Host system security exclusions

To monitor and block unknown host system processes, many organizations use security software, such as host-based firewalls and antivirus detection. To ensure that such software does not interfere with Tanium operations, work with your network and security team to whitelist Tanium folders and processes, so that the software treats them as trusted exclusions. Typically, this means configuring the security software to exclude the Tanium™ Client, Tanium™ Server, Tanium™ Module Server, and Tanium™ Zone Server installation directories from real-time inspection, as well as setting a policy to ignore input and output from Tanium binaries.

Tanium Core Platform servers require host system security exclusions only if they are installed on Windows infrastructure, not on the Tanium Appliance. Tanium Clients on all operating systems (OSs) require host system security exclusions.

Tanium Core Platform folders

The following table lists Tanium Core Platform folders that antivirus and other host-based security applications must exclude from real-time scans. The listed folder paths are the defaults. Include subfolders of these locations when you create the exclusion rules. If you have changed the defaults, create rules based on the actual locations.

Table 1:   Tanium Core Platform folders
Component OS Installation folder
Tanium Server Windows 64-bit \Program Files\Tanium\Tanium Server\

You might also have to exclude the Tanium Server Downloads directory if it was moved out of the installation directory using the instructions in the KB article Relocate Downloads Directory.

Tanium Module Server Windows 64-bit \Program Files\Tanium\Tanium Module Server\
Tanium Zone Server / Zone Server Hub Windows 64-bit \Program Files (x86)\Tanium\Tanium ZoneServer\
Tanium Client Windows 32-bit \Program Files\Tanium\Tanium Client\
Windows 64-bit \Program Files (x86)\Tanium\Tanium Client\
macOS /Library/Tanium/TaniumClient
Linux, Solaris, AIX /opt/Tanium/TaniumClient

Tanium Core Platform system processes

The following table lists Tanium Core Platform system processes that must be allowed (not blocked, quarantined, or otherwise processed).

Table 2:   Tanium Core Platform processes
Component OS Process
Tanium Server Windows TaniumReceiver.exe
Tanium Module Server Windows 7za.exe
TaniumModuleServer.exe
Tanium Zone Server / Zone Server Hub Windows TaniumZoneServer.exe
Tanium Client Windows, macOS, Linux The <Tanium_Client>\Tools\StdUtils folder or all the files that it contains
Windows TaniumClient.exe
macOS, Linux distribute-tools.sh
macOS, Linux TaniumExecWrapper
macOS, Linux, Solaris, AIX TaniumClient
taniumclient


Notes:

  • If you use Microsoft Group Policy Objects (GPO) or other central management tools to manage host firewalls, you might need to create rules to allow inbound and outbound TCP traffic across port 17472 on any managed endpoints, including the Tanium Server.
  • If running McAfee Host Intrusion Prevention System (HIPS), mark the Tanium Client as both Trusted for Firewall and Trusted for IPS, per McAfee KB71704.
  • The Tanium Client on Windows uses the Windows Update offline scan file, Wsusscn2.cab, to assess computers for installed or missing OS and application security patches. If your endpoint security solutions scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact appropriately with the Wsusscn2.cab file.

Solution module folders

As a rule, Tanium solution modules are installed in subdirectories of the Tanium Module Server installation directory. This facilitates any exclusion rules you must create: simply exclude the Module Server installation directory and its subdirectories. This requirement applies only to a Module Server installed on Windows infrastructure.

Solution module processes

If you install Tanium modules and shared services, see the following sections for additional processes on the Module Server (Windows infrastructure only) and Tanium Client (all OSs) that you must configure as exclusions in security software.
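The following Python example is added here and is not part of the Tanium documentation or product. It resolves the <Tanium Client> and <Tanium Module Server> placeholders used in the tables on this page against actual install locations and reports which listed paths do not fall under any configured folder exclusion and therefore need their own rule. The install locations, the configured exclusion list, and the function names are assumptions constructed for illustration; listed processes still need their own allow rules in addition to folder exclusions.

```python
from pathlib import PureWindowsPath

# Assumed install locations for this example; the client was moved off the default path.
INSTALL_DIRS = {
    "<Tanium Client>": r"D:\Tanium\Tanium Client",
    "<Tanium Module Server>": r"C:\Program Files\Tanium\Tanium Module Server",
}

# Entries copied from the tables on this page (Discover, Protect, Patch).
REQUIRED = [
    r"<Tanium Module Server>\services\discover\node.exe",
    r"<Tanium Client>\Tools\Discover\nmap\nmap.exe",
    r"<Tanium Client>\Tools\StdUtils\7za.exe",
    r"C:\Program Files\Npcap",
    r"<Tanium Client>\Patch\scans\Wsusscn2.cab",
]

# Constructed sample of folder exclusions exported from a security product.
CONFIGURED_FOLDERS = [
    r"c:\program files\tanium\tanium module server",
    r"C:\Program Files (x86)\Tanium\Tanium Client",  # default path, no longer in use
]

def resolve(entry, install_dirs):
    """Replace a leading <placeholder> with the actual install directory."""
    for placeholder, actual in install_dirs.items():
        if entry.startswith(placeholder):
            return PureWindowsPath(actual + entry[len(placeholder):])
    if entry.startswith("<"):
        raise ValueError(f"no install location known for {entry!r}")
    return PureWindowsPath(entry)

def is_covered(path, folder):
    # PureWindowsPath compares per component, ignoring case: C:\Abc is not inside C:\A.
    folder = PureWindowsPath(folder)
    return path == folder or folder in path.parents

def audit(required, configured_folders, install_dirs):
    """Return resolved required paths that no configured folder covers."""
    missing = []
    for entry in required:
        path = resolve(entry, install_dirs)
        if not any(is_covered(path, f) for f in configured_folders):
            missing.append(str(path))
    return missing

if __name__ == "__main__":
    for p in audit(REQUIRED, CONFIGURED_FOLDERS, INSTALL_DIRS):
        print("not covered by a folder exclusion:", p)
```

In the sample data, the Module Server entry is covered despite the case difference, the relocated client entries are not, and Npcap lies outside every Tanium directory.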

Asset

Table 3:   Asset security exclusions
Target Device Process
Endpoints (Windows) <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe (For integration with Flexera)
Endpoints (macOS and Linux) <Tanium Client>/Tools/EPI/TaniumEndpointIndex (For integration with Flexera)

Comply

Table 4:   Comply security exclusions
Target Device Process
Module Server <Tanium Module Server>\services\comply-service\node.exe
<Tanium Module Server>\services\comply-service\node_modules\ovalindex\ovalindex.exe
Windows endpoints <Tanium Client>\Tools\Comply\TaniumExecWrapper.exe
<Tanium Client>\Tools\Comply\jre\bin\java.exe
<Tanium Client>\Tools\Comply\7za.exe
Linux/macOS/AIX endpoints <Tanium Client>/Tools/Comply/TaniumExecWrapper
<Tanium Client>/Tools/Comply/jre/bin/java
<Tanium Client>/Tools/Comply/7za
<Tanium Client>/Tools/Comply/xsltproc
JovalCM engine <Tanium Client>/Tools/Comply/joval/Joval4Tanium.jar
<Tanium Client>/Tools/Comply/joval/Joval-Utilities.jar
CIS-CAT engine <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.jar
<Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.sh (Linux only)
<Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.BAT (Windows only)
SCC engine - Windows endpoints <Tanium Client>\Tools\Comply\scc\cscc.exe
<Tanium Client>\Tools\Comply\scc\cscc32.exe
<Tanium Client>\Tools\Comply\scc\cscc64.exe
<Tanium Client>\Tools\Comply\scc\scc.exe
<Tanium Client>\Tools\Comply\scc\scc32.exe
<Tanium Client>\Tools\Comply\scc\scc64.exe
SCC engine - Linux/macOS endpoints <Tanium Client>/Tools/Comply/scc/cscc
<Tanium Client>/Tools/Comply/scc/cscc.bin
<Tanium Client>/Tools/Comply/scc/scc
<Tanium Client>/Tools/Comply/scc/scc.bin

Connect

Table 5:   Connect security exclusions
Target device Process
Module Server <Tanium Module Server>\services\connect-service\node.exe

Deploy

Table 6:   Deploy security exclusions
Target device Process
Module Server <Tanium Module Server>\services\deploy-service\node.exe
Endpoints <Tanium Client>\Python27\TPython.exe
<Tanium Client>\Tools\Deploy\py\deploy\tools\active-user-sessions.exe

Detect

Table 7:   Detect security exclusions
Target device Process
Module Server <Tanium Module Server>\services\detect3\node.exe
<Tanium Module Server>\services\detect3\twsm.exe
<Tanium Module Server>\services\event-service\node.exe
<Tanium Module Server>\services\event-service\twsm.exe
Windows x86 endpoints <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe
Windows x64 endpoints <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe
Mac OS endpoints <Tanium Client>/Tools/Detect3/TaniumDetectEngine
Linux x86 endpoints <Tanium Client>/Tools/Detect3/TaniumDetectEngine
Linux x64 endpoints <Tanium Client>/Tools/Detect3/TaniumDetectEngine

Discover

Table 8:   Discover security exclusions
Target Device Process
Module Server <Tanium Module Server>\services\discover\node.exe
<Tanium Module Server>\plugins\content\discover-proxy\proxyplugin.exe
<Tanium Module Server>\services\twsm-v1\twsm.exe
Endpoints C:\Program Files\Npcap
<Tanium Client>\Tools\Discover\nmap\nmap.exe

End-User Notifications

Table 9:   End-User Notifications security exclusions
Target Device Process
Module Server <Tanium Module Server>\services\end-user-notifications-service\node.exe
<Tanium Module Server>\services\twsm-v1\twsm.exe
Endpoints <Tanium>\Tanium End User Notification Tools\bin\end-user-notifications.exe
<Tanium>\Tanium End User Notification Tools\ (exclude from on-access or real-time scans)

Health Check

Table 10:   Health Check security exclusions
Target Device Process
Module Server <Tanium Module Server>\services\health-service\node.exe
<Tanium Module Server>\services\health-service\twsm.exe

Incident Response

Table 11:   Incident Response security exclusions
Target Device Process
Windows x86 <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
<Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
<Tanium Client>\Tools\IR\TaniumExecWrapper.exe
<Tanium Client>\Tools\IR\TanFileInfo.exe
<Tanium Client>\Tools\IR\TaniumHandle.exe
<Tanium Client>\Tools\IR\TanListModules.exe
<Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
<Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
<Tanium Client>\Downloads\Action_nnn\Winpmem.gb414603.exe (1)
<Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe (1)
Windows x64 <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
<Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
<Tanium Client>\Tools\IR\TaniumExecWrapper.exe
<Tanium Client>\Tools\IR\TanFileInfo.exe
<Tanium Client>\Tools\IR\TaniumHandle.exe
<Tanium Client>\Tools\IR\TanListModules.exe
<Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
<Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
<Tanium Client>\Downloads\Action_nnn\Winpmem.gb414603.exe (1)
<Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe (1)
Mac OS <Tanium Client>/Tools/EPI/TaniumExecWrapper
<Tanium Client>/Tools/IR/TaniumExecWrapper
<Tanium Client>/Tools/EPI/TaniumEndpointIndex
<Tanium Client>/Downloads/Action_nnn/surge-collect (1, 2)
<Tanium Client>/Downloads/Action_nnn/surge.dat (1, 2)
<Tanium Client>/Downloads/Action_nnn/osxpmem.app/osxpmem (1)
<Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer (1)
Linux x86 <Tanium Client>/Tools/EPI/TaniumExecWrapper
<Tanium Client>/Tools/IR/TaniumExecWrapper
<Tanium Client>/Tools/EPI/TaniumEndpointIndex
<Tanium Client>/Downloads/Action_nnn/surge-collect (1, 2)
<Tanium Client>/Downloads/Action_nnn/surge.dat (1, 2)
<Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin (1)
<Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer (1)
Linux x64 <Tanium Client>/Tools/EPI/TaniumExecWrapper
<Tanium Client>/Tools/IR/TaniumExecWrapper
<Tanium Client>/Tools/EPI/TaniumEndpointIndex
<Tanium Client>/Downloads/Action_nnn/surge-collect (1, 2)
<Tanium Client>/Downloads/Action_nnn/surge.dat (1, 2)
<Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin (1)
<Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer (1)

1 = Where nnn corresponds to the action ID.

2 = Exception is required if Volexity Surge is used for memory collection.

Integrity Monitor

Table 12:   Integrity Monitor security exclusions
Target device Process
Module Server <Tanium Module Server>\services\integrity-monitor-service\node.exe
Windows x86 endpoints <Tanium Client>\Tools\IM\TaniumSQLiteQuery.exe
<Tanium Client>\Tools\IM\TaniumExecWrapper.exe
Windows x64 endpoints <Tanium Client>\Tools\IM\TaniumSQLiteQuery.exe
<Tanium Client>\Tools\IM\TaniumExecWrapper.exe
Linux x86 endpoints /opt/Tanium/TaniumClient/Tools/Trace/recorder
/opt/Tanium/TaniumClient/Tools/EPI/TaniumEndpointIndex
/opt/Tanium/TaniumClient/Tools/EPI/TaniumExecWrapper
/opt/Tanium/TaniumClient/python27/python
Linux x64 endpoints /opt/Tanium/TaniumClient/Tools/Trace/recorder
/opt/Tanium/TaniumClient/Tools/EPI/TaniumEndpointIndex
/opt/Tanium/TaniumClient/Tools/EPI/TaniumExecWrapper
/opt/Tanium/TaniumClient/python27/python

Map

Table 13:   Map security exclusions
Target Device Process
Module Server <Tanium Module Server>\services\map-service\node.exe
Endpoints (all OS) <Tanium Client>\Python27\TPython.exe
Endpoints (Linux) <Tanium Client>/Tools/Trace/recorder
Endpoints (macOS) <Tanium Client>/Tools/Trace/TaniumRecorder

Network Quarantine

No additional process exclusions are required.

Patch

Table 14:   Patch security exclusions
Target device Process
Module Server <Tanium Module Server>\services\patch-service\node.exe
Windows Endpoints <Tanium Client>\Patch\tanium-patch.min.vbs
<Tanium Client>\Patch\scans\Wsusscn2.cab
<Tanium Client>\Patch\tools\active-user-sessions.exe
<Tanium Client>\Patch\tools\TaniumExecWrapper.exe
<Tanium Client>\Patch\tools\TaniumFileInfo.exe
<Tanium Client> (exclude from on-access or real-time scans)

Performance

Table 15:   Performance security exclusions
Target device Process
Tanium Module Server <Tanium Module Server>\services\performance\node.exe
<Tanium Module Server>\services\event-service\twsm.exe
Windows x86 and x64 endpoints <Tanium Client>\Tools\Performance\TaniumTSDB.exe
macOS, and Linux x86 and x64 endpoints <Tanium Client>/Tools/Performance/TaniumTSDB

Protect

Table 16:   Protect security exclusions
Target Device Process
Module Server <Tanium Module Server>\services\protect-service\7za.exe
<Tanium Module Server>\services\protect-service\node.exe
Windows x86 endpoints <Tanium Client>\Tools\StdUtils\7za.exe
<Tanium Client>\Tools\Protect\LocalPolicyTool.exe (for Anti-Malware, AppLocker, and SRP policies)
<Tanium Client>\Tools\LocalPolicyTool.exe (for Windows device control policies)
<Tanium Client>\Tools\Protect\devcon32.exe
Windows x64 endpoints <Tanium Client>\Tools\StdUtils\7za.exe
<Tanium Client>\Tools\Protect\LocalPolicyTool.exe (for Anti-Malware, AppLocker, and SRP policies)
<Tanium Client>\Tools\LocalPolicyTool.exe (for Windows device control policies)
<Tanium Client>\Tools\Protect\devcon64.exe

Reputation

Table 17:   Reputation security exclusions
Target Device Process
Module Server <Tanium Module Server>\services\reputation-service\node.exe

Reveal

Table 18:   Reveal security exclusions
Target Device Process
Module Server <Tanium Module Server>\services\reveal-service\node.exe
Windows endpoints <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
<Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
<Tanium Client>\Tools\Reveal\TaniumReveal.exe
<Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe
Linux/macOS endpoints <Tanium Client>/Tools/EPI/TaniumExecWrapper
<Tanium Client>/Tools/EPI/TaniumEndpointIndex
<Tanium Client>/Tools/Reveal/TaniumReveal
<Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient

Threat Response

Table 19:   Threat Response security exclusions
Target device Process
Tanium Module Server <Tanium Module Server>\services\trace-service\node.exe
<Tanium Module Server>\services\detect3\node.exe
<Tanium Module Server>\services\detect3\twsm.exe
<Tanium Module Server>\services\event-service\node.exe
<Tanium Module Server>\services\event-service\twsm.exe
<Tanium Module Server>\services\threat-response\node.exe
<Tanium Module Server>\services\twsm-v1\twsm.exe
Tanium Zone Server <Trace Zone Proxy>\proxy\node.exe
Windows x86 and x64 endpoints <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
<Tanium Client>\Tools\IR\TaniumExecWrapper.exe
<Tanium Client>\Tools\IR\TanFileInfo.exe
<Tanium Client>\Tools\IR\TaniumHandle.exe
<Tanium Client>\Tools\IR\TanListModules.exe
<Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
<Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe
<Tanium Client>\Tools\Recorder\TaniumSQLiteQuery.exe
<Tanium Client>\Tools\Trace\TaniumExecWrapper.exe
<Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe
<Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe
<Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
<Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
<Tanium Client>\Python27\TPython.exe
<Installation Location>\sysmon.exe
Mac OS, and Linux x86 and x64 endpoints <Tanium Client>/Tools/EPI/TaniumExecWrapper
<Tanium Client>/Tools/IR/TaniumExecWrapper
<Tanium Client>/Tools/EPI/TaniumEndpointIndex
<Tanium Client>/Tools/Trace/recorder (Linux)
<Tanium Client>/Tools/Trace/TaniumRecorder (Mac)
<Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
<Tanium Client>/Tools/Trace/TaniumExecWrapper
<Tanium Client>/Tools/Detect3/TaniumDetectEngine
<Tanium Client>/python27/python
<Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer

Trace

Table 20:   Trace security exclusions
Target device Process
Tanium Module Server <Tanium Module Server>\services\trace-service\node.exe
Tanium Zone Proxy <Trace Zone Proxy>\proxy\node.exe
Windows x86 endpoints <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe
<Tanium Client>\Tools\Recorder\TaniumSQLiteQuery.exe
<Tanium Client>\Tools\Trace\TaniumExecWrapper.exe
<Installation Location>\sysmon.exe
<Tanium Client>\TaniumTraceCLI.exe
Windows x64 endpoints <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe
<Tanium Client>\Tools\Recorder\TaniumSQLiteQuery.exe
<Tanium Client>\Tools\Trace\TaniumExecWrapper.exe
<Installation Location>\sysmon.exe
<Tanium Client>\TaniumTraceCLI.exe
Mac OS endpoints <Tanium Client>/Tools/Trace/TaniumRecorder
<Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
<Tanium Client>/Tools/Trace/TaniumExecWrapper
Linux x86 endpoints <Tanium Client>/Tools/Trace/recorder
<Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
<Tanium Client>/Tools/Trace/TaniumExecWrapper
Linux x64 endpoints <Tanium Client>/Tools/Trace/recorder
<Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
<Tanium Client>/Tools/Trace/TaniumExecWrapper

Trends

Table 21:   Trends security exclusions
Target Device Process
Module Server <Tanium Module Server>\services\twsm-v1\twsm.exe
<Tanium Module Server>\services\trends\node_modules\@tanium\postgresql\lib\win32\bin\postgres.exe
<Tanium Module Server>\services\trends\node_modules\@tanium\postgresql\lib\win32\bin\pg_ctl.exe

Last updated: 10/15/2019 2:27 PM