ECM (Docstar) and IDC Antivirus / EDR Exceptions

Anyone have any recommendations for scanning exclusions for ECM (Docstar) and IDC when it comes to antivirus and EDR?

Interested to hear about these. You seeing some issues?

nope. just want to do what is best practice for best performance, that is all.

Right on, let’s hear it people!!! @MikeGross … any recommendations?

We use SentinelOne EDR and haven’t had to set any exceptions

We use Carbon Black and have not had to enter any exceptions. However… the IDC v9.11 upgrade notes say this (the first I’ve seen in any ECM Documentation)

EPICOR IDC Antivirus Directory Exclusion List

Most antivirus software such as McAfee or Windows Defender will scan all the temp directories that Epicor IDC writes files to while work in progress. Excluding the following directories and their subdirectories in the antivirus scanning software will improve the performance of system (if they exist on the system).

C:\Users\Public\Epicor IDC
C:\Program Files (x86)\Epicor IDC
(C:\Program Files (x86)\DocStar IDC - if upgraded over existing installation)
Any EPICOR IDC import / export folders

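Added example (not part of the original posts or Epicor's documentation): one way to apply the directories quoted above as Microsoft Defender path exclusions, skipping any that do not exist, and then listing broad write access on each excluded folder, since those folders are no longer scanned. The `D:\IDC\Import` entry is a hypothetical placeholder for a site's own import / export folders.

```powershell
# Added example: apply the IDC v9.11 directory exclusions to Microsoft Defender.
# Run in an elevated PowerShell session on the machine where IDC is installed.

# Paths quoted from the IDC v9.11 upgrade notes in the post above.
$candidates = @(
    'C:\Users\Public\Epicor IDC',
    'C:\Program Files (x86)\Epicor IDC',
    'C:\Program Files (x86)\DocStar IDC'   # only present if upgraded over an existing install
)
# Site-specific import / export folder: hypothetical placeholder, replace with your own.
$candidates += 'D:\IDC\Import'

# Exclusions already configured (may be empty).
$current = @((Get-MpPreference).ExclusionPath)
$writeData = [System.Security.AccessControl.FileSystemRights]::WriteData

foreach ($path in $candidates) {
    # The upgrade notes say to exclude the directories only "if they exist on the system".
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Host "skip (not present): $path"
        continue
    }

    if ($current -contains $path) {
        Write-Host "already excluded:   $path"
    } else {
        # A path exclusion covers the folder and its subdirectories.
        Add-MpPreference -ExclusionPath $path
        Write-Host "excluded:           $path"
    }

    # Excluded folders are not scanned, so report Allow entries that give
    # broad groups the right to create files there.
    (Get-Acl -LiteralPath $path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $writeData) -ne 0) -and
            $_.IdentityReference.Value -match 'Users|Everyone|INTERACTIVE'
        } |
        ForEach-Object {
            Write-Host "  broad write access: $($_.IdentityReference.Value) ($($_.FileSystemRights))"
        }
}
```

The same path list can be entered in an EDR console's exclusion policy instead; the write-access report is useful either way for deciding whether to tighten the folder ACLs.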

Great Endpoint and Email security is key. If you create the images - they are (should be) safe. If you receive images - make sure they are safe before ECM processes them.

We can get into some zero-trust and behavior-based defense strategy discussions here, but generally speaking:

  • all ECM disk activity is simply creating/moving/deleting files which is rarely considered an adverse behavior, so behavior-based AV programs will not have an issue with it (nothing is being executed)
  • good endpoint AV will prevent any bad PDF files from getting around, BUT
  • PDFs can contain links to bad URLs - that can do damage - and those would not be caught in the manipulations of the PDF itself.
  • all of the ECM config/system data is written in the SQL database or the Web config file (text) which would not be analyzed for executable payloads