Anti-Malware Software Impact on GIS Processes

03-07-2019 11:54 AM
MichaelVolz
Esteemed Contributor

I would just like to start a discussion to get a Knowledge Base about the impacts of running Anti-Malware software on GIS processes on Windows Servers.

Recently my organization had to implement Anti-Malware software on Windows Servers and it has had some detrimental results where processes such as building/rebuilding address locators with suggestions (memory hog) no longer work.  As such, I was wondering if other organizations ran across similar issues and had to re-configure their Anti-Malware software (e.g. white-listing exes and dlls) and/or modifying server architecture (e.g. increase RAM, CPU).

Any help or hints about whatever other organizations needed to do to fix issues associated with implementing Anti-Malware software on GIS-based Windows Servers would be greatly appreciated.

7 Replies
MichaelVolz
Esteemed Contributor

Here is another post I have about anti-malware software and its impact on GIS processes:

https://community.esri.com/message/815725-re-agol-packaging-failed?commentID=815725#comment-815725 

This issue looked like it was resolved by white-listing a file, but now the anti-malware software is preventing any new data from being published up to AGOL from ArcMap (Data that is already up in AGOL can be successfully overwritten though).

It's hard to believe my organization is the only one having issues with anti-malware software interfering with GIS processes.

MichaelVolz
Esteemed Contributor

I am just adding specific information about an Anti-Malware software exception that I needed to add to my environment in order for address locators with suggestions to be able to be successfully built/rebuilt (I increased both CPU and memory but these changes did not solve the problem - they most likely helped to keep CPU or memory use from spiking).

Under ExploitPrevention for my specific software, I needed to whitelist AfCore.dll.  After making this change I was able to build/rebuild address locators in ArcMap 10.5.1 and 10.7 Pre-Release.

EddBlaine
New Contributor III

Hi Michael,

I don't have anything specific in response to your post, but I'm beginning to suspect the installation and use of Malwarebytes to be the cause of many ArcGIS Server problems that we've been having recently. And that's exactly how it started in our environment: address locators started failing to provide a suggestion list and were no longer rebuildable. Also, our servers have been failing periodically (services no longer rendered even though the server resource monitor was still showing plenty of resources available, the remote control interface was VERY slow, rebooting yesterday afternoon and this morning took FOREVER for everything to come back up, etc...), and I noticed that Malwarebytes was consuming a very high percentage of processor resources on a reboot this morning, which held up the start of ESRI's Java services and the gazillion arcsoc.exe processes that needed to crank back up. And I'm talking a 15-20 minute wait time before everything ArcGIS Server-wise came back up. If there are any ESRI staff out there, please chime in on this issue, especially if there's any current malware testing being done for ArcGIS Enterprise environments. It's making our GIS services environment unreliable.

MichaelVolz
Esteemed Contributor

Do you have your GIS environment set up with geocode services built from address locators with suggestions for use in portal (AGOL or on-premises) web apps?

If so, does your update process consist of stopping the geocode service(s), then rebuilding the associated address locator(s), and then starting the geocode service(s)?

In my environment I thought the anti-malware software was just preventing the address locator from being rebuilt, but after finding the dll to whitelist in the anti-malware software for that component, I'm also finding the anti-malware software is not allowing python to stop the geocode service.  As such, I need to research what file (dll most likely) I will need to whitelist in the anti-malware software for python to be able to stop (and subsequently start) the geocode service.

Are you the person at your org responsible for administering the anti-malware software or is that a different IT person?  At my org, one of the anti-malware admins needed to scour the anti-malware logs to discover the file that was being blocked.

EddBlaine
New Contributor III

Yes, we are using our own arc-tool-created geocode service on both portal and AGOL. Our solution to the problem at the time (working with ESRI tech support) was to create and publish a new geocoding service and redirect our apps. I've moved on to other things since and haven't gone back to try a rebuild. I just uninstalled Malwarebytes again this morning (looks like it might be coming back as part of a group policy push), so I'll keep you posted on anything I see as a result...

MichaelVolz
Esteemed Contributor

Before you ran into this problem, did you have an automated solution for updating your geocode service?  I ask because I have 3 python scripts that are called from a bat file (stop geocode service, rebuild address locator, start geocode service).  I thought the anti-malware software was just blocking the python script to rebuild the address locator, but it is also blocking the stop and start geocode service python scripts as well, so I still need to find out what dll to whitelist for those scripts.

This has been quite a painstaking experience to determine the root cause of this issue, and I wish ESRI had some general guidelines (there are many anti-malware software packages) or a white paper to help GIS admins set up anti-malware software rules that will work with ESRI's software.

The problem is compounded by the fact that the anti-malware software gets frequent updates with each version having the potential to adversely impact GIS processes.

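Added example, not code from this thread or from Esri: a small Python script that correlates a constructed ExploitPrevention-style block log with the three batch-file steps described in the post above (stop service, rebuild locator, start service), so an admin can see which process/module pair was blocked during each step instead of scouring the raw log by hand. The log line layout, the timestamps, the paths and hypothetical_admin.dll are assumptions for this example.

```python
import re
from datetime import datetime

# Constructed sample: the three update steps from the thread and the times the
# batch file ran them (timestamps are assumptions for this example).
JOB_STEPS = [
    ("stop_geocode_service",  "2019-03-07 02:00:00", "2019-03-07 02:00:30"),
    ("rebuild_locator",       "2019-03-07 02:00:30", "2019-03-07 02:41:10"),
    ("start_geocode_service", "2019-03-07 02:41:10", "2019-03-07 02:41:45"),
]

# Constructed anti-malware log excerpt in a hypothetical ExploitPrevention-style
# layout; C:\placeholder paths and hypothetical_admin.dll are placeholders.
AV_LOG = """\
2019-03-07 02:00:12 ExploitPrevention BLOCKED process=python.exe module=C:\\placeholder\\bin\\hypothetical_admin.dll
2019-03-07 02:05:41 ExploitPrevention BLOCKED process=ArcMap.exe module=C:\\placeholder\\bin\\AfCore.dll
2019-03-07 02:05:41 ExploitPrevention BLOCKED process=ArcMap.exe module=C:\\placeholder\\bin\\AfCore.dll
2019-03-07 02:41:20 ExploitPrevention BLOCKED process=python.exe module=C:\\placeholder\\bin\\hypothetical_admin.dll
2019-03-07 09:15:02 ExploitPrevention BLOCKED process=notepad.exe module=C:\\placeholder\\unrelated.dll
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) ExploitPrevention BLOCKED "
                     r"process=(?P<proc>\S+) module=(?P<mod>.+)$")

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse_events(log_text):
    """Return (time, process, module) for each BLOCKED line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((parse_time(m["ts"]), m["proc"], m["mod"]))
    return events

def blocked_by_step(events, steps):
    """Map each job step to the unique (process, module) pairs blocked while it ran."""
    result = {name: set() for name, _, _ in steps}
    for name, start, end in steps:
        lo, hi = parse_time(start), parse_time(end)
        for t, proc, mod in events:
            if lo <= t < hi:          # events outside every window are ignored
                result[name].add((proc, mod))
    return {name: sorted(pairs) for name, pairs in result.items()}

if __name__ == "__main__":
    # Narrowest candidate exclusion: one process loading one module path,
    # to be reviewed by the anti-malware admin rather than disabling the product.
    for step, pairs in blocked_by_step(parse_events(AV_LOG), JOB_STEPS).items():
        for proc, mod in pairs:
            print(f"{step}: review exclusion for {proc} loading {mod}")
```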
MichaelVolz
Esteemed Contributor

In speaking with ESRI technical support, they supplied me with this snippet of information about anti-malware software impact on ESRI GIS software:

"Cisco AMP (Anti Malware Protection) barred ArcMap from writing service definition files to the C drive. This would explain why the customer was able to publish when the staging folder was on a network drive. The user disabled Cisco AMP and was able to publish."

Anti-Malware software is in place to protect an organization's assets, so disabling this software is a security risk that many organizations would not agree to, so this would not be a practical solution.
