Anyone using Sentinel One in an environment with FSLogix Clo World of EUC #

Anyone using Sentinel One in an environment with F...

François-Xavier Rigaud

06/21/2024, 10:53 AM

Anyone using Sentinel One in an environment with FSLogix Cloud Cache? It has been observed that the agent spends the majority of its time monitoring frxccds.exe.

Kasper Johansen

06/21/2024, 1:03 PM

Have you configured the recommended FSLogix antivirus exclusions?

François-Xavier Rigaud

06/21/2024, 1:05 PM

Yes, but it doesn't change much, Cloud Cache's multiple file operations always seem to be analysed, hence my question.

Balint Oberrauch

06/21/2024, 2:08 PM

have you excluded the driver?

Balint Oberrauch

06/21/2024, 2:09 PM

MS states that only the files have to be excluded, experience tells a different story.

👍 1

Kasper Johansen

06/21/2024, 2:11 PM

Back in the day when I was still doing FSLogix I always excluded the VHD/VHX files, various FSLogix related folders and the FSLogix sys files/drivers, kept me and my customers out of troubles 😄

Balint Oberrauch

06/21/2024, 2:31 PM

In my projects, I'm still referring to this website and not the official MS documentation: https://download.parallels.com/ras/v18/docs/en_US/Parallels-RAS-18-Administrators-Guide/47728.htm Exclude files:

%Programfiles%\FSLogix\Apps\frxdrv.sys

%Programfiles%\FSLogix\Apps\frxdrvvt.sys

%Programfiles%\FSLogix\Apps\frxccd.sys

%TEMP%*.VHD

%TEMP%*.VHDX

%Windir%\TEMP*.VHD

%Windir%\TEMP*.VHDX

`\\`storageaccount.file.core.windows.net`\share**.VHD` `\\`storageaccount.file.core.windows.net`\share**.VHDX` Exclude processes:

%Programfiles%\FSLogix\Apps\frxccd.exe

%Programfiles%\FSLogix\Apps\frxccds.exe

%Programfiles%\FSLogix\Apps\frxsvc.exe

👍 1

💯 1

Balint Oberrauch

06/21/2024, 2:35 PM

Please add also the following files: •

\\server-name\share-name\*\*.VHD.lock

•

\\server-name\share-name\*\*.VHD.meta

•

\\server-name\share-name\*\*.VHD.metadata

•

\\server-name\share-name\*\*.VHDX.lock

•

\\server-name\share-name\*\*.VHDX.meta

•

\\server-name\share-name\*\*.VHDX.metadata

And, if using Cloud Cache, you need also the ProgramData Folder: • Cloud Cache specific exclusions •

%ProgramData%\FSLogix\Cache\*

(folder and files) •

%ProgramData%\FSLogix\Proxy\*

(folder and files) Note If you change the default location of the cache or proxy folder, adjust the exclusions accordingly. See: https://learn.microsoft.com/en-us/fslogix/overview-prerequisites

👍 4

👍🏻 1

François-Xavier Rigaud

06/26/2024, 5:46 AM

I've opened an incident with support, so we'll see what they come up with.

Steve Noel

08/23/2024, 6:23 PM

@François-Xavier Rigaud curious if you got anywhere with this?

François-Xavier Rigaud

08/23/2024, 6:42 PM

@Steve Noel S1 Agent upgrade and some more agressive exclusions on FSLogix process

Steve Noel

08/23/2024, 7:10 PM

were they just related to cloud cache VHDX/meta files? or did you end up excluding processes?

François-Xavier Rigaud

08/28/2024, 7:18 AM

Process and folder related to Cloud Cache

Open in Slack

Previous Next