
Consider the following file scanning exceptions for your Anti-Virus software where applicable:

NOTE: The %systemroot% is normally the C:\WINDOWS or C:\WINNT directory, depending on your OS.

NOTE: The %systemroot% variable will not work as an exclusion on some OSs, so make sure to spell out the full path in your exclusion files (GPO or via the AntiVirus Server).

1.) %systemroot%\System32\Spool (and all the sub-folders and files)
2.) %systemroot%\SoftwareDistribution\Datastore
    Refer to the following article for information:
    KB822158 - Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, or Windows XP http://support.microsoft.com/kb/822158
3.) Any Network Drives that are mapped.

The following steps are Server Role specific:

1.) If your system is also a Domain Controller (DC) / DNS / DHCP, also exclude the following from Anti-Virus scanning:
    a.) %systemroot%\Sysvol folder (include all the sub-folders and files)
    b.) %systemroot%\system32\dhcp folder (include all the sub-folders and files)
    c.) %systemroot%\system32\dns folder (include all the sub-folders and files)
    d.) %systemroot%\ntds
    Refer to the following article for information:
    KB822158 - Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, or Windows XP http://support.microsoft.com/kb/822158

2.) If the File Replication (NTFR) service is running on your system, make sure your Anti-Virus software is compatible:
    KB815263 - Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service http://support.microsoft.com/kb/815263
    And exclude:
    a.) %systemroot%\ntfrs folder (include all the sub-folders and files)
    b.) Files that have the .log and .dit extension

3.) If you have IIS installed, exclude:
    a.) The IIS compression directory (default compression directory is %systemroot%\IIS Temporary Compressed Files)
    b.) %systemroot%\system32\inetsrv folder
    c.) Files that have the .log extension
    Refer to the following knowledge base articles for reference:
    KB817442 - IIS 6.0: Antivirus Scanning of IIS Compression Directory May Result in 0-Byte File http://support.microsoft.com/kb/817442
    KB821749 - Antivirus software may cause IIS to stop unexpectedly http://support.microsoft.com/kb/821749

4.) If you have SQL installed, you may want to exclude the SQL folder and database files (or database file types) from scanning for performance reasons:
    KB309422 - Guidelines for choosing antivirus software to run on the computers that are running SQL Server http://support.microsoft.com/kb/309422

5.) If you have Exchange installed, perform the relevant file-based scanning exclusions listed in these Knowledge Base articles:
    KB328841 - Exchange and antivirus software http://support.microsoft.com/kb/328841
    KB823166 - Overview of Exchange Server 2003 and antivirus software http://support.microsoft.com/kb/823166
    KB245822 - Recommendations for troubleshooting an Exchange Server computer with antivirus software installed http://support.microsoft.com/kb/245822

6.) If you have Cluster services, make sure your Anti-Virus software is compatible:
    KB250355 - Antivirus Software May Cause Problems with Cluster Services http://support.microsoft.com/kb/250355
    NOTE: If you have a SQL cluster, make sure that you exclude these locations from virus scanning:
    a.) Q:\ (Quorum drive)
    b.) %systemroot%\Cluster
    c.) SQL Server data files that have the .mdf extension, the .ldf extension, and the .ndf extension

7.) If you have SharePoint installed, you should exclude:
    a.) Drive:\Program Files\SharePoint Portal Server
    b.) Drive:\Program Files\Common Files\Microsoft Shared\Web Storage System
    c.) Drive:\MSDEDatabases (particularly on SBS)
    (where Drive: is the drive letter where you installed SharePoint Portal Server)
    Refer to the following knowledge base articles for reference:
    KB320111 - Random Errors May Occur When Antivirus Software Scans Microsoft Web Storage System http://support.microsoft.com/kb/320111
    KB322941 - Microsoft’s Position on Antivirus Solutions for Microsoft SharePoint Portal Server http://support.microsoft.com/kb/322941

8.) If you have a Systems Management Server (SMS), you should exclude these folders:
    a.) SMS\Inboxes
    b.) SMS_CCM\ServiceData
    Refer to the following knowledge base articles for reference:
    KB327453 - Antivirus programs may contribute to file backlogs in SMS 2.0 and in SMS 2003 http://support.microsoft.com/kb/327453
    NOTE: If you exclude the SMS\Inboxes directory from virus scanning or remove the antivirus software, you may make the site server and all clients vulnerable to potential virus risks. The client base component files reside in the SMS\Inboxes directory.

9.) If you have a MOM (Microsoft Operations Manager) Server, consider excluding:
    a.) Drive:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Operations Manager
    b.) Drive:\Program Files\Microsoft Operations Manager 2005
    (where Drive: is the drive letter where profiles are located)

10.) If you have an Internet Security and Acceleration Server (ISA) Server, you should exclude:
    a.) The ISALogs folder. By default, the ISALogs folder is located in the folder where you installed ISA Server. Typically, this location is Drive:\Program Files\Microsoft ISA Server.
    Refer to the following knowledge base articles for reference:
    KB887311 - Event ID 5, event ID 14079, and event ID 14176 are logged in the Application log on your Internet Security and Acceleration Server 2000 computer http://support.microsoft.com/kb/887311

11.) If you have a Windows Software Update Services (WSUS) Server role, consider excluding:
    a.) Drive:\MSSQL$WSUS
    b.) Drive:\WSUS
    (where Drive: is the drive letter where you installed Windows Software Update Services)
    Also refer to the following knowledge base articles for reference:
    KB900638 - Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file is copied http://support.microsoft.com/kb/900638
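The following Python code is an added example, not part of the original page or of any Microsoft tooling. It audits an exported exclusion list against the %systemroot%-relative folders listed above: it spells out full paths as the NOTE advises, treats entries that still contain a variable as not in effect, and reports missing and unlisted exclusions. The role labels, function names and the sample list are assumptions made for the example.

```python
import ntpath
import re

# Folder exclusions the page gives relative to %systemroot%, keyed by role.
# The role labels ("all", "dc", ...) are made up for this example.
ROLE_EXCLUSIONS = {
    "all": [r"%systemroot%\System32\Spool",
            r"%systemroot%\SoftwareDistribution\Datastore"],
    "dc": [r"%systemroot%\Sysvol", r"%systemroot%\system32\dhcp",
           r"%systemroot%\system32\dns", r"%systemroot%\ntds"],
    "frs": [r"%systemroot%\ntfrs"],
    "iis": [r"%systemroot%\IIS Temporary Compressed Files",
            r"%systemroot%\system32\inetsrv"],
    "cluster": [r"%systemroot%\Cluster"],
}
VARIABLE = re.compile(r"%[^%\\]+%")

# Constructed sample of an exported exclusion list (not real data).
SAMPLE = [
    r"%systemroot%\System32\Spool",                # variable never expanded
    "c:/windows/softwaredistribution/datastore/",  # same folder, other spelling
    r"C:\WINDOWS\Sysvol",
    r"C:\WINDOWS\ntds",
    r"C:\Temp",                                    # not on the page's list
]

def normalize(path):
    """Compare as Windows does: case-insensitive, no trailing separator."""
    return ntpath.normcase(ntpath.normpath(path.strip()))

def expected_paths(roles, systemroot):
    """Spell out the full path of every exclusion that applies to the roles."""
    wanted = {}
    for role in ["all", *roles]:
        for template in ROLE_EXCLUSIONS[role]:
            full = re.sub("%systemroot%", lambda m: systemroot, template, flags=re.I)
            wanted[normalize(full)] = ntpath.normpath(full)
    return wanted

def audit(configured, roles, systemroot):
    """Sort a configured exclusion list into findings to act on."""
    wanted = expected_paths(roles, systemroot)
    unexpanded = [p for p in configured if VARIABLE.search(p)]
    literal = {normalize(p): p for p in configured if not VARIABLE.search(p)}
    return {
        "unexpanded": unexpanded,  # variable left in place, may not take effect
        "missing": sorted(v for k, v in wanted.items() if k not in literal),
        "unlisted": sorted(v for k, v in literal.items() if k not in wanted),
    }
```

Calling `audit(SAMPLE, ["dc"], r"C:\WINDOWS")` reports the Spool entry as both unexpanded and missing, because an exclusion written with the variable cannot be relied on.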

MORE INFORMATION:
KB49500 - List of antivirus software vendors http://support.microsoft.com/kb/49500
KB129972 - Computer viruses: description, prevention, and recovery http://support.microsoft.com/kb/129972

Small Business Server (SBS):

KB885685 - How to troubleshoot the POP3 Connector in Windows Small Business Server 2003 http://support.microsoft.com/kb/885685

SOX050603700001 - How do I exclude a file from AV scanning?
SOX040212700018 - Anti Virus Software and System State Backup
SOX060301700048 - ISA 2004 Firewall Service crashes intermittently with Event ID: 5 Source: Microsoft Firewall
SOX060307700037 - MOM 2005/File level Anti-virus scanners
SOX061205700029 - MOM Agent Installation fails with -2147023277

KB837932 - Event ID 2108 and Event ID 1084 occur during inbound replication of Active Directory in Windows 2000 Server and in Windows Server 2003 http://support.microsoft.com/kb/837932
Anti-Virus folder exclusions have not been configured (Exchange) http://www.microsoft.com/technet/prodtechnol/exchange/Analyzer/9fb755f5-5f0b-4817-a584-70c76a62eae2.mspx
Process: Manage Antivirus Software on Domain Controllers http://www.microsoft.com/technet/solutionaccelerators/cits/mo/winsrvmg/adpog/adpog3.mspx#EHBBG

Keywords: AV scanning, Scan exceptions, Antivirus scanning, first level scanning exclusions, first level scanning exceptions, Server Roles, Server scanning
