Antivirus and access controls
Your enterprise environment might include factors that can interfere with the correct operation of OpenFin software. These include domains that users are blocked from accessing and antivirus software.
Allowing access to OpenFin domains
To run an OpenFin application, the user must be able to access both the Application Provider’s and OpenFin’s domains. The following is a list of domains to allow access to:
- app provider's domain
- app-directory.openfin.co (for RVM 7.1 or lower)
- cdn.openfin.co
- config.openfin.co (starting with RVM 8.0)
- dl.openfin.co
- ingest.openfin.co
- install.openfin.co
- of.os.openfin.co
- start.openfin.co
- workspace.openfin.co (required for OpenFin Workspace, Notification Center)
You can use a match pattern to allow the dl, cdn, install, and app-directory subdomains for OpenFin. For example, using *.openfin.co allows all of these domains, eliminating the need to list them individually. This method also works for the app provider domain if several domains or subdomains exist. A match pattern lets an application provider cover a group of domains or subdomains with a single allowed entry.
Warning
If you are using a match pattern, you must still allow ingest.openfin.co individually, as this domain is not covered by the match pattern. The subdomain ingest.openfin.co is used for RVM analytics. Read more about RVM.
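The following is an added example, not OpenFin code, that audits a proxy or firewall allowlist against the domain list and warning above. The function names, the shell-style wildcard semantics (`*` may span several labels) and the `example.com` application domain are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Domains from the list above that every deployment needs.
ALWAYS = ["cdn.openfin.co", "dl.openfin.co", "ingest.openfin.co",
          "install.openfin.co", "of.os.openfin.co", "start.openfin.co"]
# Per the warning above, a match pattern does not cover this host.
EXPLICIT_ONLY = {"ingest.openfin.co"}


def required_domains(rvm_version, app_domains, uses_workspace=False):
    """Hosts a client must reach; rvm_version is a (major, minor) tuple."""
    major_minor = tuple(rvm_version[:2])
    needed = list(app_domains) + ALWAYS
    if major_minor <= (7, 1):        # "for RVM 7.1 or lower"
        needed.append("app-directory.openfin.co")
    if major_minor >= (8, 0):        # "starting with RVM 8.0"
        needed.append("config.openfin.co")
    if uses_workspace:               # Workspace, Notification Center
        needed.append("workspace.openfin.co")
    return needed


def is_allowed(host, allowlist):
    """True if host has an exact entry or, where permitted, a wildcard match."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.strip().lower()
        if entry == host:
            return True
        # Assumed semantics: shell-style pattern, '*' spans multiple labels.
        if host not in EXPLICIT_ONLY and "*" in entry and fnmatchcase(host, entry):
            return True
    return False


def missing_domains(allowlist, rvm_version, app_domains, uses_workspace=False):
    """Required hosts that the allowlist does not yet permit."""
    needed = required_domains(rvm_version, app_domains, uses_workspace)
    return [h for h in needed if not is_allowed(h, allowlist)]


if __name__ == "__main__":
    # Constructed sample: wildcard entries only, no explicit ingest entry.
    sample = ["*.openfin.co", "*.apps.example.com"]
    print(missing_domains(sample, (8, 0), ["desk.apps.example.com"], True))
```

Check how your own proxy interprets wildcards before relying on the result; some products match only a single label for `*`.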
Additional information
By default, OpenFin installs the RVM and Runtime to the user’s home directory under the following locations:
- Windows XP: %USERNAME%\Local Settings\Application Data\OpenFin
- Windows 7, 8, & 10: %LOCALAPPDATA%\OpenFin
Security or antivirus software
OpenFin uses behavior that is sometimes flagged as suspicious by antivirus software.
In particular, OpenFin is built on the Chromium project, which includes the Chromium Sandbox; the sandbox runs its renderer process at a low integrity level. OpenFin’s browser process also runs in the same Chromium Sandbox and therefore inherits the same low integrity level for its processes.
Common behaviors
Antivirus software providers have been known to use the low integrity level as a simplistic way to identify “virus-like” behavior. In these cases, the two most commonly seen side effects occur when the antivirus software does the following:
- Terminates the renderer process
- Impacts application performance while a scan is actively running
[01/01/2018 01:01:01]-[FATAL:sandbox_win.cc(486)] Check failed:
!(basic_info.GrantedAccess & kDangerousMask). You are
attempting to duplicate a privileged handle into a sandboxed process.
Please contact [email protected] for assistance.
Note
If something in the environment appears to be affecting OpenFin software, it is worth ruling out your antivirus software.
OpenFin steps
Where this has been the case, OpenFin has worked with its customers to detect why their antivirus provider is negatively impacting their applications. Given the vast number of antivirus providers, possible configurations, and variable causes, OpenFin customers (and their customers, such as external deployments) have found a preferred approach for sorting through their antivirus environment issues: adding OpenFin.exe to the list of applications that are allowed to operate without interference.
Virus scans and signatures
Additionally, OpenFin uses VirusTotal for virus detection in its automated build process for each new version of OpenFin. We provide scan results on our versions page. Executables are digitally signed and have a valid certificate from Comodo. OpenFin’s CDN uses an SSL connection to protect against attacks that target downloads.
Antivirus providers
OpenFin works with antivirus software vendors to allow the openfin.exe process and installer to eliminate false positives; that is, incidents where antivirus programs mistake OpenFin and the Chromium Sandbox for malicious code. Elimination of all antivirus false positives is a complicated problem due to the sheer number of security configurations within financial institutions.
Recommendations
OpenFin recommends asking clients prior to installation whether they use any type of security or antivirus software. Validate that the OpenFin software can run without issue within a customer's environment. If any of the above behaviors are found, OpenFin recommends allowing the openfin.exe processes and certificates in the security software.