Question about whitelisting directories

I have a system that I would like to run elastic endpoint on that has a large network mounted file share.
Every time I install it in the fleet policy, it causes the system to deadlock. I believe this is due to endpoint trying to run a discovery across this large networked filesystem.

How can I prevent elastic endpoint from scanning this directory/mount? Most antiviruses have this feature but I'm having trouble finding documentation around this topic.

Any help would be much appreciated!


Hello,

Could you tell us some basic information about your environment?

  • What kind of OS and version are you using?
  • What kind of network file system is it?
  • Elastic version

Elastic Endpoint won't sift through your files for no reason. When it checks a file, it's because some activity was initiated for it.

By the way, most likely the reason for the deadlock is logged by Endpoint, so could you also attach the log file?
For Linux you can find it at: /opt/Elastic/Endpoint/state/log/
For Windows: C:\Program Files\Elastic\Endpoint\state\log\

CentOS 7.6
LustreFS
Elastic 7.16.3

Additionally, I currently have an unsigned certificate for TLS. This is the beginning section of the log file before I removed the antivirus functionality in a different fleet policy. After removing the antivirus, the endpoint no longer deadlocked.
See log here: state.log - Pastebin.com

This information is very helpful. In fact, we've never seen LustreFS, thus it's possible there is an issue with this file system. We will test it.

In the meantime, we would like to further clarify things:

  • Is the endpoint actually 7.16.3, or older? Could you post the output of the command /opt/Elastic/Endpoint/elastic-endpoint version
  • What do you mean by 'the system deadlocked'? Was the whole system locked so you had to do a reset?

In case of a system deadlock, the full endpoint log up to the point of system reset would be interesting to us.

Yes the endpoint is running 7.16.3. Installed from tarball elastic-agent-7.16.3-linux-x86_64.tar.gz.

When I push a default endpoint integration in a fleet policy, the system load spikes and the CPU usage drops. No additional processes can be created/brought out of sleep. The resultant symptom I noticed first was that I could not SSH into the system. An existing SSH connection would still function, albeit very slowly.
I recovered from this bad state by pushing a policy with the malware protections completely disabled in the endpoint integration. This relieved the system load and I was able to create new SSH sessions etc.

I suppose deadlock may be a bit too severe of a word. The system performance was impaired for sure.

Thank you for the details!

We are working on the fix; it will be included in 7.17.x and newer releases.

Unfortunately, for current versions running on systems with LustreFS mounts, disabling malware protections is necessary.
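A pre-flight check for the condition this thread arrives at (an Endpoint older than 7.17 on a host with a LustreFS mount), as an added example that is not code from the thread or from Elastic. It assumes a mount table in /proc/mounts format and a version string of the form major.minor.patch as printed by `elastic-endpoint version`; the sample mount table is constructed.

```shell
#!/bin/sh
# Added example: flag hosts where the workaround from the thread applies,
# i.e. Elastic Endpoint < 7.17 together with a lustre mount.
# Assumed input formats: /proc/mounts layout and a "7.16.3"-style version.

# Return 0 if any mount in the given mount-table file has fstype "lustre".
has_lustre_mount() {
  # /proc/mounts fields: device mountpoint fstype options dump pass
  awk '$3 == "lustre" { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# Return 0 if version "$1" (major.minor.patch) is older than 7.17.0.
endpoint_older_than_7_17() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2)
  [ "$major" -lt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -lt 17 ]; }
}

# Combine both checks and print the recommendation from the thread.
# Returns 0 when the host is affected, 1 otherwise.
check_host() {
  mounts_file=$1
  version=$2
  if endpoint_older_than_7_17 "$version" && has_lustre_mount "$mounts_file"; then
    echo "affected: disable malware protection in the endpoint integration until 7.17.x"
    return 0
  fi
  echo "not affected"
  return 1
}

# Constructed sample mount table (not taken from a real host).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / xfs rw,relatime 0 0
10.0.0.5@tcp:/fsname /lustre lustre rw,flock 0 0
EOF

# On a real host the version would come from:
#   /opt/Elastic/Endpoint/elastic-endpoint version
# and the mount table from /proc/mounts.
check_host "$SAMPLE_MOUNTS" "7.16.3"
```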
