Kerry,

On 6/1/17 10:47 AM, Kerry Hazelton wrote:
> I am attempting to deploy a managed antivirus agent to two
> different machines - one runs RHEL 7.3, kernel version 3.10.0-514;
> the other runs Microsoft Windows 2012 R2 - and both are hosting web
> pages served up by Apache Tomcat 7.0.78.  What I’d like to know is
> which processes/services, files and/or directories need to be
> excluded from the antivirus scans to avoid any potential CPU or
> memory utilization spikes (or worse, the AV console falsely
> identifies a legit file as “malicious” and quarantines it).

You can probably whitelist everything in the CATALINA_HOME and
CATALINA_BASE directories, plus the JVM. But the JVM will probably
only be scanned once on startup and the same thing is true of
everything in CATALINA_HOME and CATALINA_BASE.

If the server is being kept up-to-date, you may have to update the
antivirus's settings because CATALINA_HOME and the JVM paths will
likely change.

> I’d also like to know which specific TCP/UDP ports will need to be 
> whitelisted to permit inbound and outbound traffic from our web
> developer workstations, since their VLAN is segregated from the
> rest of the network. I already know which ports to open on the
> firewall to allow the antivirus agents to talk back to the console;
> I just need to figure out the other ports to open.

The ports will be dependent upon what the Tomcat administrator has
configured in Tomcat. Unless there are some XML includes being used
(which is fairly rare, but not unheard of), everything you need will
be in CATALINA_BASE/conf/server.xml. Look for lines that look like this:

<Connector port="XXX"

...where XXX is the port number being used. Check to see if there is
an "address" attribute on the XML element: if there is one and it's
something like "127.0.0.1" or "::" then you won't have to open a
firewall port, of course.

There may be more than one connector.

My recommendation would be to speak to the Tomcat administrator(s) to
find out what they expect to keep open.

> Before I go any further, I’d like to stress the following:
> 
> * I wasn’t the one who set up these servers; I was merely tasked
> with getting the antivirus agents deployed on them.  The system
> administrator who set these up doesn’t know which Linux processes,
> Windows services, files or directories to exclude; as he left that
> up to me to figure out.

Awesome. Who is the admin for Tomcat itself? Same person? If so, tell
them to do their job. :(

> * I have already contacted the AV vendor's support team, and they
> have indicated they have no documentation that specifically covers
> any version of Apache Tomcat.

That's not terribly surprising.

> * The last search on Google I used was “Apache Tomcat 7.x
> antivirus exclusions” and I didn’t see any results that were
> specific to my query. Same with “Apache Tomcat 7.x firewall
> exclusions”.
> 
> * I looked through the Information Security group on Stack Exchange
> with the same queries as above, and again I didn’t see anything
> promising nor specific to my queries.
> 
> * I attempted to search the mailing list archives using the search
> terms “antivirus exclusions” and “firewall permissions”; again, I
> didn’t see any answers that were specific to my queries.
> 
> * Yes, I’m aware of the risks involved by excluding specific 
> processes/services, files and directories.  I have tried to
> convince the management of these risks but to no avail.  They have
> agreed to accept them, along with any consequences that may occur.

You should try to convince management that virus scanners are
completely useless, and save yourself a whole lot of time and
resources. Then you'll have one less thing to do. :)

You could just let the antivirus do whatever it will do by default,
and then open things up individually until things start working again.

-chris
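Added example, not part of this thread and not Tomcat project code: a small Python script that pulls the two things asked for above (paths to exclude from the scanner, and ports that need a firewall rule) out of a running Tomcat's JVM command line and its CATALINA_BASE/conf/server.xml, so the answer comes from the instance itself rather than from a guess. The command line, the file paths and the server.xml are constructed samples. Assumptions: the instance was started by catalina.sh, which passes -Dcatalina.home, -Dcatalina.base and -Djava.io.tmpdir (a Windows service installed via procrun is launched differently and is not handled); XML entity includes in server.xml are not resolved; and address handling follows socket semantics, so a connector with no address attribute, "0.0.0.0" or "::" (the IPv6 unspecified address) listens on all interfaces and needs a rule, while only 127.0.0.1, ::1 and localhost are treated as loopback.

```python
"""Derive the per-instance facts an AV exclusion / firewall request for Tomcat
needs: the paths to exclude and the TCP listeners, read from the JVM command
line and from CATALINA_BASE/conf/server.xml."""
import os
import re
import shlex
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed sample of a catalina.sh-style JVM command line (hypothetical paths).
SAMPLE_CMDLINE = (
    "/usr/lib/jvm/java-1.8.0-openjdk/bin/java "
    "-Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties "
    "-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager "
    "-Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat "
    "-Djava.io.tmpdir=/opt/tomcat/temp "
    "-classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar "
    "org.apache.catalina.startup.Bootstrap start"
)

# Constructed sample modelled on a stock Tomcat 7 server.xml (not a real server's file).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443"/>
    <Connector port="8081" protocol="HTTP/1.1" address="::"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

PATH_PROPS = ("catalina.home", "catalina.base", "java.io.tmpdir")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def exclusion_paths(cmdline: str) -> List[str]:
    """Paths to hand to the AV console: the JVM binary (the process image),
    CATALINA_HOME, CATALINA_BASE and the JVM temp dir. A path that sits inside
    another listed path is collapsed into its parent."""
    argv = shlex.split(cmdline)
    found = {argv[0]}  # argv[0] is the java binary; resolve symlinks on the real host
    pattern = re.compile(r"-D(%s)=(.+)" % "|".join(re.escape(p) for p in PATH_PROPS))
    for arg in argv[1:]:
        m = pattern.match(arg)
        if m:
            found.add(os.path.normpath(m.group(2)))
    return sorted(p for p in found
                  if not any(p != q and p.startswith(q.rstrip("/") + "/") for q in found))


@dataclass
class Listener:
    kind: str          # "connector" or "shutdown"
    port: int
    address: str       # as configured; "" means every interface
    protocol: str
    loopback_only: bool


def listeners(server_xml: str) -> List[Listener]:
    """Every TCP listener server.xml declares, including the shutdown port on the
    <Server> element (defaults to localhost; -1 disables it) and each <Connector>
    under every <Service>. Missing address, "0.0.0.0" and "::" all bind every
    interface, so only the explicit loopback names count as local-only."""
    root = ET.fromstring(server_xml)
    out = []
    shutdown_port = int(root.get("port", "-1"))
    if shutdown_port > 0:
        addr = root.get("address", "localhost")
        out.append(Listener("shutdown", shutdown_port, addr, "-", addr in LOOPBACK))
    for c in root.iter("Connector"):
        addr = c.get("address", "")
        out.append(Listener("connector", int(c.get("port")), addr,
                            c.get("protocol", "HTTP/1.1"), addr in LOOPBACK))
    return out


def firewall_ports(server_xml: str) -> List[int]:
    """Ports needing an inbound rule from the developer VLAN: every listener not
    bound to loopback. A locally bound AJP or shutdown port stays closed."""
    return sorted(l.port for l in listeners(server_xml) if not l.loopback_only)


if __name__ == "__main__":
    print("AV exclusions:", exclusion_paths(SAMPLE_CMDLINE))
    for l in listeners(SAMPLE_SERVER_XML):
        print(l)
    print("Open inbound:", firewall_ports(SAMPLE_SERVER_XML))
```

On the real RHEL box, feed it the command line from `ps -o args= -p <tomcat pid>` (or /proc/<pid>/cmdline) and the server.xml from the CATALINA_BASE that command line names; the exclusion list still has to be re-checked after a JVM or Tomcat upgrade moves those paths, as noted above.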
