To eliminate the chance that AntiVirus, AntiMalware, and other security-related software cause corruption or lock up files in the Qlik environment, or...
To eliminate the chance that AntiVirus, AntiMalware, and other security-related software cause corruption or lock up files in the Qlik environment, or cause issues during an installation/upgrade/patch, some folders should be excluded from live scanning.
- The impact of Anti-virus, Endpoint detection and response (EDR) and Advanced Threat Prevention (ATP) scans locking Qlik-related files (such as .qvf files, as well as NPrinting task files, etc...) can result in loading and refresh failures as well as performance issues.
- Qlik Sense requires access to predetermined TCP and UDP ports to function. If anti-virus software prevents traffic on these ports, Qlik Sense may not function as expected. This can include running exe files, data connections, etc.
- Qlik Sense constantly updates several log files and relies on multiple config and binary files to function correctly. If the anti-virus software is scanning these files and folders, then this may cause upgrades/installation to fail, performance issues, or cause the services to fail.
For an example demonstrating exclusions with Symantec, see Antivirus exceptions for Qlik Sense- McAfee, Symantec & Other Anti-Virus exclusions absolutely required
The following folders should be considered for an exception:
Note 1: Verify requirements on the Qlik Sense Online Help for the installed version
Note 2: A machine reboot is required after exclusions are made
Note 3: For Qlik Sense Desktop additional locations, see the appropriate Qlik help page for the version being installed. See Installing Qlik Sense Desktop.
- All executables under %Program Files%\Qlik\Sense
- All executables under %ProgramFiles%\Common Files\Qlik\Custom Data
- The PostgreSQL database/data folder: If you have previously unbundled PostgreSQL or have installed a standalone PostgreSQL instance, the relevant \PostgreSQL\ folders should be considered as well. For a setup which was unbundled using QPI, this may be C:\Program Files\PostgreSQL\14. For manually installed instances, see Running & Installing PostgreSQL On Native Windows
- Any QVD files (or the folder where you save your QVDs) you may use to read/write during your reloads.
- The full share root folder location which includes the App folder configured in the Service Cluster. The app folder stores all app files. In latest releases of Qlik Sense, files with .lock extensions are generated, and each binary app file has its own .lock file. These file must be excluded from analysis as well.
- It is not recommended to exclude the Static Content root folder in the Service Cluster, as this is the target location for end user uploads
- Make sure that the Antivirus doesn't block Qlik Sense from updating the keys in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ , as this will block the system bootstrap.
Ports to be excluded from Anti-Virus Monitoring / Blocking
- See the relevant piece of documentation for your version of Qlik Sense: Help Site > Deploy > Planning your deployment > Architecture > Ports
- Sophos Antivirus will require 127.0.0.1 * to be excluded
Make sure that the anti-virus is not blocking access to certificates stored in the following location and their private keys: Personal (Local Computer), Trusted Root Certification Authorities (Local Computer), Personal (Current User for the service account)
EDR and ATP
Please note that usual anti-virus exclusions might not apply to the EDR and ATP setup. Speak to your solution vendor to get the exclusions in place. For example, if you use Microsoft's Advanced Threat Protection (Microsoft Defender for Endpoint), then the exclusion list is handled by Microsoft, and you will need to open a ticket with Microsoft to get an exclusion in place.
Due to the different versions of Qlik Sense and Enhancement, to obtain a list of exclusions for EDR and ATP, you can use the following commands.
- Open a Windows Command line as Administrator.
- Run the following commands to obtain a file list:
- C:\Program Files\Qlik>dir /s *.exe > exclussionfolder1.txt
- C:\ProgramData\Qlik>dir /s *.exe > exclussionfolder2.txt
- C:\ProgramData\Qlik\Sense>dir /s *.qvd > exclussionfolder3.txt
- C:\ProgramData\Qlik\Sense>dir /s *.qvf > exclussionfolder4.txt
- C:\Program Files\Common Files\Qlik>dir /s *.exe > exclussionfolder5.txt
It is best to have the fileserver (SharedFolder) not in the policy for ATP/EDR scan.
Note: Qlik Support cannot provide support and services for any Qlik Servers in which performance issues, port issues, installation, patching, or upgrading problems occur if these directories are not made exempt for any and all Anti-Virus solution. It will be best-effort, as the exclusions of these directories is a prerequisite to Qlik software.
Ref: Qlik Sense Help, Deploy > Troubleshooting - Deployment > Anti-virus software scanning affects performance