Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW

Qlik Sense Folder And Files To Exclude From Anti-Virus Scanning

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Bastien_Laugiero

Qlik Sense Folder And Files To Exclude From Anti-Virus Scanning

Last Update:

Nov 1, 2023 6:03:55 AM

Updated By:

Sonja_Bauernfeind

Created date:

Mar 13, 2017 9:15:24 AM

To eliminate the chance that AntiVirus, AntiMalware, and other security-related software cause corruption or lock up files in the Qlik environment, or cause issues during an installation/upgrade/patch, some folders should be excluded from live scanning.

  • The impact of Anti-virus, Endpoint detection and response (EDR) and Advanced Threat Prevention (ATP) scans locking Qlik-related files (such as .qvf files, as well as NPrinting task files, etc...) can result in loading and refresh failures as well as performance issues.
  • Qlik Sense requires access to predetermined TCP and UDP ports to function. If anti-virus software prevents traffic on these ports, Qlik Sense may not function as expected. This can include running exe files, data connections, etc.
  • Qlik Sense constantly updates several log files and relies on multiple config and binary files to function correctly. If the anti-virus software is scanning these files and folders, then this may cause upgrades/installation to fail, performance issues, or cause the services to fail.

For an example demonstrating exclusions with Symantec, see Antivirus exceptions for Qlik Sense- McAfee, Symantec & Other Anti-Virus exclusions absolutely requi...

The following folders should be considered for an exception:

Note 1: Verify requirements on the Qlik Sense Online Help for the installed version
Note 2: A machine reboot is required after exclusions are made
Note 3: For Qlik Sense Desktop additional locations, see the appropriate Qlik help page for the version being installed. See Installing Qlik Sense Desktop.

  • %ProgramData%\Qlik
  • All executables under %Program Files%\Qlik\Sense
  • All executables under %ProgramFiles%\Common Files\Qlik\Custom Data
  • The PostgreSQL database/data folder: If you have previously unbundled PostgreSQL or have installed a standalone PostgreSQL instance, the relevant \PostgreSQL\ folders should be considered as well. For a setup which was unbundled using QPI, this may be C:\Program Files\PostgreSQL\14. For manually installed instances, see Running & Installing PostgreSQL On Native Windows
  • Any QVD files (or the folder where you save your QVDs) you may use to read/write during your reloads. 
  • The full share root folder location which includes the App folder configured in the Service Cluster. The app folder stores all app files. In latest releases of Qlik Sense, files with .lock extensions are generated, and each binary app file has its own .lock file. These file must be excluded from analysis as well.
  • It is not recommended to exclude the Static Content root folder in the Service Cluster, as this is the target location for end user uploads
  • Make sure that the Antivirus doesn't block  Qlik Sense from updating the keys in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ , as this will block the system bootstrap. 

Ports to be excluded from Anti-Virus Monitoring / Blocking

  • See the relevant piece of documentation for your version of Qlik Sense: Help Site > Deploy > Planning your deployment > Architecture > Ports
  • Sophos Antivirus will require 127.0.0.1 *  to be excluded

Certificates

Make sure that the anti-virus is not blocking access to certificates stored in the following location and their private keys: Personal (Local Computer), Trusted Root Certification Authorities (Local Computer), Personal (Current User for the service account)

EDR and ATP 

Please note that usual anti-virus exclusions might not apply to the EDR and ATP setup. Speak to your solution vendor to get the exclusions in place. For example, if you use Microsoft's Advanced Threat Protection (Microsoft Defender for Endpoint), then the exclusion list is handled by Microsoft, and you will need to open a ticket with Microsoft to get an exclusion in place. 

Due to the different versions of Qlik Sense and Enhancement, to obtain a list of exclusions for EDR and ATP, you can use the following commands.

  1. Open a Windows Command line as Administrator. 
  2. Run the following commands to obtain a file list: 
    1. C:\Program Files\Qlik>dir /s *.exe > exclussionfolder1.txt
    2. C:\ProgramData\Qlik>dir /s *.exe > exclussionfolder2.txt 
    3. C:\ProgramData\Qlik\Sense>dir /s *.qvd > exclussionfolder3.txt
    4. C:\ProgramData\Qlik\Sense>dir /s *.qvf > exclussionfolder4.txt
    5. C:\Program Files\Common Files\Qlik>dir /s *.exe > exclussionfolder5.txt

It is best to have the fileserver (SharedFolder) not in the policy for ATP/EDR scan.



Note: Qlik Support cannot provide support and services for any Qlik Servers in which performance issues, port issues, installation, patching, or upgrading problems occur if these directories are not made exempt for any and all Anti-Virus solution. It will be best-effort, as the exclusions of these directories is a prerequisite to Qlik software.

Ref: Qlik Sense Help, Deploy > Troubleshooting - Deployment > Anti-virus software scanning affects performance

 

Labels (2)
Comments
KristofferD
Contributor
Contributor

Great article.

Our anti-virus software requires a more specific definition of: 

  • All executables under %Program Files%\Qlik\Sense
  • All executables under %ProgramFiles%\Common Files\Qlik\Custom Data

Could you explain which files that is included? Is it all *.exe or *.com or *.dll or specific files?

linushansen
Contributor II
Contributor II

I also need a more specific definition of the exectuables under program files. Could you please explain?

Kind Regards

Linus Hansen

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @linushansen and @KristofferD 

The .exe files are the executables pointed out in this article. Depending on your version of Qlik Sense this may vary as we have added services between versions. 

 

All the best,

Sonja

KristofferD
Contributor
Contributor

Thank you @Sonja_Bauernfeind . It is working for us now.

p_verkooijen
Partner - Specialist
Partner - Specialist

@Sonja_Bauernfeind 

Since an unbundled postgresql is its own folder (C:\Program Files\PostgreSQL\14), shouldn't this be added to exclusions

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @p_verkooijen 

I'll look into rephrasing this to cover not only the bundled PostgreSQL and the QPI unbundled one, but other standalone instances as well. Thank you!

All the best,
Sonja 

Version history
Last update:
‎2023-11-01 06:03 AM
Updated by: