Antivirus and access controls
Your enterprise environment might include factors that can interfere with the correct operation of OpenFin software. These include domains that users are blocked from accessing and antivirus software.
Allowing access to OpenFin domains
To run an OpenFin application, the user must be able to access both the Application Provider’s and OpenFin’s domains. The following is a list of domains to allow access to:
- app provider's domain
- app-directory.openfin.co (for RVM 7.1 or lower)
- config.openfin.co (starting with RVM 8.0)
- workspace.openfin.co (required for OpenFin Workspace, Notification Center)
You can use a match pattern to allow the app-directory subdomains for OpenFin. For example, using *.openfin.co allows all of these domains, eliminating the need to list them individually. This method also works for the app provider domain if several domains or subdomains exist. Using a match pattern lets an application provider allow a group of domains or subdomains together.
If you are using a match pattern, you must still allow ingest.openfin.co individually, as this domain is not covered by the match pattern. The subdomain ingest.openfin.co is used for RVM analytics. Read more about RVM.
By default, OpenFin installs the RVM and Runtime to the user’s home directory under the following locations:
%USERNAME%\Local Settings\Application Data\OpenFin
Windows 7, 8, & 10:
Security or antivirus software
OpenFin uses behavior that is sometimes flagged as suspicious by antivirus software.
In particular, OpenFin is built on the Chromium project, which includes the Chromium Sandbox, which runs its renderer process at a low integrity level. OpenFin’s browser process is also run in the same Chromium Sandbox and therefore inherits the same low integrity level for its processes.
Antivirus software providers have been known to use the low integrity level as a simplistic way to identify “virus-like” behavior. In these cases, the two most commonly seen side effects occur when the antivirus software does the following:
- Terminates the renderer process
- Impacts application performance while a scan is actively run
[01/01/2018 01:01:01]-[FATAL:sandbox_win.cc(486)] Check failed: !(basic_info.GrantedAccess & kDangerousMask). You are attempting to duplicate a privileged handle into a sandboxed process. Please contact [email protected] for assistance.
If something in the environment appears to be affecting OpenFin software, it is worth ruling out your antivirus software.
Where this has been the case, OpenFin has worked with its customers to detect why their antivirus provider is negatively impacting their applications. Given the vast number of antivirus providers, possible configurations, and variable causes, OpenFin customers (and their customers, such as external deployments) have found a preferred approach for sorting through their antivirus environment issues. This approach is to add OpenFin.exe to the list of applications that are allowed to operate without interference.
Virus scans and signatures
Additionally, OpenFin leverages VirusTotal for virus detection in its automated build process for each new version of OpenFin. We provide scan results on our versions page. Executables are digitally signed and have a valid certificate from Comodo. OpenFin’s CDN uses an SSL connection to protect against attacks that target downloads.
OpenFin works with antivirus software vendors to allow the openfin.exe process and installer to eliminate false positives; that is, incidents where antivirus programs mistake OpenFin and the Chromium Sandbox for malicious code. Elimination of all antivirus false-positives is a complicated problem due to the sheer number of security configurations within financial institutions.
OpenFin recommends asking clients prior to installation if they use any type of security or antivirus software. Validate that the OpenFin software can run without issue within a customer's environment. If any of the above behaviors are found, OpenFin recommends allowing the openfin.exe processes and certificates with the security software.
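Before adding an allow rule, it is worth confirming that the executables on disk carry the valid digital signature described above, since the default install location is inside the user's home directory. The following PowerShell script is an added example, not OpenFin tooling: the -InstallRoot value and the -ExpectedSigner substring are assumptions that you supply and confirm for your own environment.

```powershell
# Added example (not OpenFin's own code). Reports the Authenticode status and
# signer of every .exe under the OpenFin install directory, so an antivirus
# allow rule can be tied to a verified signer instead of a bare file path.
param(
    # Assumption: the OpenFin install directory for your Windows version.
    [Parameter(Mandatory = $true)]
    [string]$InstallRoot,

    # Assumption: substring expected in the signer certificate subject.
    # Confirm the exact subject against a known-good download first.
    [string]$ExpectedSigner = 'OpenFin'
)

function Test-ExecutableSignature {
    param([string]$Root, [string]$Signer)

    Get-ChildItem -Path $Root -Recurse -Include *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = ''
            $thumbprint = ''
            if ($sig.SignerCertificate) {
                $subject = $sig.SignerCertificate.Subject
                $thumbprint = $sig.SignerCertificate.Thumbprint
            }
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer     = $subject
                Thumbprint = $thumbprint
                # Trusted only if the signature validates AND the signer matches.
                Trusted    = ($sig.Status -eq 'Valid') -and ($subject -like "*$Signer*")
            }
        }
}

$results = @(Test-ExecutableSignature -Root $InstallRoot -Signer $ExpectedSigner)
$results | Sort-Object Trusted, Path |
    Format-Table -AutoSize Trusted, Status, Signer, Thumbprint, Path

# A non-zero exit code lets a deployment script stop before exclusions are added.
$untrusted = @($results | Where-Object { -not $_.Trusted })
if ($untrusted.Count -gt 0) {
    Write-Warning "$($untrusted.Count) executable(s) are unsigned, tampered, or signed by an unexpected publisher."
    exit 1
}
```

Where the security product supports it, a publisher or certificate rule built from the reported signer is narrower than a path exclusion, because any file a user writes into that directory would otherwise inherit the exclusion.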