Skip to main content

Recommended antivirus exclusions, firewall setup and UAC settings for MassLynx - WKB21150

Article number: 21150


List of the MassLynx folders that should be excluded from real-time antivirus scanning.


  • MassLynx
  • Antivirus software - all vendors


Waters recommends the following:

  • Full antivirus scans should be scheduled for times when samples are not being run on the instrument.
  • Exclude the following folders from real-time scanning:
    C:\MassLynx - and all its subfolders
    C:\OALogin (if OALogin is in use)
    C:\OAToolkit (If OAToolkit is in use)
    and any other application folders such as TargetLynx etc
    C:\program files (x86)\Waters instruments
    C:\program files (x86)\Micromass utilities
    And any folder where MassLynx projects are stored.
  • Disable real-time automatic antivirus updates and configure Windows so that the user is alerted to download and install antivirus updates manually. Only download and install antivirus updates (including definitions updates) when not acquiring data.


Anti-Virus Software

MassLynx is tested with either the current version of Symantec Endpoint Protection or (from 2021) or with Cortex XDR Advanced Endpoint Protection Enabled (Anti-Exploit and Anti-Malware Protection), as specified in the SCN release notes.

For Symantec Endpoint, turn off 'Network Threat Protection'.

If Trend micro Officescan is being used, de-select 'Behaviour Monitoring'.  

Depending on what applications are installed, exclude the following folders from antivirus scans, in addition the folders listed above:

  • C:\PLGS3.0.3\ (or other version of PLGS as appropriate)
  • C:\Program Files (x86)\Nonlinear Dynamics\
  • C:\Program Files\Waters\ (this includes the DynamX installation folder)
  • C:\BiopharmaLynx1.3.x\
  • C:\Driftscope\
  • C:\MSeDataviewer\
  • C:\OALogin\
  • C:\MassFragment\
  • The locations of all PLGS3 databases, including C:\ProgramData\Waters\


Note: Some customers tell us that they are unable to schedule full virus scan for times when data are not being acquired. The response to these customers is that an anti-virus scan puts considerable stress on the CPU and hard drive of the instrument PC. We do not test our instrument PCs to validate that they perform correctly under such an additional load. Therefore this is a risk that the customer must be made aware of.

Note: In some cases, it is necessary to completely remove the AV software in order to install MassLynx software. Once MassLynx has been installed, then configure the above exceptions.



Make sure all firewalls are disabled on the instrument LAN, including both the Windows firewall and any proprietary firewall included in the security software installed. Note that in some security software the firewall has a different name, for example Network Threat Protection in Symantec is effectively a firewall.

  • The Windows PC firewall can occasionally be re-enabled by windows updates, so after every Windows update the firewall should be checked to ensure it is still disabled.
  • If there are other firewall restrictions on the customer's network it may be necessary to configure the firewall to allow all MassLynx associated processes through, and also java processes (PLGS and BPL are java based), if data is being read / written across the network.


User Account Control

During both the installation and ongoing use of MassLynx, the 'User Account Control Settings' (UAC) slider in the Control Panel > System and Security > Action Centre should be set to the lowest setting. Higher UAC settings stop any account with administrative privileges being able run processes with administrator privileges. This can cause problems installing software and / or configuring ACQUITY modules.

Note: Setting the UAC slider in the Windows Control Panel to the lowest setting is equivalent to disabling the following local security policy: 'UAC: Run all administrators in Admin Approval Mode'.
Note: Always reboot the PC after modifying the UAC setting.

MassLynx should be installed as the built in local Administrator. On a 3rd-party PC, ensure that the following local security policy is disabled, to ensure that the Administrator runs all applications and processes with full administrator privilege: UAC: Admin Approval Mode for the built-in Administrator’

This security policy can be found as follows:

  • In the Windows Search field, enter 'secpol.msc' and then click on the program 'secpol.msc'.
  • Double-click Local Policies
  • Double-click Security Options
  • Scroll down to 'User Access Control: Admin Approval Mode for the built-in Administrator’ and ensure that the group policy is disabled.







Not able to find a solution? Click here to request help.