CrowdStrike Falcon security settings can be configured on the computers that have the Windows File Archiver agent installed. It allows for scanning of processes that are running on the servers. By default these processes are scanned in real-time for known viruses as and when the files are being processed for archiving. The "Scanning Phase" of archiving keeps triggering the scanning process of the antivirus, which is very resource intensive.
However, CrowdStrike Falcon security can be configured to avoid scanning the archived files.
Configure Windows Registry
Add exclusion for all Commvault processes and install dirs in the CrowdStrike software.
-
Start the Registry Editor on the computer where the file archiver agent is installed.
-
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cvmhsm\Parameters\.
-
Right-click Parameters, point at New and click String Value.
-
In the Value Name box type ExcludeProcessX.
Where X is the next consecutive number in the list (i.e. ExcludeProcess1, ExcludeProcess2, etc.)) for any process that should not initiate recalls.
All ExcludeProcess names must be truncated to a maximum 15 character string value or the Windows OS Kernel Mode will not process the exclusion properly. This would result in the exclusion being ignored, unexpected recalls occurring and other unexplained stub activities.
For example:
Processnamelong (Truncated from Processnamelongerthen15characters.exe to meet 15 character limit)
-
Add the following list of AV processes to be excluded at Commvault's driver for file recalls:
-
CSFalconService
-
CSFalconContain
-
-
After the exclusions are added, recycle the Client Manager Service (CLMgrS).
-
Restart the Commvault services for the registry to take its effect.