Anti-Malware Software Impact on GIS Processes

I am just adding specific information about an Anti-Malware software exception that I needed to add to my environment in order for address locators with suggestions to be able to be successfully built/rebuilt (I increased both CPU and memory but these changes did not solve the problem - they most likely helped to keep CPU or memory use from spiking).

Under ExploitPrevention for my specific software, I needed to whitelist AfCore.dll.  After making this change I was able to build/rebuild address locators in ArcMap 10.5.1 and 10.7 Pre-Release.

Do you have your GIS environment setup with geocode services built from address locators with suggestions for use in portal (AGOL or on-premises) web apps?

If so, does your update process consist of stopping the geocode service(s), then rebuilding the associated address locator(s), and then starting the geocode service(s)?

In my environment I thought the anti-malware software was just preventing the address locator from being rebuilt, but after finding the dll to whitelist in the anti-malware software for that component, I'm also finding the anti-malware software is not allowing python to stop the geocode service.  As such, I need to research what file (dll most likely) I will need to whitelist in the anti-malware software for python to be able to stop (and subsequently start) the geocode service.

Are you the person at your org responsible for administering the anti-malware software or is that a different IT person?  At my org, one of the anti-malware admins needed to scour the anti-malware logs to discover the file that was being blocked.

Yes, we are using our own arc-tool created geocode service on both portal and AGOL. Our solution to the problem at the time (working with ESRI tech support) was to create and publish a new geocoding service and redirect our apps. I’ve moved on to other things since and haven’t gone back to try a rebuild. I just uninstalled Malwarebytes again this morning (looks like it might be coming back as part of a group policy push), so I’ll keep you posted on anything I see as a result…

Before you ran into this problem, did you have an automated solution to updating your geocode service?  I ask because I have 3 python scripts that are called from a bat file (stop geocode service, rebuild address locator, start geocode service).  I thought the anti-malware software was just blocking the python script to rebuild the address locator, but it is also blocking the stop and start geocode service python scripts as well so I still need to find out what dll to whitelist for those scripts.

This has been quite a pain staking experience to determine the root cause of this issue and I wish ESRI had some general guidelines (There are many anti-malware software packages) or a white paper to help GIS admins setup anti-malware software rules that will work with ESRI's software.

The problem is compounded by the fact that the anti-malware software gets frequent updates with each version having the potential to adversely impact GIS processes.

In speaking with ESRI technical support, they supplied me with this snippet of information about anti-malware software impact on ESRI GIS software:

"Cisco AMP (Anti Malware Protection) barred ArcMap from writing service definition files to the C drive. This would explain why the customer was able to publish when the staging folder was on a network drive. The user disabled Cisco AMP and was able to publish."

Anti-Malware software is in place to protect an organization's assets, so disabling this software is a security risk that many organizations would not agree to so this would not be a practical solution.