Avid Endpoint-Security Guidelines

Avid Security Guidelines and Best Practices

ReadMe for Endpoint Security

Endpoint Security Solutions


Endpoint detection and response solutions, such as CrowdStrike® Falcon, offer a different approach to
security than traditional anti-virus applications. While client-based anti-virus solutions protect the local
system, endpoint solutions provide a more holistic approach by protecting the network, all endpoints, and
itself from attacks. Another benefit of this alternative protection method is that the local endpoint agent is
often much less resource intensive than a traditional “thick” anti-virus client — which in turn results in
better performance for other local applications.

To learn more about endpoint security, review the “Fundamentals of Endpoint Protection” on the
CrowdStrike website at: https://www.crowdstrike.com/cybersecurity-101/.

Due to the evolving nature of next-generation Endpoint Detection and Response (EDR), it is imperative
that you follow IT best practices when deploying any security solution on your production environment.
Avid suggests that you test your preferred solution in a controlled environment first, base-line your
performance, and then follow your organization’s change management processes to reduce the risk of
any negative performance or compatibility issues. Regardless of your selection, Avid encourages you to
obtain a service agreement with your security vendor so that you can access their support resources if the
need arises.

Caution: Avid does not recommend, qualify, or certify any specific endpoint protection or anti-virus system
for use with Avid products. As an Avid customer, it is your responsibility to identify, implement, and
qualify the solution of your choice. While this document describes aspects of Avid's internal endpoint
solution vendor (CrowdStrike), this information is not meant to imply any qualification of this system
for Avid customers or products.

Back-End Configuration

Avid adheres to the CrowdStrike Technical Account Management (TAM) team’s best practices when configuring
prevention policy settings. As Avid cannot publicly share this data, customers are encouraged to contact
the CrowdStrike TAM team or their preferred vendor to obtain settings for their organization.

When it comes to software updates, you might consider following an N-1 deployment method in which
systems are divided into two groups: test/lab (N), and production (-1). You can apply the latest updates to
the test group, while the production systems remain one version behind the monthly updates. When the
following month’s updates are released, you can apply them to the test group and configure the system
to automatically push the previous month’s policies to the production systems. This “rolling” deployment
method might work for some organizations, while others might have more stringent change control
policies in which a static version is required. If you are unsure about which deployment policy might work
best for your organization, contact your security provider's representative for additional guidance.

Caution: While Avid makes a best effort to communicate breaking changes, the flexible nature of Avid’s
software offerings makes it impossible to test all potential workflows. Customers must maintain an
awareness of all updates and be responsible for continued testing within their own organization. If
you identify an issue, you might be required to assist in coordinating the efforts of multiple parties —
including your security system provider, your operating system vendor, and/or Avid.

Media Composer

Depending on your endpoint protection system, you might need to create process exclusions for the
following on Microsoft Windows:

• AvidMediaComposer.exe
  Failure to add this exclusion might result in issues during ingest and/or Send to Playback.
• If you installed the Avid NEXIS Client on your Media Composer system, create exclusions for the
  following:
  – AvidMediaComposer.exe
  – AvidLoggingService.exe
  – AvidFos_Service.exe
  – AvidNEXISClientManager.exe
  Failure to add these exclusions might result in poor playback performance from within Media
  Composer for assets located on Avid shared storage, or for assets that you stream using Media
  Composer's NewTek NDI option.

MediaCentral Production Management

Depending on your endpoint protection system, you might need to create an exclusion for the following
process:

• MediaCentral Transcode: TranscodeServiceWorker.exe
  Failure to add this exclusion might result in issues during Send to Playback from Media Composer.

MediaCentral Asset Management

Avid MediaCentral Asset Management uses Internet Information Services (IIS) to serve web pages used in
both administrative and user workflows. During normal system operation, the Avid services use the IIS
worker to spawn sub-processes for certain maintenance tasks — such as an upgrade to .NET Framework,
or the execution of certain Python tasks. When triggered, your endpoint protection system might generate
false positive “Initial Access via Exploit Public-Facing Application” detections. The following illustration
provides an example of a false-positive that was generated by CrowdStrike for Asset Management.

The following list provides additional examples of known flagged processes:

• File name: vcredist-vc11-x64-11.0.61030.0.exe
  File path: \Device\HarddiskVolume2\Windows\Temp\zgfkl1bd.4nq\Runtimes\VS2012\vcredist-vc11-x64-11.0.61030.0.exe
  Command line: "C:\Windows\TEMP\zgfkl1bd.4nq\Runtimes\VS2012\vcredist-vc11-x64-11.0.61030.0.exe" /install /quiet /norestart
• File name: vcredist_x86.exe
  File path: \Device\HarddiskVolume2\Users\svc_usr\AppData\Local\Temp\irb4aofe.lny\Visual C++ Runtime\VS2010\vcredist_x86.exe
  Command line: "C:\Users\svc_usr\AppData\Local\Temp\irb4aofe.lny\Visual C++ Runtime\VS2010\vcredist_x86.exe" /install /quiet
• File name: Transfer.exe
  File path: \Device\HarddiskVolume2\Program Files\Avid\MediaAssetManager\System_Site\EssenceTransferServer\Transfer\Transfer.exe
  Command line: "C:\Program Files\Avid\MediaAssetManager\System_Site\EssenceTransferServer\Transfer\Transfer.exe" -u net.pipe://localhost/<ID>/transferservice -i <ID>

Note: The file path might change for different processes, and new processes might be
flagged as the MediaCentral Asset Management software evolves.

Because these are cloud-based Indicator of Attack (IOA) detections, CrowdStrike does not block the Asset
Management processes by default, so there is no impact to the Avid systems or workflows. However, you can
create exclusions for the Asset Management host servers to quiet these warnings.

To create CrowdStrike exclusions:

1. Log into the CrowdStrike Falcon website and refer to the documentation and CrowdStrike posted
best-practices for creating exclusions. The following link is provided for convenience and could
change without notice:

https://falcon.crowdstrike.com/login/?next=%2Fsupport%2Fdocumentation%2F68%2Fdetection-and-prevention-policies#exclusions

2. Use the CrowdStrike system to create an IOA exclusion.

3. Follow the prompts to add an exclusion to a host group that contains only servers running the Asset
Management software. As shown in the following illustration, you can replace varying 'temp' folders
with a wildcard as these folder names can change frequently.

Note: CrowdStrike might identify false positive warnings with multiple different IOA Names such as
ISSChildWroteAndExecuted & IISWroteAndExecuted for several components like Python and vc_redist.
As such, you might be required to repeat these steps for each warning type.
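
The following is an added example for step 3, not code from Avid or CrowdStrike. It derives a command-line pattern from two of the flagged command lines listed above, wildcarding only the random temp folder, and checks it against constructed look-alike paths that a broad wildcard would also cover. It assumes the exclusion field accepts regular expressions and that the temp folder keeps the 8.3-style shape seen in the samples.

```python
import re

# Command lines of two flagged processes, copied from the list on this page.
FLAGGED = [
    r'"C:\Windows\TEMP\zgfkl1bd.4nq\Runtimes\VS2012\vcredist-vc11-x64-11.0.61030.0.exe" /install /quiet /norestart',
    r'"C:\Users\svc_usr\AppData\Local\Temp\irb4aofe.lny\Visual C++ Runtime\VS2010\vcredist_x86.exe" /install /quiet',
]
# Constructed look-alikes that an exclusion should NOT cover.
LOOKALIKES = [
    r'"C:\Users\Public\Downloads\vcredist_x86.exe" /install /quiet',
    r'"C:\Users\svc_usr\AppData\Local\Temp\irb4aofe.lny\extra\Visual C++ Runtime\VS2010\vcredist_x86.exe" /install /quiet',
]
# Over-broad pattern, shown for contrast only.
LOOSE = r'.*\\vcredist_x86\.exe.*'

# Assumption from the samples: the random folder is one 8.3-style path component.
COMPONENT = r'[a-z0-9]{8}\.[a-z0-9]{3}'
TEMP_DIR = re.compile(r'(?<=\\)' + COMPONENT + r'(?=\\)', re.IGNORECASE)

def to_pattern(cmdline):
    """Escape the command line literally; wildcard only the random temp folder."""
    parts = TEMP_DIR.split(cmdline)
    if len(parts) != 2:
        raise ValueError("expected exactly one random temp folder")
    return COMPONENT.join(re.escape(p) for p in parts)

def matches(pattern, cmdline):
    # fullmatch: extra arguments or a longer path must not slip through.
    return re.fullmatch(pattern, cmdline, re.IGNORECASE) is not None

def audit():
    """Return (pattern, covers_sample, covers_new_folder, lookalike_hits) per sample."""
    rows = []
    for cmd in FLAGGED:
        pat = to_pattern(cmd)
        renamed = TEMP_DIR.sub('q7w8e9r0.abc', cmd)  # constructed folder name
        hits = [l for l in LOOKALIKES if matches(pat, l)]
        rows.append((pat, matches(pat, cmd), matches(pat, renamed), hits))
    return rows

if __name__ == "__main__":
    for pat, ok, ok_new, hits in audit():
        print(ok, ok_new, hits, pat)
    print("loose pattern hits:", [l for l in LOOKALIKES if matches(LOOSE, l)])
```

Run the same check against the command lines from your own detections before saving an exclusion, and keep the exclusion scoped to the host group from step 3.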

Legal Notices
Product specifications are subject to change without notice and do not represent a commitment on the part of Avid Technology, Inc.

This product is subject to the terms and conditions of a software license agreement provided with the software. The product may only be used in accordance
with the license agreement.

This product may be protected by one or more U.S. and non-U.S. patents. Details are available at https://www.avid.com/legal/patent-marking.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for
any purpose without the express written permission of Avid Technology, Inc.

Copyright © 2024 Avid Technology, Inc. and its licensors. All rights reserved.

Portions © Copyright 2003-2007 of MOG Solutions.

Attn. Government User(s). Restricted Rights Legend

U.S. GOVERNMENT RESTRICTED RIGHTS. This Software and its documentation are “commercial computer software” or “commercial computer software
documentation.” In the event that such Software or documentation is acquired by or on behalf of a unit or agency of the U.S. Government, all rights with
respect to this Software and documentation are subject to the terms of the License Agreement, pursuant to FAR §12.212(a) and/or DFARS §227.7202-1(a), as
applicable.

Trademarks

Avid, the Avid Logo, Avid Everywhere, Avid DNXHD, Avid DNXHR, Avid NEXIS, Avid NEXIS | Cloudspaces, AirSpeed, Eleven, EUCON, Interplay, iNEWS, ISIS, Mbox,
MediaCentral, Media Composer, NewsCutter, Pro Tools, ProSet and RealSet, Maestro, PlayMaker, Sibelius, Symphony, and all related product names and
logos, are registered or unregistered trademarks of Avid Technology, Inc. in the United States and/or other countries. The Interplay name is used with the
permission of the Interplay Entertainment Corp. which bears no responsibility for Avid products. All other trademarks are the property of their respective
owners. For a full list of Avid trademarks, see: https://www.avid.com/legal/trademarks-and-other-notices.

Avid Security Guidelines and Best Practices • Revised Wednesday, July 10, 2024 • This document is distributed by Avid in online (electronic)
form only, and is not available for purchase in printed form.
