Configure antivirus exceptions for Agent Client Collector - Support and Troubleshooting

Configure antivirus exceptions for Agent Client Collector Summary .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } .kb-wrapper{font-family:'Lato',sans-serif;font-size:12pt;line-height:1.7;color:#000;max-width:100%} .kb-wrapper p{margin:0 0 12px 0} .kb-wrapper ul{margin:0 0 12px 0;padding-left:24px} .kb-wrapper li{margin-bottom:8px} .kb-wrapper code{background:#e6f0f5;color:#032D42;border:1px solid #b8cfd8;padding:1px 4px;border-radius:3px;font-family:monospace;font-size:11pt} Learn how to configure antivirus exceptions for Agent Client Collector (ACC) to prevent endpoint security tools from blocking ACC operations on Windows, Linux, and macOS.

ACC binaries fall into two categories that may require antivirus exceptions:

Installer-delivered binaries — The ACC main binary and embedded Ruby interpreter are installed by the platform installer (MSI on Windows, RPM or DEB on Linux, PKG on macOS). Antivirus products should allow these signed binaries, but application control tools may block them without explicit exceptions. Agent-downloaded binaries — The osquery binary (osqueryi) is not included in the installation package. After ACC first connects to the ServiceNow instance, the agent downloads it and places it in the cache directory. Because it arrives in a writable directory after installation, application control tools and antivirus products that monitor new executables routinely block it. Facts .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } .kb-wrapper{font-family:'Lato',sans-serif;font-size:12pt;line-height:1.7;color:#000;max-width:100%} .kb-wrapper ul{margin:0 0 12px 0;padding-left:24px} .kb-wrapper li{margin-bottom:8px} Applies to Agent Client Collector (ACC) on Windows, Linux, and macOS osqueryi is absent from a freshly installed agent — it is downloaded from the ServiceNow instance on the agent's first policy sync Admin access to the endpoint security tool is required to configure exclusions Release .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } .kb-wrapper{font-family:'Lato',sans-serif;font-size:12pt;line-height:1.7;color:#000;max-width:100%} .kb-wrapper p{margin:0 0 12px 0} All versions

Instructions .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } .kb-wrapper{font-family:'Lato',sans-serif;font-size:12pt;line-height:1.7;color:#000;max-width:100%} .kb-wrapper p{margin:0 0 12px 0} .kb-wrapper ul{margin:0 0 12px 0;padding-left:24px} .kb-wrapper li{margin-bottom:8px} .kb-wrapper h2{font-size:14pt;font-weight:900;border-bottom:2px solid #e8fce4;padding-bottom:4px;margin:28px 0 10px 0} .kb-wrapper h3{font-size:12pt;font-weight:900;border-bottom:2px solid #e8fce4;padding-bottom:4px;margin:20px 0 8px 0} .kb-wrapper .note{border-left:4px solid #52B8FF;background:#e6f4ff;padding:10px 14px;margin:14px 0} .kb-wrapper code{background:#e6f0f5;color:#032D42;border:1px solid #b8cfd8;padding:1px 4px;border-radius:3px;font-family:monospace;font-size:11pt} .kb-wrapper table{width:100%;border-collapse:collapse;margin:14px 0;font-size:12pt} .kb-wrapper th{background:#032D42;color:#fff;padding:9px 12px;text-align:left;font-weight:700} .kb-wrapper td{padding:8px 12px;border-bottom:1px solid #ddd;vertical-align:top} .kb-wrapper tr:nth-child(even) td{background:#e8fce4} To configure antivirus exceptions for ACC, identify your operating system and add the listed paths to your endpoint security tool's exclusion list.

Windows Executable paths Binary Path Main agent binary C:\Program Files\ServiceNow\agent-client-collector\bin\acc.exe Ruby interpreter C:\Program Files\ServiceNow\agent-client-collector\embedded\bin\ruby.exe osqueryi C:\ProgramData\ServiceNow\agent-client-collector\cache\osquery\bin\osqueryi.exe Directory exclusions If your antivirus product supports directory-level exclusions, adding both root directories below covers all present and future plugin binaries without requiring per-binary updates as ACC upgrades:

C:\Program Files\ServiceNow\agent-client-collector\ C:\ProgramData\ServiceNow\agent-client-collector\ Additional notes osqueryi.exe is absent from a fresh installation. The agent downloads it on the first policy sync after connecting. Add the exclusion before ACC first connects, or immediately after.

Exclude %TEMP%\.osquery\ from real-time scanning. Antivirus scanning of this directory causes check timeouts. Linux Executable paths Binary Path Main agent binary /usr/share/servicenow/agent-client-collector/bin/acc Service wrapper /usr/share/servicenow/agent-client-collector/bin/acc-service Ruby interpreter /usr/share/servicenow/agent-client-collector/embedded/bin/ruby osqueryi /var/cache/servicenow/agent-client-collector/osquery/bin/osqueryi Additional notes Exclude /tmp/.osquery/ from real-time scanning. macOS Executable paths Binary Path Main agent binary /opt/servicenow/agent-client-collector/bin/acc Service wrapper /opt/servicenow/agent-client-collector/bin/acc-service Ruby interpreter /opt/servicenow/agent-client-collector/embedded/bin/ruby osqueryi /opt/servicenow/agent-client-collector/cache/osquery/bin/osqueryi Additional notes Exclude /tmp/.osquery/ from real-time scanning. Endpoint security tools on macOS (such as CrowdStrike Falcon, SentinelOne, and Jamf Protect) may quarantine osqueryi because it arrives as a network-downloaded binary in the cache directory. Add the cache directory to the tool's allow list before ACC first connects. All platforms: exception paths reference Platform Binary Path Windows Main agent C:\Program Files\ServiceNow\agent-client-collector\bin\acc.exe Windows Ruby interpreter C:\Program Files\ServiceNow\agent-client-collector\embedded\bin\ruby.exe Windows osqueryi C:\ProgramData\ServiceNow\agent-client-collector\cache\osquery\bin\osqueryi.exe Linux Main agent /usr/share/servicenow/agent-client-collector/bin/acc Linux Service wrapper /usr/share/servicenow/agent-client-collector/bin/acc-service Linux Ruby interpreter /usr/share/servicenow/agent-client-collector/embedded/bin/ruby Linux osqueryi /var/cache/servicenow/agent-client-collector/osquery/bin/osqueryi macOS Main agent /opt/servicenow/agent-client-collector/bin/acc macOS Service wrapper /opt/servicenow/agent-client-collector/bin/acc-service macOS Ruby interpreter /opt/servicenow/agent-client-collector/embedded/bin/ruby macOS osqueryi /opt/servicenow/agent-client-collector/cache/osquery/bin/osqueryi Related Links .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } .kb-wrapper{font-family:'Lato',sans-serif;font-size:12pt;line-height:1.7;color:#000;max-width:100%} .kb-wrapper p{margin:0 0 12px 0} .kb-wrapper ul{margin:0 0 12px 0;padding-left:24px} .kb-wrapper li{margin-bottom:8px} .kb-wrapper .warning{border-left:4px solid #e6a817;background:#fff4e0;padding:10px 14px;margin:14px 0} .kb-wrapper a{color:var(--now-color--link-primary,#00718F)} Preparing for Agent Client Collector implementation