Antivirus and access controls

Your enterprise environment might include factors that can interfere with the correct operation of Here Core software. These include domains that users are blocked from accessing and antivirus software.

Allowing access to Here™ domains

To run a Here Core application, the user must be able to access domains of both the application provider and Here™ domains.

The following is a list of domains to allow access to:

• app provider's domain

• app-directory.openfin.co (for RVM 7.1 or lower)

• cdn.openfin.co

• config.openfin.co (starting with RVM 8.0)

• dl.openfin.co

• ingest.openfin.co

• install.openfin.co

• of.os.openfin.co

• start.openfin.co

• workspace.openfin.co (required for Here Core UI Components)

You can use a match pattern to allow the dl, cdn, install, and app-directory subdomains for Here™ domains. For example, using *.openfin.co allows all of these domains, eliminating the need to list them individually. This method also works for the app provider domain if several domains or subdomains exist. Using a match pattern permits an application provider to group allowed domains for a group of domains/subdomains.

🚧 Warning

If you are using a match pattern, you must still allow ingest.openfin.co individually, because this domain is not assimilated with the match pattern. The subdomain ingest.openfin.co is used for RVM analytics. Read more about RVM.

By default, Here Core installs the RVM and Runtime to the user’s home directory under the following locations:

• Windows XP: %USERNAME%\Local Settings\Application Data\OpenFin

• Windows 7, 8, & 10: %LOCALAPPDATA%\OpenFin

Security or antivirus software

Here Core uses behavior that is sometimes flagged as suspicious by antivirus software. In particular, Here Core is built on the Chromium project, which includes the Chromium Sandbox, which runs its renderer process in low level integrity. The Here Core UI Browser process is also run in the same Chromium Sandbox and therefore inherits the same low level integrity for its processes.

Common behaviors

Antivirus software providers have been known to use the low level integrity as a simplistic approach to identify “virus like” behavior. In these cases, the two most commonly seen side effects are the when the antivirus provider software does the following:

• Terminates the renderer process

• Impacts application performance while a scan is actively run

[01/01/2018 01:01:01]-[FATAL:sandbox_win.cc(486)] Check failed: 
!(basic_info.GrantedAccess & kDangerousMask). You are 
attempting to duplicate a privileged handle into a sandboxed process.
 Please contact security@chromium.org for assistance.

📘 Note

If something in the environment appears to be affecting Here Core software, it is worth ruling out your antivirus software.

How Here™ helps

Where this has been the case, Here™ has worked with its customers to detect why their antivirus provider is negatively impacting their applications. Given the vast number of antivirus providers, possible configurations, and variable causes, Here™ customers (and their customers, such as external deployments) have found that a preferred approach for sorting through their antivirus environment issues. This approach is to add OpenFin.exe to the list of applications that is allowed to operate without interference.

Virus scans and signatures

Additionally, Here Core leverages VirusTotal for virus detection in its automated build process for each new version of Here Core Runtime. We provide scan results on our versions page. Executables are digitally signed and have a valid certificate from Comodo. The Here™ CDN uses a SSL connection to protect from security attacks that target downloads.

Antivirus providers

Here™ works with antivirus software vendors to allow the openfin.exe process and installer to eliminate false positives; that is, incidents where antivirus programs mistake Here Core and the Chromium Sandbox for malicious code. Elimination of all antivirus false-positives is a complicated problem due to the sheer number of security configurations within enterprise institutions.

Recommendations

Here™ recommends asking clients prior to installation if they use any type of security or antivirus software. Validate that the Here Core software can run without issue within a customer's environment. If any of the above behaviors are found, Here™ recommends allowing the openfin.exe processes and certificates with the security software.