Tomcat 7 antivirus exclusions, firewall exclusions?

[Kerry Hazelton <ke...@gmail.com>]

All,



I am attempting to deploy a managed antivirus agent to two different
machines - one runs RHEL 7.3, kernel version 3.10.0-514; the other runs
Microsoft Windows 2012 R2 - and both are hosting web pages served up by
Apache Tomcat 7.0.78.  What I’d like to know is which processes/services,
files and/or directories need to be excluded from the antivirus scans to
avoid any potential CPU or memory utilization spikes (or worse, the AV
console falsely identifies a legit file as “malicious” and quarantines it).



I’d also like to know which specific TCP/UDP ports will need to be
whitelisted to permit inbound and outbound traffic from our web developer
workstations, since their VLAN is segregated from the rest of the network.
I already know which ports to open on the firewall to allow the antivirus
agents to talk back to the console; I just need to figure out the other
ports to open.



Before I go any further, I’d like to stress the following:



* I wasn’t the one who set up these servers; I was merely tasked with
getting the antivirus agents deployed on them.  The system administrator
who set these up doesn’t know which Linux processes, Windows services,
files or directories to exclude; as he left that up to me to figure out.

* I have already contacted the AV vendor's support team, and they have
indicated they have no documentation that specifically covers any version
of Apache Tomcat.

* The last search on Google I used was “Apache Tomcat 7.x antivirus
exclusions” and I didn’t see any results that were specific to my query.
Same with “Apache Tomcat 7.x firewall exclusions”.

* I looked through the Information Security group on Stack Exchange with
the same queries as above, and again I didn’t see anything promising nor
specific to my queries.

* I attempted to search the mailing list archives using the search terms
“antivirus exclusions” and “firewall permissions”; again, I didn’t see any
answers that were specific to my queries.

* Yes, I’m aware of the risks involved by excluding specific
processes/services, files and directories.  I have tried to convince the
management of these risks but to no avail.  They have agreed to accept
them, along with any consequences that may occur.



Any insight on this would be appreciated.  Thanks.

Re: Tomcat 7 antivirus exclusions, firewall exclusions?

[Kerry Hazelton <ke...@gmail.com>]

Awesome, this will point me in the right direction on where to look and how
to get this deployed.  Thanks!

On Thu, Jun 1, 2017 at 11:55 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Kerry,
>
> On 6/1/17 10:47 AM, Kerry Hazelton wrote:
> > I am attempting to deploy a managed antivirus agent to two
> > different machines - one runs RHEL 7.3, kernel version 3.10.0-514;
> > the other runs Microsoft Windows 2012 R2 - and both are hosting web
> > pages served up by Apache Tomcat 7.0.78.  What I’d like to know is
> > which processes/services, files and/or directories need to be
> > excluded from the antivirus scans to avoid any potential CPU or
> > memory utilization spikes (or worse, the AV console falsely
> > identifies a legit file as “malicious” and quarantines it).
>
> You can probably whitelist everything in the CATALINA_HOME and
> CATALINA_BASE directories, plus the JVM. But the JVM will probably
> only be scanned once on startup and the same thing is true of
> everything in CATALINA_HOME and CATALINA_BASE.
>
> If the server is being kept up-to-date, you may have to update the
> antivirus's settings because CATALINA_HOME and the JVM paths will
> likely change.
>
> > I’d also like to know which specific TCP/UDP ports will need to be
> > whitelisted to permit inbound and outbound traffic from our web
> > developer workstations, since their VLAN is segregated from the
> > rest of the network. I already know which ports to open on the
> > firewall to allow the antivirus agents to talk back to the console;
> > I just need to figure out the other ports to open.
>
> The ports will be dependent upon what the Tomcat administrator has
> configured in Tomcat. Unless there are some XML includes being used
> (which is fairly rare, but not unheard of), everything you need will
> be in CATALINA_BASE/conf/server.xml. Look for lines that look like this:
>
> <Connector port="XXX"
>
> ...where XXX is the port number being used. Check to see if there is
> an "address" attribute on the XML element: if there is one and it's
> something like "127.0.0.1" or "::" then you won't have to open a
> firewall port, of course.
>
> There may be more than one connector.
>
> My recommendation would be to speak to the Tomcat administrator(s) to
> find out what they expect to keep open.
>
> > Before I go any further, I’d like to stress the following:
> >
> > * I wasn’t the one who set up these servers; I was merely tasked
> > with getting the antivirus agents deployed on them.  The system
> > administrator who set these up doesn’t know which Linux processes,
> > Windows services, files or directories to exclude; as he left that
> > up to me to figure out.
>
> Awesome. Who is the admin for Tomcat itself? Same person? If so, tell
> them to do their job. :(
>
> > * I have already contacted the AV vendor's support team, and they
> > have indicated they have no documentation that specifically covers
> > any version of Apache Tomcat.
>
> That's not terribly surprising.
>
> > * The last search on Google I used was “Apache Tomcat 7.x
> > antivirus exclusions” and I didn’t see any results that were
> > specific to my query. Same with “Apache Tomcat 7.x firewall
> > exclusions”.
> >
> > * I looked through the Information Security group on Stack Exchange
> > with the same queries as above, and again I didn’t see anything
> > promising nor specific to my queries.
> >
> > * I attempted to search the mailing list archives using the search
> > terms “antivirus exclusions” and “firewall permissions”; again, I
> > didn’t see any answers that were specific to my queries.
> >
> > * Yes, I’m aware of the risks involved by excluding specific
> > processes/services, files and directories.  I have tried to
> > convince the management of these risks but to no avail.  They have
> > agreed to accept them, along with any consequences that may occur.
>
> You should try to convince management that virus scanners are
> completely useless, and save yourself a whole lot of time and
> resources. Then you'll have one less thing to do. :)
>
> You could just let the antivirus do whatever it will do by default,
> and then open things up individually until things start working again.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJZMDkGAAoJEBzwKT+lPKRY2dYP/0pDPcNHxvFeSAn3uvORc18h
> qfk36sQGy4UAui+nZ+x+BDi3SkA+ABQhSATz9oXejJaAAODgui0B1m4OoXcDmUNa
> fUbMu60f+yjn909FgRJNICWbFZIa1ahpYboTtn7T65BWAW//XLn98CXYJiJjhPJk
> 9/KywVeHOe+9BRCRQPym3I/0ATHO2CT2ik9NxGr1SRF8fc3qIBEerkv1WfnGSq8Y
> 0UvUlVpIHB4cTGZCMzkUpL+8/RshPWc3qCKFIwAC4XiW0XZKvc33L+krwZLxejVk
> gATVCPkEwij4mOUqAxx27fp19AUyqmDdr84r/Q8nkOpxZIXZOR3Mg5I1oZQsPpBQ
> WIwo9Z/N5nLpYvtbs2Tp1qGsAq21TvEn6B+7nS9UtiQlFlVtk0Q2xo3ja+bjnxMR
> 14BdM4Gsz3ZV/tkTZ9t8lhwOc2eiLsQGwGXPOvd+1hz/JOcO5Yi1evIUCfJMXAbf
> 3Xj58R0lGd2XlffLZ5qhcc84B9zpxn+5XplijQWVN4opMM/KjFPSoTwwYd7SBU8X
> hc9QYru+YkQxPe1z1eExuI6nvmYLZL1G2vQ8ftu/I1lo9RWCn7rGrfCHSJnAgOyd
> voXLtn+kb0QgRvHoZGlHkSk7huL7rfSPiUnqNrnXWh5coq4gb7dsC2xV+RaN4PlW
> +uT1rtgcmu+r5A8Ax1an
> =8cAP
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Tomcat 7 antivirus exclusions, firewall exclusions?

[Christopher Schultz <ch...@christopherschultz.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Kerry,

On 6/1/17 10:47 AM, Kerry Hazelton wrote:
> I am attempting to deploy a managed antivirus agent to two
> different machines - one runs RHEL 7.3, kernel version 3.10.0-514;
> the other runs Microsoft Windows 2012 R2 - and both are hosting web
> pages served up by Apache Tomcat 7.0.78.  What I’d like to know is
> which processes/services, files and/or directories need to be
> excluded from the antivirus scans to avoid any potential CPU or
> memory utilization spikes (or worse, the AV console falsely
> identifies a legit file as “malicious” and quarantines it).

You can probably whitelist everything in the CATALINA_HOME and
CATALINA_BASE directories, plus the JVM. But the JVM will probably
only be scanned once on startup and the same thing is true of
everything in CATALINA_HOME and CATALINA_BASE.

If the server is being kept up-to-date, you may have to update the
antivirus's settings because CATALINA_HOME and the JVM paths will
likely change.

> I’d also like to know which specific TCP/UDP ports will need to be 
> whitelisted to permit inbound and outbound traffic from our web
> developer workstations, since their VLAN is segregated from the
> rest of the network. I already know which ports to open on the
> firewall to allow the antivirus agents to talk back to the console;
> I just need to figure out the other ports to open.

The ports will be dependent upon what the Tomcat administrator has
configured in Tomcat. Unless there are some XML includes being used
(which is fairly rare, but not unheard of), everything you need will
be in CATALINA_BASE/conf/server.xml. Look for lines that look like this:

<Connector port="XXX"

...where XXX is the port number being used. Check to see if there is
an "address" attribute on the XML element: if there is one and it's
something like "127.0.0.1" or "::" then you won't have to open a
firewall port, of course.

There may be more than one connector.

My recommendation would be to speak to the Tomcat administrator(s) to
find out what they expect to keep open.

> Before I go any further, I’d like to stress the following:
> 
> * I wasn’t the one who set up these servers; I was merely tasked
> with getting the antivirus agents deployed on them.  The system
> administrator who set these up doesn’t know which Linux processes,
> Windows services, files or directories to exclude; as he left that
> up to me to figure out.

Awesome. Who is the admin for Tomcat itself? Same person? If so, tell
them to do their job. :(

> * I have already contacted the AV vendor's support team, and they
> have indicated they have no documentation that specifically covers
> any version of Apache Tomcat.

That's not terribly surprising.

> * The last search on Google I used was “Apache Tomcat 7.x
> antivirus exclusions” and I didn’t see any results that were
> specific to my query. Same with “Apache Tomcat 7.x firewall
> exclusions”.
> 
> * I looked through the Information Security group on Stack Exchange
> with the same queries as above, and again I didn’t see anything
> promising nor specific to my queries.
> 
> * I attempted to search the mailing list archives using the search
> terms “antivirus exclusions” and “firewall permissions”; again, I
> didn’t see any answers that were specific to my queries.
> 
> * Yes, I’m aware of the risks involved by excluding specific 
> processes/services, files and directories.  I have tried to
> convince the management of these risks but to no avail.  They have
> agreed to accept them, along with any consequences that may occur.

You should try to convince management that virus scanners are
completely useless, and save yourself a whole lot of time and
resources. Then you'll have one less thing to do. :)

You could just let the antivirus do whatever it will do by default,
and then open things up individually until things start working again.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJZMDkGAAoJEBzwKT+lPKRY2dYP/0pDPcNHxvFeSAn3uvORc18h
qfk36sQGy4UAui+nZ+x+BDi3SkA+ABQhSATz9oXejJaAAODgui0B1m4OoXcDmUNa
fUbMu60f+yjn909FgRJNICWbFZIa1ahpYboTtn7T65BWAW//XLn98CXYJiJjhPJk
9/KywVeHOe+9BRCRQPym3I/0ATHO2CT2ik9NxGr1SRF8fc3qIBEerkv1WfnGSq8Y
0UvUlVpIHB4cTGZCMzkUpL+8/RshPWc3qCKFIwAC4XiW0XZKvc33L+krwZLxejVk
gATVCPkEwij4mOUqAxx27fp19AUyqmDdr84r/Q8nkOpxZIXZOR3Mg5I1oZQsPpBQ
WIwo9Z/N5nLpYvtbs2Tp1qGsAq21TvEn6B+7nS9UtiQlFlVtk0Q2xo3ja+bjnxMR
14BdM4Gsz3ZV/tkTZ9t8lhwOc2eiLsQGwGXPOvd+1hz/JOcO5Yi1evIUCfJMXAbf
3Xj58R0lGd2XlffLZ5qhcc84B9zpxn+5XplijQWVN4opMM/KjFPSoTwwYd7SBU8X
hc9QYru+YkQxPe1z1eExuI6nvmYLZL1G2vQ8ftu/I1lo9RWCn7rGrfCHSJnAgOyd
voXLtn+kb0QgRvHoZGlHkSk7huL7rfSPiUnqNrnXWh5coq4gb7dsC2xV+RaN4PlW
+uT1rtgcmu+r5A8Ax1an
=8cAP
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org