Does anyone run MalwareBytes Endpoint Protection on their servers that are running Epicor? We recently rolled out MalwareBytes Endpoint Protection on all of our servers and the ones running Epicor all started to have strange issues. The issues ranged from SQL locks, IIS hanging and needing to be recycled, and the Task Agent hanging and only responding after we kill the process and launch it again.
As soon as we uninstalled the program, not a single issue since. Just curious if anyone has run into this issue before.
The first question I would ask is did you exclude MDF and LDF type files from Auto-Scanning? We have a substantial list of items that get ignored by our AV platform and ANYTHING to do with SQL is on that list. I would start there. Also what is the core reason for running AV type software on your Application servers? They should be locked down and hardened at a firewall level not an AV level. I know we all have our opinions on running AV on servers but with the exception of File Servers I avoid running AV unless an express reason is there. Like an application server where uncontrolled uploads would be happening.
I believe Epicor recommends (or used to recommend, I haven't checked recently) to explicitly exclude all Epicor folders and programs from your malware detection software, as well as anything related to SQL, as @EarlGrei mentions.
Frankly there should be only a single-digit count of people in your organization that ever touch this box, and nobody should ever run a browser in there. Your infection vector is fairly low, if security is set up correctly in your environment.
I don't run any AV on our Epicor box (but that's a controversial stance).
Good Backups (Off Site, On Site, and Off Line)
No one with access to the box (as few people as possible)
and Tight Permissions on the Box.
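As an added check for the exclusion advice in this thread (the MDF/LDF exclusions and the Epicor folder exclusions above; this is not code from any poster): a PowerShell audit that asks SQL Server where its MDF/LDF/NDF files actually live, adds the Epicor application directories, and reports anything not covered by the host's path or extension exclusions. It reads the exclusions from Windows Defender (Get-MpPreference) because Defender has a scriptable interface, whereas Malwarebytes exclusions are set in its console; it assumes the SqlServer PowerShell module is installed, the script runs with admin and SQL access, and the Epicor paths are placeholders you replace with your own.

```powershell
# Added audit script (not from the thread). Compares the directories that hold
# SQL data/log files and the Epicor application with the host's AV exclusions.
# Assumptions: SqlServer module present, admin + SQL access, placeholder Epicor paths.
param(
    [string]$SqlInstance = 'localhost',
    [string[]]$EpicorDirs = @('C:\Epicor\ERP\Server', 'C:\Epicor\ERP\Deployment')  # placeholders
)

Import-Module SqlServer

# sys.master_files lists every data and log file of every database on the instance.
$sqlFiles = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master `
    -Query 'SELECT physical_name FROM sys.master_files' |
    Select-Object -ExpandProperty physical_name
$sqlDirs = $sqlFiles | ForEach-Object { Split-Path $_ -Parent } | Sort-Object -Unique

# Exclusions currently configured on this host (Defender used as the scriptable stand-in).
$pref = Get-MpPreference
$excludedPaths = @($pref.ExclusionPath | Where-Object { $_ })
$excludedExts  = @($pref.ExclusionExtension | Where-Object { $_ }) |
    ForEach-Object { $_.TrimStart('.').ToLower() }

function Test-PathExcluded {
    param([string]$Dir)
    # Covered if the directory itself, or one of its parents, is an exclusion path.
    $d = $Dir.TrimEnd('\')
    foreach ($ex in $excludedPaths) {
        $e = $ex.TrimEnd('\')
        if ($d -eq $e -or $d -like "$e\*") { return $true }
    }
    return $false
}

$report = foreach ($dir in ($sqlDirs + $EpicorDirs)) {
    [pscustomobject]@{ Directory = $dir; Excluded = Test-PathExcluded $dir }
}

# Data files may be covered by an extension exclusion instead of a path exclusion.
$missingExts = @('mdf', 'ldf', 'ndf') | Where-Object { $excludedExts -notcontains $_ }

$report | Format-Table -AutoSize
if ($missingExts) { Write-Warning "No extension exclusion for: $($missingExts -join ', ')" }
$report | Where-Object { -not $_.Excluded } |
    ForEach-Object { Write-Warning "Not excluded from scanning: $($_.Directory)" }
```

Run it after every AV policy change or SQL file relocation; a directory flagged as not excluded is exactly the condition the SQL-lock and IIS-hang symptoms in this thread point at.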
Becoming less controversial as AV products have become attack vectors since they link deep into the kernel. Look for Microsoft to start blocking this type of activity in the future. They are going to make their AV product work in a sandbox, and that will most likely become the standard for all AV products in two to three years.
It is always a debate on how we guard our networks. I tend to lean on the side of more security than too little. Helps when crap hits the fan and they hold you accountable.
We have tight permissions on the servers, good backups (offsite, onsite), very limited access to the servers, and log monitoring. I just want a little more on the servers themselves for added protection. Just one little vulnerability that gets through could jeopardize everything. (Not that we do, but if you needed to be PCI compliant, it is a requirement that the servers have AV / endpoint protection installed.)
I was just curious if anyone else had experience with MalwareBytes and Epicor. Or in general, what endpoint protection do people run where they don't see any adverse effects on Epicor (server side)?
We used it for a while, didn't experience any issues. Then we purchased Sophos Endpoint and, even before excluding certain paths, haven't experienced any issues.
You make some valid points about AV on the Epicor servers, but surely the same logic for mitigation (single-digit access, controlled by permissions, read access, good backups) would apply to creating SSRS reports using SQL Server queries, which you have frequently evangelised your legitimate opposition to, for a variety of reasons, one of which is SQL injection attacks.
At a fundamental level the Epicor servers are on the network, so they are still vulnerable to anything that gets onto your network through a single point of failure elsewhere, particularly anything that can propagate and exploit without user interaction. WannaCry exposed the fallacy of your assumption of reducing the attack vector: running a legacy app on Windows XP controlling a medical scanner (it's $1 million to replace the software), locked it down and VLANed it so it can't access the internet, removed the browsers, and the user account used on it has restricted access on the LAN only. Problem was, once WannaCry was on the LAN elsewhere, all those reasonable countermeasures became useless.
As others have said build in the exceptions to the AV.
EMS runs Symantec on our app and DB servers. Shoot, now I should ask if they are following their own best practice and excluding SQL and the Epicor application dirs.
EMS is (mostly) outside of Azure. I wonder if the Azure ops are using Microsoft's ATP. If you haven't seen the Security and Compliance Center in Office 365, you're in for a treat, especially if you have SOX/GDPR requirements.
If anyone is curious, the reason we went away from Malwarebytes Endpoint is because their detection engine wasn't as powerful, at least 1 yr ago… Their desktop version would find Emotet (Bitcoin miner) but Endpoint didn't, etc… Heck, even Trend Micro found stuff Malwarebytes Endpoint didn't.
I think it has to mature more as a product… In Sophos we have more control, settings (more mature product).