Host system security exclusions
To monitor and block unknown host system processes, many organizations use security software, such as host-based firewalls and antivirus detection. To ensure that such software does not interfere with Tanium operations, work with your network and security team to whitelist Tanium folders and processes, so that the software treats them as trusted exclusions. Typically, this means configuring the security software to exclude the Tanium™ Client, Tanium™ Server, Tanium™ Module Server, and Tanium™ Zone Server installation directories from real-time inspection, as well as setting a policy to ignore input and output from Tanium binaries.
Tanium Core Platform servers require host system security exclusions only if they are installed on Windows infrastructure, not on the Tanium Appliance. Tanium Clients on all operating systems (OSs) require host system security exclusions.
Tanium Core Platform folders
The following table lists Tanium Core Platform folders that antivirus and other host-based security applications must exclude from real-time scans. The listed folder paths are the defaults. Include subfolders of these locations when you create the exclusion rules. If you have changed the defaults, create rules based on the actual locations.
| Component | OS | Installation folder |
|---|---|---|
| Tanium Server | Windows 64-bit | \Program Files\Tanium\Tanium Server\
You might also have to exclude the Tanium Server Downloads directory if it was moved out of the installation directory using the instructions in the KB article Relocate Downloads Directory. |
| Tanium Module Server | Windows 64-bit | \Program Files\Tanium\Tanium Module Server\ |
| Tanium Zone Server /
Zone Server Hub |
Windows 64-bit | \Program Files (x86)\Tanium\Tanium ZoneServer\ |
| Tanium Client | Windows 32-bit | \Program Files\Tanium\Tanium Client\ |
| Windows 64-bit | \Program Files (x86)\Tanium\Tanium Client\ | |
| macOS | /Library/Tanium/TaniumClient | |
| Linux, Solaris, AIX | /opt/Tanium/TaniumClient |
Tanium Core Platform system processes
The following table lists Tanium Core Platform system processes that must be allowed (not blocked, quarantined, or otherwise processed).
Notes:
- If you use Microsoft Group Policy Objects (GPO) or other central management tools to manage host firewalls, you might need to create rules to allow inbound and output TCP traffic across port 17472 on any managed endpoints, including the Tanium Server.
- If running McAfee Host Intrusion Prevention System (HIPS), mark the Tanium Client as both Trusted for Firewall and Trusted for IPS, per McAfee KB71704.
- The Tanium Client on Windows uses the Windows Update offline scan file, Wsusscn2.cab, to assess computers for installed or missing OS and application security patches. If your endpoint security solutions scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact appropriately with the Wsusscn2.cab file.
Solution module folders
As a rule, Tanium solution modules are installed in subdirectories of the Tanium Module Server installation directory. This facilitates any exclusion rules you must create: simply exclude the Module Server installation directory and its subdirectories. This requirement applies only to a Module Server installed on Windows infrastructure.
Solution module processes
If you install Tanium modules and shared services, see the following sections for additional processes on the Module Server (Windows infrastructure only) and Tanium Client (all OSs) that you must configure as exclusions in security software.
- Asset
- Comply
- Connect
- Deploy
- Detect
- Discover
- End-User Notifications
- Health Check
- Incident Response
- Integrity Monitor
- Map
- Network Quarantine
- Patch
- Performance
- Protect
- Reputation
- Reveal
- Threat Response
- Trace
- Trends
Asset
| Target Device | Process |
|---|---|
| Endpoints (Windows) | <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe (For integration with Flexera) |
| Endpoints (macOS and Linux) | <Tanium Client>/Tools/EPI/TaniumEndpointIndex (For integration with Flexera) |
Comply
| Target Device | Process |
|---|---|
| Module Server | <Module Server>\services\comply-service\node.exe |
| <Module Server>\services\comply-service\node_modules\ovalindex\ovalindex.exe | |
| Windows endpoints | <Tanium Client>\Tools\Comply\TaniumExecWrapper.exe |
| <Tanium Client>\Tools\Comply\jre\bin\java.exe | |
| <Tanium Client>\Tools\Comply\7za.exe | |
| Linux/macOS/AIX endpoints | <Tanium Client>/Tools/Comply/TaniumExecWrapper |
| <Tanium Client>/Tools/Comply/jre/bin/java | |
| <Tanium Client>/Tools/Comply/7za | |
| <Tanium Client>/Tools/Comply/xsltproc | |
| Tanium Scan Engine | <Tanium Client>/Tools/Comply/joval/Joval4Tanium.jar |
| <Tanium Client>/Tools/Comply/joval/Joval-Utilities.jar | |
| CIS-CAT engine | <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.jar |
| <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.sh (Linux only) | |
| <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.BAT (Windows only) | |
| SCC engine - Windows endpoints | <Tanium Client>\Tools\Comply\scc\cscc.exe |
| <Tanium Client>\Tools\Comply\scc\cscc32.exe | |
| <Tanium Client>\Tools\Comply\scc\cscc64.exe | |
| <Tanium Client>\Tools\Comply\scc\scc.exe | |
| <Tanium Client>\Tools\Comply\scc\scc32.exe | |
| <Tanium Client>\Tools\Comply\scc\scc64.exe | |
| SCC engine - Linux/macOS endpoints | <Tanium Client>/Tools/Comply/scc/cscc |
| <Tanium Client>/Tools/Comply/scc/cscc.bin | |
| <Tanium Client>/Tools/Comply/scc/scc | |
| <Tanium Client>/Tools/Comply/scc/scc.bin |
Connect
| Target device | Process |
|---|---|
| Module Server | <Tanium Module Server>\services\connect-service\node.exe |
Deploy
| Target device | Process |
|---|---|
| Module Server | <Tanium Module Server>\services\deploy-service\node.exe |
| Endpoints | <Tanium Client>\Python27\TPython.exe |
| <Tanium Client>\Tools\Deploy\py\deploy\tools\active-user-sessions.exe |
Detect
| Target device | Process |
|---|---|
| Module Server | <Tanium Module Server>\services\detect3\node.exe |
| <Tanium Module Server>\services\detect3\twsm.exe | |
| <Tanium Module Server>\services\event-service\node.exe | |
| <Tanium Module Server>\services\event-service\twsm.exe | |
| Windows x86 endpoints | <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe |
| Windows x64 endpoints | <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe |
| Mac OS endpoints | <Tanium Client>/Tools/Detect3/TaniumDetectEngine |
| Linux x86 endpoints | <Tanium Client>/Tools/Detect3/TaniumDetectEngine |
| Linux x64 endpoints | <Tanium Client>/Tools/Detect3/TaniumDetectEngine |
Discover
| Target Device | Process |
|---|---|
| Module Server | <Module Server>\services\discover\node.exe |
| <Module Server>\plugins\content\discover-proxy\proxyplugin.exe | |
| <Module Server>\services\twsm-v1\twsm.exe | |
| Endpoints (Windows) | C:\Program Files\Npcap (Level 3 and 4 profiles only) |
| <Tanium Client>Tools\Discover\nmap\nmap.exe (Level 3 and 4 profiles only) | |
| Endpoints (macOS, Linux) | <Tanium Client>/Tools/Discover/nmap/nmap (Level 3 and 4 profiles only) |
End-User Notifications
| Target Device | Process |
|---|---|
| Module Server | <Module Server>\services\end-user-notifications-service\node.exe |
| <Module Server>\services\twsm-v1\twsm.exe | |
| Endpoints | <Tanium>\Tanium End User Notification Tools\UserSessionProxy.exe |
| <Tanium>\Tanium End User Notification Tools\bin\end-user-notifications.exe | |
| <Tanium>\Tanium End User Notification Tools\ (exclude from on-access or real-time scans) |
Health Check
| Target Device | Process |
|---|---|
| Module Server | <Module Server>\services\health-service\node.exe |
| <Module Server>\services\health-service\twsm.exe |
Incident Response
| Target Device | Process |
|---|---|
| Windows x86 | <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe |
| <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe | |
| <Tanium Client>\Tools\IR\TaniumExecWrapper.exe | |
| <Tanium Client>\Tools\IR\TanFileInfo.exe | |
| <Tanium Client>\Tools\IR\TaniumHandle.exe | |
| <Tanium Client>\Tools\IR\TanListModules.exe | |
| <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe | |
| <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll | |
| <Tanium Client>\Downloads\Action_nnn\Winpmem.gb414603.exe 1 | |
| <Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe1 | |
| Windows x64 | <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe |
| <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe | |
| <Tanium Client>\Tools\IR\TaniumExecWrapper.exe | |
| <Tanium Client>\Tools\IR\TanFileInfo.exe | |
| <Tanium Client>\Tools\IR\TaniumHandle.exe | |
| <Tanium Client>\Tools\IR\TanListModules.exe | |
| <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe | |
| <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll | |
| <Tanium Client>\Downloads\Action_nnn\Winpmem.gb414603.exe 1 | |
| <Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe1 | |
| Mac OS | <Tanium Client>/Tools/EPI/TaniumExecWrapper |
| <Tanium Client>/Tools/IR/TaniumExecWrapper | |
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex | |
| <Tanium Client>/Downloads/Action_nnn/surge-collect1,2 | |
| <Tanium Client>/Downloads/Action_nnn/surge.dat1,2 | |
| <Tanium Client>/Downloads/Action_nnn/osxpmem.app/osxpmem1 | |
| <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer1 | |
| Linux x86 | <Tanium Client>/Tools/EPI/TaniumExecWrapper |
| <Tanium Client>/Tools/IR/TaniumExecWrapper | |
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex | |
| <Tanium Client>/Downloads/Action_nnn/surge-collect1,2 | |
| <Tanium Client>/Downloads/Action_nnn/surge.dat1,2 | |
| <Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin1 | |
| <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer1 | |
| Linux x64 | <Tanium Client>/Tools/EPI/TaniumExecWrapper |
| <Tanium Client>/Tools/IR/TaniumExecWrapper | |
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex | |
| <Tanium Client>/Downloads/Action_nnn/surge-collect1,2 | |
| <Tanium Client>/Downloads/Action_nnn/surge.dat1,2 | |
| <Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin1 | |
| <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer1 | |
|
1 = Where nnn corresponds to the action ID. 2 = Exception is required if Volexity Surge is used for memory collection. |
|
Integrity Monitor
| Target device | Process |
|---|---|
| Module Server | <Module Server>\services\integrity-monitor-service\node.exe |
| Windows x86 endpoints | <Tanium Client>\Tools\IM\TaniumSQLiteQuery.exe |
| <Tanium Client>\Tools\IM\TaniumExecWrapper.exe | |
| Windows x64 endpoints | <Tanium Client>\Tools\IM\TaniumSQLiteQuery.exe |
| <Tanium Client>\Tools\IM\TaniumExecWrapper.exe | |
| Linux x86 endpoints | <Tanium Client>/Tools/Trace/recorder |
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex | |
| <Tanium Client>/Tools/EPI/TaniumExecWrapper | |
| <Tanium Client>/python27/python | |
| Linux x64 endpoints | <Tanium Client>/Tools/Trace/recorder |
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex | |
| <Tanium Client>/Tools/EPI/TaniumExecWrapper | |
| <Tanium Client>/python27/python |
Map
| Target Device | Process |
|---|---|
| Module Server | <Tanium Module Server>\services\map-service\node.exe |
| Endpoints (all OS) | <Tanium Client>\Python27\TPython.exe |
| Endpoints (Linux) | <Tanium Client>/Tools/Trace/recorder |
| Endpoints (macOS) | <Tanium Client>/Tools/Trace/TaniumRecorder |
Network Quarantine
No additional process exclusions are required.
Patch
| Target device | Process |
|---|---|
| Module Server | <Module Server>\services\patch-service\node.exe |
| Windows Endpoints | <Tanium Client>\Patch\tanium-patch.min.vbs |
| <Tanium Client>\Patch\scans\Wsusscn2.cab | |
| <Tanium Client>\Patch\tools\active-user-sessions.exe | |
| <Tanium Client>\Patch\tools\TaniumExecWrapper.exe | |
| <Tanium Client>\Patch\tools\TaniumFileInfo.exe | |
| <Tanium Client> (exclude from on-access or real-time scans) | |
| Linux Endpoints | /opt/Tanium/TaniumClient/python27/python |
Performance
| Target device | Process |
|---|---|
| Tanium Module Server | <Tanium Module Server>\services\performance\node.exe |
| <Tanium Module Server>\services\event-service\twsm.exe | |
| Windows x86 and x64 endpoints | <Tanium Client>\Tools\Performance\TaniumTSDB.exe |
| macOS, and Linux x86 and x64 endpoints | <Tanium Client>/Tools/Performance/TaniumTSDB |
Protect
| Target Device | Process |
|---|---|
| Module Server | <Tanium Module Server>\services\protect-service\7za.exe |
| <Tanium Module Server>\services\protect-service\node.exe | |
| Windows x86 endpoints | <Tanium Client>\Tools\StdUtils\7za.exe |
| <Tanium Client>\Tools\Protect\LocalPolicyTool.exe (for Anti-Malware, AppLocker, and SRP policies) | |
| <Tanium Client>\Tools\LocalPolicyTool.exe (for Windows device control policies) | |
| <Tanium Client>\Tools\Protect\devcon32.exe | |
| Windows x64 endpoints | <Tanium Client>\Tools\StdUtils\7za.ex |
| <Tanium Client>\Tools\Protect\LocalPolicyTool.exe (for Anti-Malware, AppLocker, and SRP policies) | |
| <Tanium Client>\Tools\LocalPolicyTool.exe (for Windows device control policies) | |
| <Tanium Client>\Tools\Protect\devcon64.exe |
Reputation
| Target Device | Process |
|---|---|
| Module Server | <Module Server>\services\reputation-service\node.exe |
Reveal
| Target Device | Process |
|---|---|
| Module Server | <Tanium Module Server>\services\reveal-service\node.exe |
| Windows endpoints | <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe |
| <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe | |
| <Tanium Client>\Tools\Reveal\TaniumReveal.exe | |
| <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe | |
| Linux/macOS endpoints | <Tanium Client>/Tools/EPI/TaniumExecWrapper |
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex | |
| <Tanium Client>/Tools/Reveal/TaniumReveal | |
| <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient |
Threat Response
| Target device | Process |
|---|---|
| Tanium Module Server | <Module Server>\services\trace-service\node.exe |
| <Module Server>\services\detect3\node.exe | |
| <Module Server>\services\detect3\twsm.exe | |
| <Module Server>\services\event-service\node.exe | |
| <Module Server>\services\event-service\twsm.exe | |
| <Module Server>\services\threat-response\node.exe | |
| <Module Server>\services\twsm-v1\twsm.exe | |
| Tanium Zone Server | <Zone Server>\proxy\node.exe |
| Windows x86 and x64 endpoints | <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe |
| <Tanium Client>\Tools\IR\TaniumExecWrapper.exe | |
| <Tanium Client>\Tools\IR\TanFileInfo.exe | |
| <Tanium Client>\Tools\IR\TaniumFileInfo.exe | |
| <Tanium Client>\Tools\IR\TaniumHandle.exe | |
| <Tanium Client>\Tools\IR\TanListModules.exe | |
| <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe | |
| <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe | |
| <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient64.exe | |
| <Tanium Client>\Tools\Recorder\TaniumSQLiteQuery.exe | |
| <Tanium Client>\Tools\Trace\TaniumExecWrapper.exe | |
| <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe | |
| <Tanium Client>\extensions\TaniumRecorder.dll | |
| <Tanium Client>\extensions\recorder\proc.bin | |
| <Tanium Client>\extensions\recorder\recorder.db | |
| <Tanium Client>\extensions\TaniumRecorder.dll.sig | |
| <Tanium Client>\extensions\recorder\recorder.db-shm | |
| <Tanium Client>\extensions\recorder\recorder.db-wal | |
| <Tanium Client>\TaniumClientExtensions.dll | |
| <Tanium Client>\TaniumClientExtensions.dll.sig | |
| <Tanium Client>\extensions\TaniumThreatResponse.dll | |
| <Tanium Client>\extensions\TaniumThreatResponse.dll.sig | |
| <Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe | |
| <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe | |
| <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll | |
| <Tanium Client>\Python27\TPython.exe | |
| <Installation Location>\sysmon.exe | |
| Linux x86 and x64 endpoints | <Tanium Client>/Tools/EPI/TaniumExecWrapper |
| <Tanium Client>/Tools/IR/TaniumExecWrapper | |
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex | |
| <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient | |
| <Tanium Client>/Tools/Trace/TaniumExecWrapper | |
| <Tanium Client>/Tools/Detect3/TaniumDetectEngine | |
| <Tanium Client>/python27/python | |
| <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer | |
| <Tanium Client>/libTaniumClientExtensions.so | |
| <Tanium Client>/libTaniumClientExtensions.so.sig | |
| <Tanium Client>/extensions/libTaniumThreatResponse.so | |
| <Tanium Client>/extensions/libTaniumThreatResponse.so.sig | |
| <Tanium Client>/extensions/libTaniumRecorder.so | |
| <Tanium Client>/extensions/recorder/proc.bin | |
| <Tanium Client>/extensions/recorder/recorder.db | |
| <Tanium Client>/extensions/libTaniumRecorder.dylib.sig | |
| <Tanium Client>/extensions/recorder/recorder.db-shm | |
| <Tanium Client>/extensions/recorder/recorder.db-wal | |
| <Tanium Client>/extensions/recorder/recorder.auditpipe | |
| Mac OS endpoints | <Tanium Client>/Tools/EPI/TaniumExecWrapper |
| <Tanium Client>/Tools/IR/TaniumExecWrapper | |
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex | |
| <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient | |
| <Tanium Client>/Tools/Trace/TaniumExecWrapper | |
| <Tanium Client>/Tools/Detect3/TaniumDetectEngine | |
| <Tanium Client>/python27/python | |
| <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer | |
| <Tanium Client>/libTaniumClientExtensions.dylib | |
| <Tanium Client>/libTaniumClientExtensions.dylib.sig | |
| <Tanium Client>/extensions/libTaniumThreatResponse.dylib | |
| <Tanium Client>/extensions/libTaniumThreatResponse.dylib.sig | |
| <Tanium Client>/extensions/libTaniumRecorder.dylib | |
| <Tanium Client>/extensions/recorder/proc.bin | |
| <Tanium Client>/extensions/recorder/recorder.db | |
| <Tanium Client>/extensions/libTaniumRecorder.dylib.sig | |
| <Tanium Client>/extensions/recorder/recorder.db-shm | |
| <Tanium Client>/extensions/recorder/recorder.db-wal | |
| <Tanium Client>/extensions/recorder/recorder.auditpipe |
Trace
| Target device | Process |
|---|---|
| Tanium Module Server | <Tanium Module Server>\services\trace-service\node.exe |
| Tanium Zone Proxy | <Trace Zone Proxy>\proxy\node.exe |
| Windows x86 endpoints | <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe |
| <Tanium Client>\Tools\Recorder\TaniumSQLiteQuery.exe | |
| <Tanium Client>\Tools\Trace\TaniumExecWrapper.exe | |
| <Installation Location>\sysmon.exe | |
| <Tanium Client>\TaniumTraceCLI.exe | |
| Windows x64 endpoints | <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe |
| <Tanium Client>\Tools\Recorder\TaniumSQLiteQuery.exe | |
| <Tanium Client>\Tools\Trace\TaniumExecWrapper.exe | |
| <Installation Location>\sysmon.exe | |
| <Tanium Client>\TaniumTraceCLI.exe | |
| Mac OS endpoints | <Tanium Client>/Tools/Trace/TaniumRecorder |
| <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient | |
| <Tanium Client>/Tools/Trace/TaniumExecWrapper | |
| Linux x86 endpoints | <Tanium Client>/Tools/Trace/recorder |
| <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient | |
| <Tanium Client>/Tools/Trace/TaniumExecWrapper | |
| Linux x64 endpoints | <Tanium Client>/Tools/Trace/recorder |
| <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient | |
| <Tanium Client>/Tools/Trace/TaniumExecWrapper |
Trends
| Target Device | Process |
|---|---|
| Module Server | <Tanium Module Server>\services\twsm-v1\twsm.exe |
| <Tanium Module Server>\services\trends\node_modules\@tanium \postgresql\lib\win32\bin\postgres.exe |
|
| <Tanium Module Server>\services\trends\node_modules\@tanium \postgresql\lib\win32\bin\pg_ctl.exe |
Last updated: 12/4/2019 4:10 PM | Feedback