apps -Third-party antivirus (AV) applications may identify the expected behavior of {elastic-endpoint} as a potential threat. Add {elastic-endpoint}'s digital signatures and file paths to your AV software's allowlist to ensure {elastic-endpoint} continues to function as intended. +Third-party antivirus (AV) applications may identify the expected behavior of {elastic-endpoint} as a potential threat. Add {elastic-endpoint}'s digital signatures and file paths to your AV software's allowlist to ensure {elastic-endpoint} continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable. NOTE: Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. -NOTE: We recommend you allowlist both the file paths and digital signatures, if applicable. - +[[allowlist-endpoint-on-windows]] [discrete] == Allowlist {elastic-endpoint} on Windows @@ -16,7 +15,7 @@ File paths: * Driver: `c:\Windows\system32\drivers\ElasticElam.sys` * Executable: `c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe` + -NOTE: The executable runs as `elastic-endpoint.exe` +NOTE: The executable runs as `elastic-endpoint.exe`. Digital signatures: @@ -25,6 +24,7 @@ Digital signatures: For additional information about allowlisting on Windows, refer to https://github.com/elastic/endpoint/blob/main/PerformanceIssues-Windows.md#trusting-elastic-defend-in-other-software[Trusting Elastic Defend in other software]. +[[allowlist-endpoint-on-macos]] [discrete] == Allowlist {elastic-endpoint} on macOS 
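Review bot: the merged intro now says the same thing twice: "Add {elastic-endpoint}'s digital signatures and file paths to your AV software's allowlist" is immediately followed by "We recommend you allowlist both the file paths and digital signatures, if applicable." Keep one of them, for example fold the "if applicable" qualifier into the first sentence and drop the second, so the paragraph does not read as a recommendation appended to an instruction that already gives it. The added `[[allowlist-endpoint-on-windows]]` and `[[allowlist-endpoint-on-macos]]` anchors and the period on the executable note are fine.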
@@ -34,7 +34,7 @@ File paths: + NOTE: The system extension runs as `co.elastic.systemextension`. -* Executable: `/Library/Elastic/Endpoint/elastic-endpoint` +* Executable: `/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint` + NOTE: The executable runs as `elastic-endpoint`. @@ -43,6 +43,7 @@ Digital signatures: * Authority/Developer ID Application: `Elasticsearch, Inc (2BT3HPN62Z)` * Team ID: `2BT3HPN62Z` +[[allowlist-endpoint-on-linux]] [discrete] == Allowlist {elastic-endpoint} on Linux @@ -50,4 +51,4 @@ File path: * Executable: `/opt/Elastic/Endpoint/elastic-endpoint` + -NOTE: The executable runs as `elastic-endpoint` \ No newline at end of file +NOTE: The executable runs as `elastic-endpoint`. \ No newline at end of file From 4e0061ec2d19431bd3eb43b325588c607c47052a Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Wed, 20 Dec 2023 09:54:50 -0800 Subject: [PATCH 5/5] incorporates Gabriel Landau's feedback --- docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc index 9abc83e12d..3a53338b53 100644 --- a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc +++ b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc 
@@ -3,7 +3,7 @@ Third-party antivirus (AV) applications may identify the expected behavior of {elastic-endpoint} as a potential threat. Add {elastic-endpoint}'s digital signatures and file paths to your AV software's allowlist to ensure {elastic-endpoint} continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable. -NOTE: Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. +NOTE: Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes. [[allowlist-endpoint-on-windows]] [discrete]
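Review bot: the new NOTE says that file, folder and path-based exclusions "are distinct from trusted applications and will not achieve the same result", yet the intro sentence immediately above tells readers to add {elastic-endpoint}'s "file paths" to the AV allowlist, and every platform section is headed "File paths:". As written the page contradicts itself in consecutive lines. Suggest rewording the intro so the paths are clearly there to identify the processes the AV should trust (the executables and drivers listed below), for example "Add {elastic-endpoint}'s executables, identified by the paths below, and its digital signatures as trusted applications in your AV software", and relabelling the per-platform lists to match. The explanatory sentence "This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes" is the key point of the page and belongs in the body, not in a NOTE aside.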