Host system security exclusions
To monitor and block unknown host system processes, many organizations use security software, such as host-based firewalls and antivirus detection. To ensure that such software does not interfere with Tanium operations, work with your network and security team to whitelist Tanium folders and processes, so that the software treats them as trusted exclusions. Typically, this means configuring the security software to exclude the Tanium™ Client, Tanium™ Server, Tanium™ Module Server, and Tanium™ Zone Server installation directories from real-time inspection, as well as setting a policy to ignore input and output from Tanium binaries.
Tanium Core Platform servers require host system security exclusions only if they are installed on Windows infrastructure, not on
the Tanium Appliance. Tanium Clients on all operating systems (OSs) require host system security exclusions.
Tanium Core Platform folders
The following table lists Tanium Core Platform folders that antivirus and other host-based security applications must exclude from real-time scans. The listed folder paths are the defaults. Include subfolders of these locations when you create the exclusion rules. If you have changed the defaults, create rules based on the actual locations.
Table 1: Tanium Core Platform folders
| Tanium Server |
Windows 64-bit |
\Program Files\Tanium\Tanium Server\
You might also have to exclude the Tanium Server Downloads directory if it was moved out of the installation directory using the instructions in the KB article Relocate Downloads Directory. |
| Tanium Module Server |
Windows 64-bit |
\Program Files\Tanium\Tanium Module Server\
|
| Tanium Zone Server /
Zone Server Hub |
Windows 64-bit |
\Program Files (x86)\Tanium\Tanium ZoneServer\
|
| Tanium Client |
Windows 32-bit |
\Program Files\Tanium\Tanium Client\
|
| Windows 64-bit |
\Program Files (x86)\Tanium\Tanium Client\
|
| macOS |
/Library/Tanium/TaniumClient
|
| Linux, Solaris, AIX |
/opt/Tanium/TaniumClient
|
Tanium Core Platform system processes
The following table lists Tanium Core Platform system processes that must be allowed (not blocked, quarantined, or otherwise processed).
Table 2: Tanium Core Platform processes
| Tanium Server |
Windows |
TaniumReceiver.exe
|
| Tanium Module Server |
Windows |
7za.exe
TaniumModuleServer.exe |
| Tanium Zone Server / Zone Server Hub |
Windows |
TaniumZoneServer.exe
|
| Tanium Client |
Windows, macOS, Linux |
The <Tanium_Client>\Tools\StdUtils folder or all the files that it contains |
| Windows |
TaniumClient.exe
|
| macOS, Linux |
distribute-tools.sh
|
| macOS, Linux |
TaniumExecWrapper
|
| macOS, Linux, Solaris, AIX |
TaniumClient
taniumclient
|
Notes:
- If you use Microsoft Group Policy Objects (GPO) or other central management tools to manage host firewalls, you might need to create rules to allow inbound and output TCP traffic across port 17472 on any managed endpoints, including the Tanium Server.
- If running McAfee Host Intrusion Prevention System (HIPS), mark the Tanium Client as both Trusted for Firewall and Trusted for IPS, per McAfee KB71704.
- The Tanium Client on Windows uses the Windows Update offline scan file, Wsusscn2.cab, to assess computers for installed or missing OS and application security patches. If your endpoint security solutions scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact appropriately with the Wsusscn2.cab file.
Solution module folders
As a rule, Tanium solution modules are installed in subdirectories of the Tanium Module Server installation directory. This facilitates any exclusion rules you must create: simply exclude the Module Server installation directory and its subdirectories. This requirement applies only to a Module Server installed on Windows infrastructure.
Solution module processes
If you install Tanium modules and shared services, see the following sections for additional processes on the Module Server (Windows infrastructure only) and Tanium Client (all OSs) that you must configure as exclusions in security software.
Asset
Table 3: Asset security exclusions
| Endpoints (Windows) |
<Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe (For integration with Flexera) |
| Endpoints (macOS and Linux) |
<Tanium Client>/Tools/EPI/TaniumEndpointIndex (For integration with Flexera) |
Comply
Table 4: Comply security exclusions
| Module Server |
<Tanium Module Server>\services\comply-service\node.exe
|
| <Tanium Module Server>\services\comply-service\node_modules\ovalindex\ovalindex.exe
|
| Windows endpoints |
<Tanium Client>\Tools\Comply\TaniumExecWrapper.exe
|
| <Tanium Client>\Tools\Comply\jre\bin\java.exe
|
| <Tanium Client>\Tools\Comply\7za.exe
|
| Linux/macOS/AIX
endpoints
|
<Tanium Client>/Tools/Comply/TaniumExecWrapper
|
| <Tanium Client>/Tools/Comply/jre/bin/java
|
| <Tanium Client>/Tools/Comply/7za
|
| <Tanium Client>/Tools/Comply/xsltproc
|
| JovalCM engine |
<Tanium Client>/Tools/Comply/joval/Joval4Tanium.jar
|
| <Tanium Client>/Tools/Comply/joval/Joval-Utilities.jar
|
| CIS-CAT engine |
<Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.jar
|
| <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.sh (Linux only)
|
| <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.BAT (Windows only)
|
| SCC engine - Windows endpoints |
<Tanium Client>\Tools\Comply\scc\cscc.exe
|
| <Tanium Client>\Tools\Comply\scc\cscc32.exe
|
| <Tanium Client>\Tools\Comply\scc\cscc64.exe
|
| <Tanium Client>\Tools\Comply\scc\scc.exe
|
| <Tanium Client>\Tools\Comply\scc\scc32.exe
|
| <Tanium Client>\Tools\Comply\scc\scc64.exe
|
| SCC engine - Linux/macOS
endpoints |
<Tanium Client>/Tools/Comply/scc/cscc
|
| <Tanium Client>/Tools/Comply/scc/cscc.bin
|
| <Tanium Client>/Tools/Comply/scc/scc
|
| <Tanium Client>/Tools/Comply/scc/scc.bin
|
Connect
Table 5: Connect security exclusions
| Module Server |
<Tanium Module Server>\services\connect-service\node.exe
|
Deploy
Table 6: Deploy security exclusions
| Module Server |
<Tanium Module Server>\services\deploy-service\node.exe
|
| Endpoints |
<Tanium Client>\Python27\TPython.exe
|
| <Tanium Client>\Tools\Deploy\py\deploy\tools\active-user-sessions.exe
|
Detect
Table 7: Detect security exclusions
| Module Server |
<Tanium Module Server>\services\detect3\node.exe
|
| <Tanium Module Server>\services\detect3\twsm.exe
|
| <Tanium Module Server>\services\event-service\node.exe
|
| <Tanium Module Server>\services\event-service\twsm.exe
|
|
Windows x86 endpoints
|
<Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe
|
|
Windows x64 endpoints
|
<Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe
|
|
Mac OS endpoints
|
<Tanium Client>/Tools/Detect3/TaniumDetectEngine
|
|
Linux x86 endpoints
|
<Tanium Client>/Tools/Detect3/TaniumDetectEngine
|
|
Linux x64 endpoints
|
<Tanium Client>/Tools/Detect3/TaniumDetectEngine
|
Discover
Table 8: Discover security exclusions
| Module Server |
<Tanium Module Server>\services\discover\node.exe
|
| <Tanium Module Server>\plugins\content\discover-proxy\proxyplugin.exe
|
| <Tanium Module Server>\services\twsm-v1\twsm.exe
|
| Endpoints |
C:\Program Files\Npcap
|
| <Tanium Client>\Tools\Discover\nmap\nmap.exe
|
End-User Notifications
Table 9: End-User Notifications security exclusions
| Module Server |
<Tanium Module Server>\services\end-user-notifications-service\node.exe
|
| <Tanium Module Server>\services\twsm-v1\twsm.exe
|
| Endpoints |
<Tanium>\Tanium End User Notification Tools\bin\end-user-notifications.exe
|
| <Tanium>\Tanium End User Notification Tools\ (exclude from on-access or real-time scans) |
Health Check
Table 10: Health Check security exclusions
| Module Server |
<Tanium Module Server>\services\health-service\node.exe
|
| <Tanium Module Server>\services\health-service\twsm.exe
|
Incident Response
Table 11: Incident Response security exclusions
| Windows x86 |
<Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
|
| <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
|
| <Tanium Client>\Tools\IR\TaniumExecWrapper.exe
|
| <Tanium Client>\Tools\IR\TanFileInfo.exe
|
| <Tanium Client>\Tools\IR\TaniumHandle.exe
|
| <Tanium Client>\Tools\IR\TanListModules.exe
|
| <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
|
| <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
|
| <Tanium Client>\Downloads\Action_nnn\Winpmem.gb414603.exe 1 |
| <Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe1
|
| Windows x64 |
<Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
|
| <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
|
| <Tanium Client>\Tools\IR\TaniumExecWrapper.exe
|
| <Tanium Client>\Tools\IR\TanFileInfo.exe
|
| <Tanium Client>\Tools\IR\TaniumHandle.exe
|
| <Tanium Client>\Tools\IR\TanListModules.exe
|
| <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
|
| <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
|
| <Tanium Client>\Downloads\Action_nnn\Winpmem.gb414603.exe 1 |
| <Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe1
|
| Mac OS |
<Tanium Client>/Tools/EPI/TaniumExecWrapper
|
| <Tanium Client>/Tools/IR/TaniumExecWrapper
|
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex
|
| <Tanium Client>/Downloads/Action_nnn/surge-collect1,2 |
| <Tanium Client>/Downloads/Action_nnn/surge.dat1,2 |
| <Tanium Client>/Downloads/Action_nnn/osxpmem.app/osxpmem1
|
| <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer1
|
| Linux x86 |
<Tanium Client>/Tools/EPI/TaniumExecWrapper
|
| <Tanium Client>/Tools/IR/TaniumExecWrapper |
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex |
| <Tanium Client>/Downloads/Action_nnn/surge-collect1,2 |
| <Tanium Client>/Downloads/Action_nnn/surge.dat1,2 |
| <Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin1
|
| <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer1
|
| Linux x64 |
<Tanium Client>/Tools/EPI/TaniumExecWrapper
|
| <Tanium Client>/Tools/IR/TaniumExecWrapper
|
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex
|
| <Tanium Client>/Downloads/Action_nnn/surge-collect1,2 |
| <Tanium Client>/Downloads/Action_nnn/surge.dat1,2 |
| <Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin1
|
| <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer1
|
Integrity Monitor
Table 12: Integrity Monitor security exclusions
| Module Server |
<Tanium Module Server>\services\integrity-monitor-service\node.exe
|
| Windows x86 endpoints |
<Tanium Client>\Tools\IM\TaniumSQLiteQuery.exe
|
| <Tanium Client>\Tools\IM\TaniumExecWrapper.exe
|
| Windows x64 endpoints |
<Tanium Client>\Tools\IM\TaniumSQLiteQuery.exe
|
| <Tanium Client>\Tools\IM\TaniumExecWrapper.exe
|
| Linux x86 endpoints |
/opt/Tanium/TaniumClient/Tools/Trace/recorder
|
| /opt/Tanium/TaniumClient/Tools/EPI/TaniumEndpointIndex
|
| /opt/Tanium/TaniumClient/Tools/EPI/TaniumExecWrapper
|
| /opt/Tanium/TaniumClient/python27/python
|
| Linux x64 endpoints |
/opt/Tanium/TaniumClient/Tools/Trace/recorder
|
| /opt/Tanium/TaniumClient/Tools/EPI/TaniumEndpointIndex
|
| /opt/Tanium/TaniumClient/Tools/EPI/TaniumExecWrapper
|
| /opt/Tanium/TaniumClient/python27/python
|
Map
Table 13: Map security exclusions
| Module Server |
<Tanium Module Server>\services\map-service\node.exe
|
| Endpoints (all OS) |
<Tanium Client>\Python27\TPython.exe
|
| Endpoints (Linux) |
<Tanium Client>/Tools/Trace/recorder
|
| Endpoints (macOS) |
<Tanium Client>/Tools/Trace/TaniumRecorder
|
Network Quarantine
No additional process exclusions are required.
Patch
Table 14: Patch security exclusions
| Module Server |
<Tanium Module Server>\services\patch-service\node.exe
|
| Windows Endpoints |
<Tanium Client>\Patch\tanium-patch.min.vbs
|
| <Tanium Client>\Patch\scans\Wsusscn2.cab
|
| <Tanium Client>\Patch\tools\active-user-sessions.exe
|
| <Tanium Client>\Patch\tools\TaniumExecWrapper.exe
|
| <Tanium Client>\Patch\tools\TaniumFileInfo.exe
|
| <Tanium Client> (exclude from on-access or real-time scans) |
Performance
Table 15: Performance security exclusions
| Tanium Module Server
|
<Tanium Module Server>\services\performance\node.exe
|
| <Tanium Module Server>\services\event-service\twsm.exe
|
| Windows x86 and x64 endpoints |
<Tanium Client>\Tools\Performance\TaniumTSDB.exe
|
| macOS, and Linux x86 and x64 endpoints |
<Tanium Client>/Tools/Performance/TaniumTSDB
|
Protect
Table 16: Protect security exclusions
| Module Server |
<Tanium Module Server>\services\protect-service\7za.exe
|
| <Tanium Module Server>\services\protect-service\node.exe
|
| Windows x86 endpoints |
<Tanium Client>\Tools\StdUtils\7za.exe
|
| <Tanium Client>\Tools\Protect\LocalPolicyTool.exe (for Anti-Malware, AppLocker, and SRP policies) |
| <Tanium Client>\Tools\LocalPolicyTool.exe (for Windows device control policies) |
| <Tanium Client>\Tools\Protect\devcon32.exe
|
| Windows x64 endpoints |
<Tanium Client>\Tools\StdUtils\7za.ex
|
| <Tanium Client>\Tools\Protect\LocalPolicyTool.exe (for Anti-Malware, AppLocker, and SRP policies) |
| <Tanium Client>\Tools\LocalPolicyTool.exe (for Windows device control policies) |
| <Tanium Client>\Tools\Protect\devcon64.exe
|
Reputation
Table 17: Reputation security exclusions
| Module Server |
<Tanium Module Server>\services\reputation-service\node.exe
|
Reveal
Table 18: Reveal security exclusions
| Module Server |
<Tanium Module Server>\services\reveal-service\node.exe
|
| Windows endpoints |
<Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
|
| <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
|
| <Tanium Client>\Tools\Reveal\TaniumReveal.exe
|
| <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe
|
| Linux/macOS endpoints |
<Tanium Client>/Tools/EPI/TaniumExecWrapper
|
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex
|
| <Tanium Client>/Tools/Reveal/TaniumReveal
|
| <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
|
Threat Response
Table 19: Threat Response security exclusions
| Tanium Module Server
|
<Tanium Module Server>\services\trace-service\node.exe
|
| <Tanium Module Server>\services\detect3\node.exe
|
| <Tanium Module Server>\services\detect3\twsm.exe
|
| <Tanium Module Server>\services\event-service\node.exe
|
| <Tanium Module Server>\services\event-service\twsm.exe
|
| <Tanium Module Server>\services\threat-response\node.exe
|
| <Tanium Module Server>\services\twsm-v1\twsm.exe
|
| Tanium Zone Server
|
<Trace Zone Proxy>\proxy\node.exe
|
| Windows x86 and x64 endpoints |
<Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
|
| <Tanium Client>\Tools\IR\TaniumExecWrapper.exe
|
| <Tanium Client>\Tools\IR\TanFileInfo.exe
|
| <Tanium Client>\Tools\IR\TaniumHandle.exe
|
| <Tanium Client>\Tools\IR\TanListModules.exe
|
| <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
|
| <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe
|
| <Tanium Client>\Tools\Recorder\TaniumSQLiteQuery.exe
|
| <Tanium Client>\Tools\Trace\TaniumExecWrapper.exe
|
| <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe
|
| <Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe
|
| <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
|
| <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
|
| <Tanium Client>\Python27\TPython.exe
|
| <Installation Location>\sysmon.exe
|
| Mac OS, and Linux x86 and x64 endpoints |
<Tanium Client>/Tools/EPI/TaniumExecWrapper
|
| <Tanium Client>/Tools/IR/TaniumExecWrapper
|
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex
|
| <Tanium Client>/Tools/Trace/recorder (Linux) |
| <Tanium Client>/Tools/Trace/TaniumRecorder (Mac) |
| <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
|
| <Tanium Client>/Tools/Trace/TaniumExecWrapper
|
| <Tanium Client>/Tools/Detect3/TaniumDetectEngine
|
| <Tanium Client>/python27/python
|
| <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer
|
Trace
Table 20: Trace security exclusions
| Tanium Module Server
|
<Tanium Module Server>\services\trace-service\node.exe
|
| Tanium Zone Proxy |
<Trace Zone Proxy>\proxy\node.exe
|
| Windows x86 endpoints |
<Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe
|
| <Tanium Client>\Tools\Recorder\TaniumSQLiteQuery.exe
|
| <Tanium Client>\Tools\Trace\TaniumExecWrapper.exe
|
| <Installation Location>\sysmon.exe
|
| <Tanium Client>\TaniumTraceCLI.exe
|
| Windows x64 endpoints |
<Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe
|
| <Tanium Client>\Tools\Recorder\TaniumSQLiteQuery.exe
|
| <Tanium Client>\Tools\Trace\TaniumExecWrapper.exe
|
| <Installation Location>\sysmon.exe
|
| <Tanium Client>\TaniumTraceCLI.exe
|
| Mac OS endpoints |
<Tanium Client>/Tools/Trace/TaniumRecorder
|
| <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
|
| <Tanium Client>/Tools/Trace/TaniumExecWrapper
|
| Linux x86 endpoints |
<Tanium Client>/Tools/Trace/recorder
|
| <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
|
| <Tanium Client>/Tools/Trace/TaniumExecWrapper
|
| Linux x64 endpoints |
<Tanium Client>/Tools/Trace/recorder
|
| <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
|
| <Tanium Client>/Tools/Trace/TaniumExecWrapper
|
Trends
Table 21: Trends security exclusions
| Module Server |
<Tanium Module Server>\services\twsm-v1\twsm.exe
|
<Tanium Module Server>\services\trends\node_modules\@tanium
\postgresql\lib\win32\bin\postgres.exe
|
<Tanium Module Server>\services\trends\node_modules\@tanium
\postgresql\lib\win32\bin\pg_ctl.exe
|
Last updated: 10/15/2019 2:27 PM | Feedback
