
Best Practices: Antivirus Configuration on IGEL UMS Server

Introduction

This article provides guidance on how to configure antivirus (AV) software for the IGEL Universal Management Suite (UMS) Server. While antivirus protection is critical for system security, incorrect AV configuration may interfere with UMS operations such as database access, firmware distribution, or device communication. This guide outlines recommended best practices for deploying AV solutions on the UMS host without disrupting core functionality.

Legal Note

  • This article is based on internal IGEL experience and field feedback. It is not a one-size-fits-all solution.

  • You are solely responsible for evaluating, testing (including in pre-production), approving, implementing, and maintaining any changes to your antivirus (AV) solution, allow-lists, exclusions, or other security controls. IGEL does not assume, and expressly disclaims, any responsibility or liability for increased exposure, vulnerabilities, security incidents, non-compliance, degraded protections, data loss, or other adverse outcomes arising from changes you make to your AV or related security posture, whether or not such changes were informed by this guidance.


Environment

  • UMS 12.08 or higher; latest version recommended (for improved AV compatibility)

  • Supported Operating Systems:

    • IGEL UMS is supported on currently maintained versions of Microsoft Windows Server and major Linux distributions. For an up-to-date list, refer to the UMS Release Notes.

  • Database Options:

    • Embedded: Apache Derby (included with UMS)

    • External: For supported versions of PostgreSQL, Oracle, or Microsoft SQL Server, refer to the Universal Management Suite > UMS Release Notes > Notes for Release IGEL UMS > Supported Environment IGEL UMS.

Network Requirements

To ensure successful communication between IGEL UMS, endpoint devices, and the IGEL Cloud Gateway (ICG), proper network access must be configured.


Procedure

  1. Install an Antivirus Solution on the UMS Host

    • If you are using an enterprise-grade antivirus solution, ensure it is fully supported on your selected server operating system and correctly configured to avoid interfering with UMS directories or processes.

    • Ensure that the antivirus engine and its signature database are configured to update automatically, either directly from the vendor or via an internal update server. This guarantees continuous protection without requiring manual updates.

 

  2. Exclude UMS Application and File Transfer Directories

  • To avoid disruptions, exclude the UMS installation and firmware transfer paths from real-time scanning:

    • Windows:
      C:\Program Files\IGEL\RemoteManager\
      Or if you need a more granular configuration:
      C:\Program Files\IGEL\RemoteManager\rmguiserver\webapps\ums_filetransfer\

    • Linux:
      /opt/IGEL/RemoteManager/
      Or if you need a more granular configuration:
      /opt/IGEL/RemoteManager/rmguiserver/webapps/ums_filetransfer/

Real-time scanning of these directories may result in failed firmware updates or delayed device communication.

 

  3. Exclude App Binary Cache

  • Additionally, we recommend excluding the App Binary Cache directory used by the UMS App Proxy service, which stores firmware and package binaries.

    • Windows:
      C:\Program Files (x86)\IGEL\RemoteManager\rmguiserver\persistent\ums-appproxy\files

    • Linux:
      /opt/IGEL/RemoteManager/rmguiserver/persistent/ums-appproxy/files

If the Distributed App Repository option is enabled, we also recommend excluding the corresponding WebDAV directory, as it may contain executable binaries required for proper app delivery.

 

  4. Exclude Database Directories and Processes

  • If the embedded UMS database is in use, exclude its storage directories:

    • Windows:
      C:\Program Files\IGEL\RemoteManager\db\

    • Linux:
      /opt/IGEL/RemoteManager/db/

  • For external databases (e.g., PostgreSQL, Oracle, Microsoft SQL Server), follow the vendor-specific antivirus best practices for process and data directory exclusions. These configurations are highly product-dependent and beyond the scope of this document.

This prevents antivirus software from interfering with database transactions, which could otherwise lead to corruption or service interruptions.

 

  5. Configure Scheduled Scans Carefully

  • Run full-system scans during defined maintenance windows or off-peak hours to minimize impact on UMS server performance.

Real-time protection should remain enabled to maintain security. However, keep in mind that real-time scanning can introduce performance overhead, especially during large firmware transfers or database operations.

  • To mitigate this:

    • Follow your antivirus vendor’s optimization guidelines for excluding low-risk but high-traffic directories (e.g., ums_filetransfer, database paths).

    • Consider performing a risk analysis if your AV product lacks granular tuning options.

    • If performance remains affected, increase server resources (CPU, memory, disk I/O) to handle the AV load.

As we cannot reflect each customer’s environment in this document, it remains the customer’s responsibility to assess and balance performance, protection, and operational reliability in accordance with their specific requirements.

 

  6. Test Antivirus Behavior Before Rollout

    • After configuring exclusions, restart the UMS services (Windows: IGEL RMGUIServer / Linux: igelRMserver) to ensure that they start without delay or error.

    • Validate that critical operations such as firmware distribution, endpoint registration, and database access work as expected with the antivirus enabled.
      This step helps detect misconfigurations before they impact production systems.

 

  7. Monitor and Review Logs Regularly

    • Review antivirus logs to ensure that no UMS-related files or processes are falsely flagged as malicious. Likewise, monitor UMS logs to confirm that there are no disruptions in service.

    • Configure antivirus alerts to notify administrators if actions such as quarantining or blocking occur, allowing quick response before business operations are affected.

 

Notes

  • Ensure consistent AV configurations across all UMS nodes in High Availability (HA) and / or Distributed UMS environments to avoid behavioral drift.

  • When performing UMS upgrades, you may disable real-time AV scanning on the installation path to avoid blocked operations.
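
One way to check the consistency note above: the following added example (not IGEL code) compares exclusion lists exported from each UMS node against the paths listed in this article, reporting required paths that no exclusion covers, exclusions broader than the UMS installation root, and differences between nodes. The node names and sample lists are constructed, and how the lists are exported from the AV product is an assumption left to the reader.

```python
from pathlib import PurePosixPath, PureWindowsPath

# Expected exclusions, copied as this article lists them (granular variants).
BASELINE = {
    "windows": [
        r"C:\Program Files\IGEL\RemoteManager\rmguiserver\webapps\ums_filetransfer",
        r"C:\Program Files (x86)\IGEL\RemoteManager\rmguiserver\persistent\ums-appproxy\files",
        r"C:\Program Files\IGEL\RemoteManager\db",
    ],
    "linux": [
        "/opt/IGEL/RemoteManager/rmguiserver/webapps/ums_filetransfer",
        "/opt/IGEL/RemoteManager/rmguiserver/persistent/ums-appproxy/files",
        "/opt/IGEL/RemoteManager/db",
    ],
}
# Depth of <root>/.../IGEL/RemoteManager; a shallower exclusion is broader than the article's.
INSTALL_ROOT_DEPTH = 4

def parts(path, os_name):
    """Normalize a path: drop trailing separators, fold case on Windows."""
    if os_name == "windows":
        return tuple(p.lower() for p in PureWindowsPath(path).parts)
    return PurePosixPath(path).parts

def audit(exclusions, os_name):
    """Return baseline paths no exclusion covers, and over-broad exclusions."""
    excl = [(e, parts(e, os_name)) for e in exclusions]
    missing = [b for b in BASELINE[os_name]
               if not any(parts(b, os_name)[:len(p)] == p for _, p in excl)]
    too_broad = [e for e, p in excl if len(p) < INSTALL_ROOT_DEPTH]
    return {"missing": missing, "too_broad": too_broad}

def drift(nodes, os_name):
    """Return, per node, the exclusions that are not present on every node."""
    common = set.intersection(*({parts(e, os_name) for e in ex} for ex in nodes.values()))
    out = {n: [e for e in ex if parts(e, os_name) not in common] for n, ex in nodes.items()}
    return {n: d for n, d in out.items() if d}

# Constructed sample: exclusion lists exported from two HA nodes (hypothetical names).
NODES = {
    "ums-node-a": [r"c:\program files\igel\RemoteManager",
                   r"C:\Program Files (x86)\IGEL\RemoteManager\rmguiserver\persistent\ums-appproxy\files"],
    "ums-node-b": [r"C:\Program Files\IGEL\RemoteManager\db", r"C:\Program Files"],
}

if __name__ == "__main__":
    for node, exclusions in NODES.items():
        print(node, audit(exclusions, "windows"))
    print("drift:", drift(NODES, "windows"))
```

The WebDAV directory for the Distributed App Repository is not in the baseline because the article does not give its path; add it to `BASELINE` for environments that use it.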

 

Warnings

  • Do not scan or quarantine UMS database or firmware transfer directories. Doing so may result in service failure, corrupted firmware files, or loss of device connectivity. Always configure the recommended exclusions to prevent these risks.

  • Avoid installing multiple antivirus products on the same UMS host. This can lead to performance degradation, scanning conflicts, or critical system liability. Use a single, well-supported enterprise solution and configure it according to the best practices.
