Knowledge Base Article
KB01062 - Anti-virus Software and the PI System
Product: PI AF / PI DataLink / Notifications / PI Data Archive / Asset Analytics
Version(s): 3.x
 

Issue

With the increasing threat of cyber attacks, it is important to have a properly implemented solution for malicious code execution prevention as part of your defense-in-depth security strategy for the PI System.  

Solution

Antivirus/antimalware and application whitelisting technologies are important to identify and block malicious applications. Guidance on implementing basic application whitelisting policies with the PI Server by leveraging AppLocker is covered in KB00994. This article will focus primarily on antivirus with PI System applications. File exclusions are recommended for certain kinds of files in the PI System when implementing antivirus. The recommendations below are provided as a guide. Your approach must take into account your business requirements and operational realities. Please test any new configuration in a non-production environment whenever possible.

Types of file exclusion

When excluding files from antivirus scans, there are typically 3 filter types: file-level, folder-level and file-class. Not all antivirus software supports all of these filter types. Consult your antivirus documentation for details regarding its supported filters.
  • File-level filtering. Exclude individual files.
  • Folder-level filtering. Exclude every file and sub-folder within a particular folder.
  • File-class filtering. Exclude a particular file type by using a wildcard symbol with the file type extension (for example: *.dat to exclude any files with the dat file extension).

OSIsoft recommends using file-class and folder-level filtering in tandem. The filtering types are listed in order of preference:
  • Best: Use file-class and folder-level filtering together. Use file-class filtering for each of the specified file types (archives, queues, and logs), but apply this exclusion only to specific folders.
  • Good: Use file-class filtering only. Use file-class filtering to exclude all files with a certain extension or name pattern. Caution: other software may use the same file extensions, and those files will be excluded from scans as well.
  • Acceptable: Use folder-level filtering only. Use folder-level filtering to exclude folders from being scanned. Excluding entire folders is not recommended and is particularly dangerous if the folder contains binary or executable files.

Types of PI System files to exclude

Any PI System-related archive, buffer queue, event queue, or message log file should be excluded from scans.

Table 1 - Types of PI System Files that should be excluded from anti-virus scans
 
  Product                        File types to exclude
  PI Data Archive                Archive/Annotation, Event Queue, Message Log
  Interface Node                 Buffer Queue, Message Log, Failover Sync File
  PI applications w/ buffering   Buffer Queue, Message Log
  PI Web API                     Index
  All other PI software          Message Log
 

Defining exclusion rules for PI System files

The following steps assume default installation directories. In particular, PI Server archives and event queues are often moved to a non-default location. Determine non-default locations by checking both of the following tuning parameters in PI System Management Tools (SMT):
  • Snapshot_EventQueuePath for the event queue location
  • Archive_AutoArchiveFileRoot (PI Server version 3.4 and above) and/or Archive_AutoArchiveFileExt (PI Server 2012 and above) for the archive location, if automatic archive creation is configured
To create an exclusion rule:
  1. Find the PI software you have installed in Table 1 and determine file type(s) that will need to have an AV exclusion rule.
  2. For each of the file types from step one, determine the appropriate extension for file-class filtering.
     
     File Type            Extension
     Archive              *.arc
     Archive Annotation   *.arc.ann
     Buffer Queue         *.dat
     Event Queue          *.dat
     Message Log          *.dat
     Failover Sync File   *.dat
  3. Determine the appropriate file location of the files.
     
     File Type                                     Default File Location
     Archive                                       %piserver%dat
     Archive Annotation                            %piserver%dat
       (Archive and annotation files are often moved to a separate drive; check the list of registered archive files for the location(s).)
     Event Queue                                   %piserver%dat
       (Event queue files are often moved to a separate drive; check the value of the tuning parameter Snapshot_EventQueuePath.)
     Buffer Queue (pibufss 4.3 and later)          %ProgramData%OSIsoft\buffering
     Buffer Queue (pibufss 3.4.380 and before)     %pihome%\dat
     Buffer Files (PI Cloud Connect)               %AppData%Roaming\OSIsoft\IXS.Service\
       (AppData refers to the value for the service identity.)
     Message Log (PI Data Archive)                 %piserver%log
     PIPC Message Logs (all other PI products)     %pihome64%log
     Failover Sync File                            no default location
       (The user chooses the location of the Failover Sync File during setup. Check the ICU or the interface's .bat file for the location.)
     PI Web API Search folder                      %ProgramData%OSIsoft\WebAPI\Search
     PI Connector Configuration folder             %pihome64%Connectors\connectorName\Configuration
     PI Connector Program Data                     %ProgramData%OSIsoft\Tau
     PI Connector Relay Configuration folder       %pihome64%Connector Relay\Relay\Configuration
     PI Connector Relay Program Data               %ProgramData%OSIsoft\Tau
     Data Collection Manager Configuration folder  %pihome64%Data Collection Manager\DataCollectionManager\Configuration
     Data Collection Manager Program Data          %ProgramData%OSIsoft\Tau
     Asset Analytics Logs                          %ProgramData%OSIsoft\PIAnalysisNotifications\Logs
       (You can choose to exclude only .txt files.)
     Asset Analytics main folder                   %ProgramData%OSIsoft\PIAnalysisNotifications
     Notifications Logs                            %ProgramData%OSIsoft\PINotifications\Logs
       (You can choose to exclude only .txt files.)
     Notifications Data                            %ProgramData%OSIsoft\PINotifications\Data
     Managed PI                                    %ProgramData%OSIsoft\PIDiagnostics
     Managed PI Agent                              %ProgramData%OSIsoft\PI Agent
  4. Build the complete exclusion rule, and then add the rule to your AV software configuration. The exclusion rule takes the form <File Location>\<Extension>. For example:
C:\Program Files\PI\dat\*.arc

Example: PI Server Standard Installation

In this example, we show the steps necessary to exclude files on a standard PI Server installation.
 
 Step  What To Do                                                          Example
 1     Identify file types for exclusion rules                             Archive, archive annotation, event queue and message log
 2     Determine file extensions of the files to be excluded               *.arc, *.arc.ann, *.dat
 3     Determine directory location                                        C:\Program Files\PI\dat\
 4     Create exclusion rule using file-class and folder-level filtering   C:\Program Files\PI\dat\*.arc
 5     Add exclusion rule to anti-virus software and repeat steps 2-4      C:\Program Files\PI\dat\*.arc.ann
       for the other file types identified in step 1                       C:\Program Files\PI\dat\*.dat
                                                                           C:\Program Files\PI\log\*.dat
 

Below is an exclusion rule example in System Center Endpoint Protection. Your AV solution may have a different look and syntax.

[Image: SDriscoll_AV_Exclusion_Rule_Example.png - exclusion rule example in System Center Endpoint Protection]
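The same rules expressed for the platform's built-in antimalware, as an added example that is not part of this article and not OSIsoft's own code. It builds the folder-scoped file-class exclusions from the PI Data Archive row of Table 1 (the "Best" filtering type above) and applies them through the Windows Defender cmdlets Get-MpPreference and Add-MpPreference. The parameters $PiServer, $ArchiveRoots and $EventQueuePath are this script's own assumptions: it reads %piserver% from the environment and falls back to C:\Program Files\PI\, and it expects you to paste in any non-default archive or event queue locations you found in SMT.

```powershell
# Added example (not from the KB): build folder-scoped file-class exclusion
# rules for a PI Data Archive and apply them to Windows Defender.
# Assumptions: default locations from the KB; non-default archive/event queue
# paths looked up in SMT beforehand and passed in as parameters.
#Requires -RunAsAdministrator
param(
    [string]$PiServer = $(if ($env:PISERVER) { $env:PISERVER } else { 'C:\Program Files\PI\' }),
    [string[]]$ArchiveRoots = @(),   # e.g. 'D:\PIArchives\' if archives were moved (assumed value)
    [string]$EventQueuePath = '',    # value of Snapshot_EventQueuePath if non-default
    [switch]$Apply                   # without -Apply the script only reports what it would add
)

$rules = [System.Collections.Generic.List[hashtable]]::new()
# Table 1, PI Data Archive row: archive/annotation, event queue, message log.
$rules.Add(@{ Folder = Join-Path $PiServer 'dat'; Extension = '*.arc' })
$rules.Add(@{ Folder = Join-Path $PiServer 'dat'; Extension = '*.arc.ann' })
$rules.Add(@{ Folder = Join-Path $PiServer 'dat'; Extension = '*.dat' })
$rules.Add(@{ Folder = Join-Path $PiServer 'log'; Extension = '*.dat' })
foreach ($root in $ArchiveRoots) {
    $rules.Add(@{ Folder = $root; Extension = '*.arc' })
    $rules.Add(@{ Folder = $root; Extension = '*.arc.ann' })
}
if ($EventQueuePath) {
    $rules.Add(@{ Folder = $EventQueuePath; Extension = '*.dat' })
}

# Form from the KB: <File Location>\<Extension>. Skip folders that do not
# exist so a typo never turns into a stale, unreviewed exclusion.
$exclusions = foreach ($r in $rules) {
    $folder = $r.Folder.TrimEnd('\')
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Folder not found, skipping: $folder"
        continue
    }
    "$folder\$($r.Extension)"
}

$existing = (Get-MpPreference).ExclusionPath
foreach ($e in $exclusions) {
    if ($existing -contains $e) {
        Write-Host "Already excluded:       $e"
    } elseif ($Apply) {
        Add-MpPreference -ExclusionPath $e
        Write-Host "Added exclusion:        $e"
    } else {
        Write-Host "Would add (use -Apply): $e"
    }
}

# Review check: list any configured exclusion that is broader than a
# *.arc / *.arc.ann / *.dat file-class filter (whole folders, executables).
$broad = (Get-MpPreference).ExclusionPath | Where-Object { $_ -notmatch '\\\*\.(arc|arc\.ann|dat)$' }
if ($broad) {
    Write-Warning "Exclusions broader than a PI file-class filter, review them: $($broad -join ', ')"
}
```

Run it once without -Apply to see the rules it would add, then with -Apply from an elevated session. The closing check is deliberate: the article warns that whole-folder exclusions are dangerous when a folder holds binaries, so anything that is not a scoped file-class pattern is surfaced for review rather than silently kept.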
 

Client Node Considerations

For clients leveraging PI DataLink, the .NET shadow copy folders may need to be whitelisted. The folders are located within %LocalAppData%\assembly\dl3. The full path is specified in the registry key \\HKCU\Software\Microsoft\Fusion\DownloadCacheLocation.
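A short check for the client-side case above, added here as an example that is not part of this article: it reads the DownloadCacheLocation value from the registry key named in the text, falls back to the default %LocalAppData%\assembly\dl3 when the value is absent, and reports the resolved folder so the exclusion is made for the real shadow copy path rather than an assumed one. The assumption is that it runs in the session of the user who uses PI DataLink, since HKCU belongs to that user.

```powershell
# Added example (not from the KB): resolve the .NET shadow copy folder used by
# PI DataLink clients before excluding it. Assumption: run as the interactive
# user whose HKCU hive holds the Fusion settings.
$default = Join-Path $env:LOCALAPPDATA 'assembly\dl3'
$fusion  = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Fusion' `
                            -Name 'DownloadCacheLocation' -ErrorAction SilentlyContinue

$shadow = if ($fusion -and $fusion.DownloadCacheLocation) {
    # The registry value may contain %VAR% references; expand them.
    [Environment]::ExpandEnvironmentVariables($fusion.DownloadCacheLocation)
} else {
    $default
}

if (-not (Test-Path -LiteralPath $shadow -PathType Container)) {
    Write-Warning "Shadow copy folder does not exist yet: $shadow"
}

# Output for the AV administrator: where the value came from and the exact
# folder to exclude (folder-level, so keep it to this path only).
[pscustomobject]@{
    Source     = if ($fusion -and $fusion.DownloadCacheLocation) { 'registry' } else { 'default' }
    ShadowCopy = $shadow
    Exists     = Test-Path -LiteralPath $shadow -PathType Container
}
```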
 

Frequently Asked Questions

Why would I need to exclude PI System files from my antivirus software?

Antivirus software checks whether any part of a file's binary content contains a sequence of bits that matches a known malware signature. If so, the AV flags the file and takes some action to protect the system. Antivirus software is known to have issues with transitory files, that is, files whose bit patterns are constantly changing. Problems arise from the constant need to re-scan as well as from the possibility of random bit patterns matching a virus signature. This can affect performance and can even lead to files being quarantined. Antivirus exclusion rules are a generally accepted practice for mitigating these issues. For example, see:
The PI System's core functionality is data collection, storage, manipulation, and visualization. Many PI System files are transitory in nature, so they are susceptible to the issues described above, most notably performance issues. In addition, if a binary sequence in a part of a PI System file that holds data matches a known virus signature, the file may be flagged and quarantined. Consequently, improperly configured AV software can result in the following:
  • Data loss. If a PI data file is flagged by anti-virus, it can potentially be altered in such a way that the data is unrecoverable.
  • Poor system performance. PI data files can be quite large and change often. If the anti-virus attempts to lock and/or re-scan the file every time it changes, system resources can be over-utilized.

Does OSIsoft recommend any specific antimalware/antivirus solutions?

Enterprise management infrastructure for antimalware/antivirus is usually the dominant factor, so we recommend leveraging your existing investment. Alternatively, we recommend maximizing the capability built into the platform: the integrated Windows Defender, Device Guard and AppLocker services are recommended. For the best compatibility, check the Windows Server Catalog for security solutions that are certified for your operating system.

What is the relationship between application whitelisting and antimalware?

Antimalware broadly includes antivirus, application whitelisting, and host-based intrusion detection agents. These security solution categories are considered complementary.

What should I do if antivirus detects a PI System file as infected?

Don't panic! Antivirus is frequently used to scan files downloaded from the internet and the methods used are imperfect. Any detection related to PI System files should be reported to your security team and OSIsoft technical support. A coordinated triage approach between your company and OSIsoft is used to determine the root cause of the detection and next steps as appropriate.

Caution: Please do not blindly upload a sample to an aggregate site such as VirusTotal; check whether the file hash is already present first. In the event that a file has been tampered with, uploading it could inadvertently alert adversaries to the detection.
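A triage helper for the advice above, added here as an example and not part of this article: it gathers what your security team and OSIsoft support will ask for about a flagged file (path, size, timestamp, SHA-256 hash, and for executables the Authenticode signature status) without sending the file anywhere, so the hash can be looked up before anything is uploaded. The Authenticode check is an added step beyond the article; the assumption is that $FlaggedFile is the path your AV reported and that it is readable from where you run the script.

```powershell
# Added example (not from the KB): collect reporting details for a flagged PI
# file locally. Assumption: $FlaggedFile is the path reported by the AV.
param([Parameter(Mandatory)][string]$FlaggedFile)

if (-not (Test-Path -LiteralPath $FlaggedFile -PathType Leaf)) {
    throw "File not found: $FlaggedFile"
}

$item = Get-Item -LiteralPath $FlaggedFile
# SHA-256 is what aggregate sites key on; look the hash up before uploading.
$hash = Get-FileHash -LiteralPath $FlaggedFile -Algorithm SHA256

# Archive, queue and log files (.arc, .dat, .txt) are data and carry no
# signature; only executables and DLLs are expected to be Authenticode-signed.
$sig = $null
if ($item.Extension -in '.exe', '.dll') {
    $sig = Get-AuthenticodeSignature -LiteralPath $FlaggedFile
}

[pscustomobject]@{
    Path            = $item.FullName
    SizeBytes       = $item.Length
    LastWriteUtc    = $item.LastWriteTimeUtc
    Sha256          = $hash.Hash
    SignatureStatus = if ($sig) { $sig.Status.ToString() } else { 'n/a (data file)' }
    Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
} | Format-List
```

For a data file the interesting fields are the hash and the last-write time; for a binary, a SignatureStatus other than Valid is the first thing to include in the report to your security team and OSIsoft.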
 

Has OSIsoft identified any potential conflicts with antivirus solutions?

Some antivirus solutions make use of a Layered Service Provider (LSP) to integrate with networked applications, or of the Detours library for Buffer Overflow Protection and data control. Use of these techniques has in some cases been observed to affect the performance of PI Data Archive client connections. Antivirus solutions typically allow process exclusions for these features. The PI Data Archive should be considered for exclusion, as DEP and other defenses are enabled, as shown in Table 2 of KB00833, PI Data Archive Leveraging Microsoft Software Security Defenses.
 

Where can I learn more about PI System cyber security?

For more information on security for OSIsoft products, see the PI System Cyber Security page.
 
Article ID: KB01062
Article Type: Informational
Created: 2014-07-21
Last Updated: 2018-06-15