Antivirus Exclusion Recommendations

SessionLimit 2.2

This document provides recommended antivirus exclusion configurations for environments where SessionLimit Server and Agent components are deployed.

SessionLimit enforces security policies such as session control, login limitation, credential-based authentication, and optional multi-factor authentication (2FA) by interacting with the Windows logon process, credential providers, registry policies, and runtime system events.

Due to this behavior, certain antivirus or endpoint protection solutions may incorrectly identify SessionLimit components as suspicious or may interfere with their normal operation.

These exclusions are provided to ensure:

  • Reliable enforcement of SessionLimit security policies

  • Proper execution of authentication and 2FA workflows

  • Stable communication between SessionLimit components

  • Prevention of false-positive detections and silent blocking

This document applies to the following SessionLimit components:

  • SessionLimit Server Service

  • SessionLimit Agent (Client & Server)

  • SessionLimit Web / Management Console (IIS-based)

  • Credential Provider and logon-related agent modules

Supported deployment models:

  • All-in-One Server installation

  • Distributed Server / Database / Agent architecture

  • Agent deployment on Windows Servers and Windows Clients

Supported Operating Systems

Server Operating Systems

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022

  • Windows Server 2025

Client Operating Systems

  • Windows 10

  • Windows 11

Why Antivirus Exclusions Are Required

SessionLimit performs the following operations that may be affected by real-time antivirus scanning or behavioral protection modules:

  • Integration with Windows Credential Provider framework

  • Logon, unlock, and RDP session interception

  • Real-time policy evaluation during authentication

  • Registry access under HKLM and HKCU (SID-based) paths

  • Local runtime decision-making for login and 2FA enforcement

  • Secure communication between Agent, Server, and Directory Services

Aggressive antivirus scanning, ransomware protection, or behavioral monitoring may:

  • Delay or block authentication flows

  • Prevent 2FA prompts from appearing

  • Disable session limitation enforcement

  • Cause inconsistent or undefined security behavior

For these reasons, controlled and limited exclusions are recommended.

Recommended File-Based Exclusions

The following executable files should be excluded individually from real-time antivirus scanning.

Agent Components

Type
Path

File

C:\Program Files\SessionLimit v2\SessionLimitService.exe

File

C:\Program Files\SessionLimit v2\SessionLimitUI.exe

File

C:\Program Files\SessionLimit v2\Settings\SessionLimit.LanguageSettings.exe

Server Components

Type
Path

File

C:\Program Files\SessionLimit Server 2.0\Service\SessionLimitServerService.exe

File

C:\Program Files\SessionLimit Server 2.0\FTW\FTW.exe

Data and Runtime Folder Exclusions

The following directory contains runtime data, cache, and operational files used by SessionLimit:

Type
Path

Folder

C:\ProgramData\ArkSoft\SessionLimit20\*.*

Process-Based Exclusions

In addition to file exclusions, process-based exclusions are recommended to prevent behavioral blocking.

Component
Process Name

Agent

SessionLimitService.exe

Agent

SessionLimitUI.exe

Agent

SessionLimit.LanguageSettings.exe

Server

SessionLimitServerService.exe

Server

FTW.exe

Registry Access Considerations

SessionLimit uses the Windows Registry to store configuration, policy, and runtime information.

HKLM (Machine-Level)

Path

HKEY_LOCAL_MACHINE\SOFTWARE\Arksoft Bilisim\SessionLimit v2

HKEY_LOCAL_MACHINE\SOFTWARE\Arksoft Bilisim\SessionLimit Server 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Arksoft Bilisim\Settings\{GUID}

HKCU / SID-Based (Agent)

Path

HKEY_USERS\<UserSID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

HKEY_USERS\<UserSID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI

Registry exclusions should be evaluated and approved according to the organization’s security policy.

Network and Behavioral Protection Considerations

Network Communication

SessionLimit relies on the following network communications:

Source
Destination
Protocol / Port

Agent

SessionLimit Server

TCP 443 (HTTPS)

Server

Microsoft SQL Server

TCP 1433

Server

Microsoft SQL Browser

UDP 1434

Server

Active Directory

TCP/UDP 389 (LDAP)

Server

Active Directory

TCP 636 (LDAPS, if enabled)

Server

Global Catalog

TCP 3268 / 3269 (if applicable)

Server

DNS

TCP/UDP 53

Behavioral / Ransomware Protection

SessionLimit Agent may interact with the Windows logon process via supported Credential Provider mechanisms. Behavioral protection or ransomware prevention modules should allow these operations to avoid:

  • Blocked login flows

  • Missing 2FA challenges

  • Partial or failed policy enforcement

SessionLimit does not perform undocumented code injection or unauthorized memory manipulation.

Security Notice and Disclaimer

  • The exclusions listed in this document are recommendations only.

  • Final implementation decisions remain the responsibility of the customer’s system and security administrators.

  • Failure to apply appropriate exclusions may result in:

    • Incomplete or failed authentication workflows

    • 2FA mechanisms not triggering as expected

    • Session limitation policies not being enforced

  • In such cases, SessionLimit may not be able to guarantee expected security behavior.

PreviousProtected Group Members and Role Assignments

Last updated