Antivirus and access controls

Your enterprise environment might include factors that can interfere with the correct operation of OpenFin software. These include domains that users are blocked from accessing and antivirus software.

Allowing access to OpenFin domains

To run an OpenFin application, the user must be able to access both the Application Provider’s and OpenFin’s domains. The following is a list of domains to allow access to:

  • app provider's domain
  • dl.openfin.co
  • cdn.openfin.co
  • install.openfin.co
  • app-directory.openfin.co
  • ingest.openfin.co
  • of.os.openfin.co
  • start.openfin.co
  • workspace.openfin.co (required for OpenFin Workspace, Notification Center)

You can use a match pattern to allow the dl, cdn, install, and app-directory subdomains for OpenFin. For example, using *.openfin.co allows all of these domains, eliminating the need to list them individually. This method also works for the app provider domain if several domains or subdomains exist. Using a match pattern permits an application provider to group allowed domains for a group of domains/subdomains.

❗️

Warning

If you are using a match pattern, it is still required to allow ingest.openfin.co individually, as this domain is not assimilated with the match pattern. the subdomain ingest.openfin.co is used for RVM analytics. Read more about RVM analytics here.

Additional information

By default, OpenFin installs the RVM and Runtime to the user’s home directory under the following locations:

Windows XP: %USERNAME%\Local Settings\Application Data\OpenFin
Windows 7, 8, & 10: %LOCALAPPDATA%\OpenFin

Security or antivirus software

OpenFin uses behavior that is sometimes flagged as suspicious by antivirus software.
In particular, OpenFin is built on the Chromium project, which includes the Chromium Sandbox, which runs its renderer process in low level integrity. OpenFin’s browser process is also run in the same Chromium Sandbox and therefore inherits the same low level integrity for its processes.

Common Behaviors

Antivirus software providers have been known to use the low level integrity as a simplistic approach to identify “virus like” behavior. In these cases, the two most commonly seen side effects are the when the antivirus provider software does the following:

  • Terminates the renderer process
  • Impacts application performance while a scan is actively run
[01/01/2018 01:01:01]-[FATAL:sandbox_win.cc(486)] Check failed: !(basic_info.GrantedAccess & kDangerousMask). You are attempting to duplicate a privileged handle into a sandboxed process.
 Please contact [email protected] for assistance.

📘

Note

If something in the environment appears to be affecting OpenFin software, it is worth ruling out your antivirus software.

OpenFin steps

Where this has been the case, OpenFin has worked with its customers to detect why their antivirus provider is negatively impacting their applications. Given the vast number of antivirus providers, possible configurations, and variable causes, OpenFin customers (and their customers, such as external deployments) have found that a preferred approach for sorting through their antivirus environment issues. This approach is to add OpenFin.exe to the list of applications that is allowed to operate without interference.

Virus scans and signatures

Additionally, OpenFin leverages VirusTotal for virus detection in its automated build process for each new version of OpenFin. We provide scan results on our versions page. Executables are digitally signed and have a valid certificate from Comodo. OpenFin’s CDN uses a SSL connection to protect from security attacks that target downloads.

Antivirus providers

OpenFin works with antivirus software vendors to allow the openfin.exe process and installer to eliminate false positives; that is, incidents where antivirus programs mistake OpenFin and the Chromium Sandbox for malicious code. Elimination of all antivirus false-positives is a complicated problem due to the sheer number of security configurations within financial institutions.

Recommendations

OpenFin recommends asking clients prior to installation if they use any type of security or antivirus software. Validate that the OpenFin software can run without issue within a customers environment. If any of the above behaviors are found, OpenFin recommends allowing the openfin.exe processes and certificates with the security software.


Did this page help you?