When anti-virus scanners meet monitoring tools

Hi everyone,

I'm a bit curious about the general dependencies of different anti-virus scanners w.r.t. the checkmk agent / monitoring in general, resulting in strange alerting effects and extra work for troubleshooting. At our site we are monitoring dozens of our customers' hosts. Frequently, their security policies or AV behaviour are outside our control. But in this context, we have lately been facing rising alerts because of time-outs due to "missing agent sections", which in turn lead to stale services. Worst of all, we observe rising up/down host notifications as well, with round trip averages beyond good and evil. We can clearly see a relationship between rising RTA and the installation / activation of AV etc.

What are your experiences, solutions or suggestions? I don't expect there is a best-practice approach, except "deactivate the AV"?
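
One way to pin down which sections actually drop out when an AV scanner is active, as an added example that is not part of the original post or of checkmk itself: the script below parses raw agent output (the `<<<section>>>` headers the agent emits), compares a run against a known-good baseline from the same host, and separates sections that never arrive from sections whose header arrives without payload (the usual signature of a plugin that was blocked or timed out mid-run). The `fetch_agent` helper times a full dump over the legacy plain-TCP listener on the agent's default port 6556; that listener being reachable unencrypted is an assumption, and the two sample outputs are constructed, not captured from a real host.

```python
import re
import socket
import time
from typing import Dict, List, Optional, Tuple

# Checkmk agent output is a sequence of sections, each introduced by a
# header such as <<<df>>> or <<<logwatch:sep(0)>>>; every line up to the
# next header belongs to that section. The regex keeps only the section
# name and drops header options like sep(0).
SECTION_RE = re.compile(r"^<<<([A-Za-z0-9_.-]+)(?::[^>]*)?>>>$")


def parse_sections(agent_output: str) -> Dict[str, List[str]]:
    """Split raw agent output into {section_name: [non-empty payload lines]}."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in agent_output.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(raw)
    return sections


def missing_sections(agent_output: str, expected: List[str]) -> List[str]:
    """Sections a healthy run is known to produce but this run lacks entirely."""
    present = set(parse_sections(agent_output))
    return sorted(set(expected) - present)


def empty_sections(agent_output: str) -> List[str]:
    """Headers that arrived with no payload: typically a plugin that was
    blocked or timed out (for example by an on-access scanner) after it
    had already printed its header."""
    return sorted(name for name, lines in parse_sections(agent_output).items()
                  if not lines)


def diff_runs(baseline_output: str, current_output: str) -> Dict[str, List[str]]:
    """Compare a run against a known-good baseline captured on the same host."""
    expected = list(parse_sections(baseline_output))
    return {
        "missing": missing_sections(current_output, expected),
        "empty": empty_sections(current_output),
    }


def fetch_agent(host: str, port: int = 6556, timeout: float = 10.0) -> Tuple[float, str]:
    """Pull one full agent dump over TCP and return (seconds, output).
    Assumes the legacy unencrypted listener on the default port 6556
    (an assumption; not exercised offline). Rising elapsed time here is
    the per-host counterpart of the rising RTA seen in the monitoring."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        chunks: List[bytes] = []
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    elapsed = time.monotonic() - start
    return elapsed, b"".join(chunks).decode("utf-8", errors="replace")


# Constructed sample dumps (hypothetical values, not from a real host):
# a complete run, and a run cut short after the AV scanner became active.
HEALTHY_OUTPUT = """<<<check_mk>>>
Version: 2.1.0p1
AgentOS: windows
<<<df>>>
C:\\ NTFS 104857600 52428800 52428800 50%
<<<mem>>>
MemTotal: 16777216 kB
MemFree: 8388608 kB
<<<services>>>
wuauserv running/auto
"""

TRUNCATED_OUTPUT = """<<<check_mk>>>
Version: 2.1.0p1
AgentOS: windows
<<<df>>>
<<<mem>>>
MemTotal: 16777216 kB
MemFree: 8388608 kB
"""

if __name__ == "__main__":
    # Offline demonstration: df arrived without payload, services never arrived.
    print(diff_runs(HEALTHY_OUTPUT, TRUNCATED_OUTPUT))
```

Capture a baseline dump while the scanner is disabled (or before it is rolled out), then feed later dumps through `diff_runs`; a section that is reliably "empty" under AV load points at one specific agent plugin to look at, which narrows the conversation with the customer's security team far more than a generic "missing agent sections" alert.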

Ask everyone for test systems as a reference and test every check.

Yes, a very strict approach.
However, very time-consuming and elaborate in practice. I can't imagine most users will show up with such a sophisticated testing environment, though.

And BTW, it's not the checks within checkmk, I guess; it's more or less the rigorous behaviour of some AV scanners, including their usage of computing power...

Then try to monitor the log files of the scanner for first hints.
Our customers' servers normally have no scanners because they cause tons of problems.
Protection is organized by strict rules and access management.