Recommended antivirus exclusions, firewall setup and UAC settings for MassLynx - WKB21150
OBJECTIVE or GOAL
List of the MassLynx folders that should be excluded from real-time antivirus scanning.
ENVIRONMENT
- MassLynx
- Antivirus software - all vendors
PROCEDURE
Waters recommends the following:
- Exclude all files that have the Waters digital signature from real-time scanning.
- If possible, also exclude the following folders:
 C:\MassLynx and sub-folders
 C:\Program Files (x86)\Waters Instruments
 Any folder where MassLynx projects are stored.
- Exclude C:\OALogin if OALogin is in use.
- Exclude C:\OAToolkit if OAToolkit is in use. 
- Full antivirus scans should be scheduled for times when samples are not being run on the instrument.
- Disable real-time automatic antivirus updates and configure Windows so that the user is alerted to download and install antivirus updates manually. Only download and install antivirus updates (including definitions updates) when not acquiring data.
ADDITIONAL INFORMATION
Anti-Virus Software
MassLynx is tested with Cortex XDR Advanced Endpoint Protection Enabled (Anti-Exploit and Anti-Malware Protection), as specified in the SCN release notes.
If the customer is using Cortex XDR, all files that have been signed with the Waters digital signature must be excluded from scanning.
If Symantec Endpoint is being used, turn off 'Network Threat Protection'.
If Trend Micro OfficeScan is being used, de-select 'Behaviour Monitoring'.
In addition to the exclusions mentioned above, exclude the following folders from anti-virus scans if these applications are installed:
- C:\PLGS3.0.3\ (or other version of PLGS as appropriate)
- C:\Program Files (x86)\Nonlinear Dynamics\
- C:\Program Files\Waters\ (this includes the DynamX installation folder)
- C:\BiopharmaLynx1.3.x\
- C:\Driftscope\
- C:\MSeDataviewer\
- C:\MassFragment\
- The locations of all PLGS3 databases, including C:\ProgramData\Waters\
Note: Some customers tell us that they are unable to schedule a full virus scan for times when data are not being acquired. The response to these customers is that an anti-virus scan puts considerable stress on the CPU and hard drive of the instrument PC. We do not test our instrument PCs to validate that they perform correctly under such an additional load. Therefore, this is a risk that the customer must be made aware of.
Note: In some cases, it is necessary to completely remove the AV software in order to install MassLynx software. Once MassLynx has been installed, re-install the AV software then configure the above exceptions.
Waters is not responsible for installing and maintaining AV software on customer workstations. If the customer wishes to connect the workstation to the domain and install AV software, that is their responsibility. Waters can provide general advice on the setup of AV software, but we cannot test every type of AV software that is on the market with MassLynx.
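The following read-only check compares the folders listed in this article with the folder exclusions currently configured, so gaps show up after an AV re-install or policy change. It is an added example, not Waters code, and assumes Microsoft Defender is the AV product (other vendors need their own console or CLI). It covers folder exclusions only, not the signature-based exclusion, and does not evaluate wildcard exclusions.

```powershell
# Added example, read-only. Assumption: Microsoft Defender is the AV product.
# Run elevated: a non-administrator session cannot read the exclusion list.

# Folders named in this article. Wildcards stand in for version-specific names.
$patterns = @(
    'C:\MassLynx',
    'C:\Program Files (x86)\Waters Instruments',
    'C:\OALogin',
    'C:\OAToolkit',
    'C:\PLGS*',
    'C:\Program Files (x86)\Nonlinear Dynamics',
    'C:\Program Files\Waters',
    'C:\BiopharmaLynx*',
    'C:\Driftscope',
    'C:\MSeDataviewer',
    'C:\MassFragment',
    'C:\ProgramData\Waters'
    # Add the site's MassLynx project folders here.
)

# Normalise configured exclusions for case-insensitive prefix matching.
$configured = @((Get-MpPreference).ExclusionPath |
    Where-Object { $_ -match '^[A-Za-z]:\\' } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() })

$report = foreach ($pattern in $patterns) {
    # Only folders that exist on this PC need an exclusion.
    $dirs = @(Get-Item -Path $pattern -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    foreach ($dir in $dirs) {
        $key = $dir.FullName.TrimEnd('\').ToLowerInvariant()
        # Covered when the folder itself or one of its parents is excluded.
        $hit = @($configured | Where-Object { $key -eq $_ -or $key.StartsWith("$_\") })
        [pscustomobject]@{
            Folder     = $dir.FullName
            Excluded   = ($hit.Count -gt 0)
            ExcludedBy = ($hit -join '; ')
        }
    }
}

$report | Sort-Object Excluded, Folder | Format-Table -AutoSize
```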
Firewall
Make sure all firewalls are disabled on the Instrument LAN (Public domain), including both the Windows firewall and any proprietary firewall included in the installed security software. Note that in some security software the firewall has a different name; for example, Network Threat Protection in Symantec is effectively a firewall.
- The Windows PC firewall can occasionally be re-enabled by Windows updates, so after every Windows update the firewall should be checked to ensure it is still disabled.
- If there are other firewall restrictions on the customer's network, it may be necessary to configure the firewall to allow all MassLynx-associated processes through, and also Java processes (PLGS and BPL are Java-based), if data is being read or written across the network.
User Account Control
During both the installation and ongoing use of MassLynx, the 'User Account Control Settings' (UAC) slider in the Control Panel > System and Security > Action Centre should be set to the lowest setting (Never Notify). Higher UAC settings stop any account with administrative privileges from being able to run processes with administrator privileges. This can cause problems installing software and/or configuring ACQUITY modules.
Note: Setting the UAC slider in the Windows Control Panel to the lowest setting is equivalent to disabling the following local security policy: 'UAC: Run all administrators in Admin Approval Mode'.
Note: Always reboot the PC after modifying the UAC setting.
MassLynx should be installed as the built-in local Administrator. On a 3rd-party PC, ensure that the following local security policy is disabled, to ensure that the Administrator runs all applications and processes with full administrator privilege:
'UAC: Admin Approval Mode for the built-in Administrator'
This security policy can be found as follows:
- In the Windows Search field, enter 'secpol.msc' and then click on the program 'secpol.msc'.
- Double-click Local Policies
- Double-click Security Options
- Scroll down to 'User Account Control: Admin Approval Mode for the built-in Administrator' and ensure that the policy is disabled.
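A read-only check for the settings described in the Firewall and User Account Control sections, suitable for re-running after each Windows update as the article advises. This is an added example, not Waters code; EnableLUA and FilterAdministratorToken are the standard Windows registry values behind the two named policies, and third-party firewalls are not covered.

```powershell
# Added example, read-only: report the UAC policies and Windows firewall state.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey

$checks = @(
    [pscustomobject]@{
        Setting = 'UAC: Run all administrators in Admin Approval Mode (EnableLUA)'
        Current = "$($uac.EnableLUA)"
        Accept  = @('0')
    },
    # FilterAdministratorToken absent means never configured, which Windows treats as Disabled.
    [pscustomobject]@{
        Setting = 'UAC: Admin Approval Mode for the built-in Administrator (FilterAdministratorToken)'
        Current = "$($uac.FilterAdministratorToken)"
        Accept  = @('0', '')
    }
)

# Map each connected network to the firewall profile that applies to it.
# Only connected interfaces are listed, so run this with the instrument LAN up.
$profiles = Get-NetFirewallProfile
foreach ($nic in Get-NetConnectionProfile) {
    $name = if ($nic.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' }
            else { [string]$nic.NetworkCategory }
    $fw = $profiles | Where-Object { $_.Name -eq $name }
    $checks += [pscustomobject]@{
        Setting = "Windows firewall on '$($nic.InterfaceAlias)' ($name profile enabled)"
        Current = [string]$fw.Enabled
        Accept  = @('False')
    }
}

# One row per setting; AsArticleRequires is False where the PC has drifted.
$checks | ForEach-Object {
    [pscustomobject]@{
        Setting           = $_.Setting
        Current           = if ($_.Current -eq '') { '(not set)' } else { $_.Current }
        AsArticleRequires = $_.Accept -contains $_.Current
    }
} | Format-Table -AutoSize -Wrap
```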