1 Introduction
1.1 Why Exclude
A balance has to be struck between keeping the server environment secure and virus free and not interfering with the reliability and performance of each server.
Missing anti-virus exclusions have traditionally been one of the main causes of application and service outages, and virus scanning is also a frequent cause of performance problems.
1.2 Document Purpose
The purpose of this document is to provide guidelines for anti-virus configuration, depending on the software installed on a server. These guidelines are based on the Microsoft Knowledge Base, Microsoft Premier Support and collective field experience from Microsoft Services.
These guidelines apply to both memory-resident 'realtime' scanning and on-demand 'local' scanning.
1.3 Disclaimer
Implementing the exclusion guidelines described in this document may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. Before making these changes, evaluate the risks associated with implementing this workaround. In particular, anything written into a folder that is excluded outright (*.* or *.* /s) will never be scanned, so write access to such folders should be restricted to the service accounts that need it. In some cases, additional settings beyond those contained in this document may be required to prevent reliability or performance issues.
It is at the discretion of the reader with regards to interpretation and implementation of the guidelines contained in this document.
1.4 Document Scope
This document covers anti-virus scanner settings for the following Microsoft Technologies running on Windows 2000 Server and Windows Server 2003:
1. Microsoft Applications
a. ADAM
b. Application Center 2000
c. BizTalk 200x
d. Content Management Server (MCMS) 200x
e. Exchange Server 200x
f. Live Communications Server (LCS) 2005
g. Microsoft Baseline Security Analyzer (MBSA) 2.x
h. Microsoft Identity Integration Server (MIIS) 2003
i. Microsoft Operations Manager (MOM) 2005
j. MSDE 2000
k. SharePoint Portal Server (SPS) 200x
l. SQL Server 2000
m. SQL Server 2000 Notification Services
n. SQL Server 2000 Reporting Services
o. Systems Management Server (SMS) 2 / 2003
p. SMS 2003 Clients (running ITMU)
q. Virtual Server (VS) 2005 (Host)
r. Virtual PC (VPC) 2004 (Host)
s. Visual SourceSafe 4 / 5 / 6
t. Windows Rights Management Services (RMS)
u. Windows SharePoint Services (WSS)
v. Windows System Resource Manager (WSRM)
w. Windows Server Update Services (WSUS)
2. Core Windows 200x Services
a. Active Directory
b. ASP.NET applications
c. Cluster Service
d. DHCP Service
e. File Replication Service (FRS)
f. Internet Information Services (IIS) 5 / 6
g. Index Service
h. MSMQ
i. Pagefile
j. Print Service
k. SMTP Service
l. Terminal Server Licensing Service
m. WINS Service
This document does not cover scanning of data held within applications themselves, for example scanning of data inside Exchange and SharePoint databases, which is possible but outside the scope of this document.
2 Exclusion Guidelines
The original table has the columns Service / Application, Process, File / Extension / TCP/IP port, Default Folder and Comments. Each entry below gives the product (with its dependencies and any supporting Knowledge Base articles), followed by one block per table row: Process (where one applies), Files (or Port), Folder and Comment.
2.1 Windows Applications
ADAM
  Files: Adamntds.dit, Temp.edb, Edb.chk, edb.log, res1.log, res2.log
  Folder: %ProgramFiles%\Microsoft ADAM\%instancename%\Data (where %instancename% is the ADAM instance name specified during installation)
  Comment: ADAM database and logs

  Files: *.config, Global.asax
  Folder: -
  Comment: .config files containing application execution options.
Application Center 2000
KB: http://support.microsoft.com/?id=821119
  Files: *.*
  Folder: %replicateddrive%\$ACSRPL$ (where %replicateddrive% is any drive that contains replicated content)
  Comment: Replicated content
BizTalk 200x (dependent on SQL Server and ASP.NET; may be dependent on MSMQ)
KB: http://support.microsoft.com/?id=318941
  Files: as required
  Folder: any BizTalk file receive queue folders, and the IIS virtual directories used by BizTalk Server (MessagingManager, BizTalkServerRepository)
  Comment: BizTalk File Receive. Exclude any file extensions used, e.g. if you are consuming XML messages, exclude scanning of .xml files.

  Files: *.config, Global.asax
  Folder: -
  Comment: .config files containing application execution options.
Content Management Server (MCMS) 200x (dependent on IIS, Index Service, ASP.NET)
  Files: *.*
  Folder: %ProgramFiles%\Microsoft Content Management Server\Server\RdOnlyRes
  Comment: CMS dynamic content (caches resources extracted from the database before delivery to the client).

  Files: *.*
  Folder: %ProgramFiles%\Microsoft Content Management Server\Server\IIS_NR\System\SdUpload
  Comment: SdUpload

  Files: *.* /s
  Folder: %ProgramFiles%\Microsoft Content Management Server\Server\IIS_NR\System\ResUpload
  Comment: ResUpload

  Files: *.config, Global.asax
  Folder: -
  Comment: .config files containing application execution options.
Exchange Server 200x (dependent on SMTP, IIS)
KB: http://support.microsoft.com/?id=245822
KB: http://support.microsoft.com/?id=823166
KB: http://support.microsoft.com/?id=328841
  Process: mad.exe, store.exe
  Files: *.edb, *.stm
  Folder: %ProgramFiles%\Exchsrvr\MDBDATA
  Comment: Exchange databases

  Files: *.chk, *.log, *.dat
  Folder: %ProgramFiles%\Exchsrvr\MDBDATA
  Comment: Exchange database logs

  Files: *.* /s
  Folder: M:
  Comment: Installable File System (IFS) drive (drive M). Applies to Exchange 2000 Server only, and only if the M: drive is enabled.

  Files: *.stf
  Folder: %ProgramFiles%\Exchsrvr\MDBDATA (or wherever the database log files are stored)
  Comment: Temporary files used during the content conversion process. Specific to Exchange 2000 Server.

  Files: *.*
  Folder: %ProgramFiles%\Exchsrvr\Mtadata
  Comment: Exchange MTA files

  Files: *.log
  Folder: C:\Exchsrvr\%servername%.log (where %servername% is the name of the server running Exchange Server)
  Comment: Exchange message tracking log files (if enabled)

  Files: *.* /s
  Folder: %ProgramFiles%\Exchsrvr\Mailroot
  Comment: Virtual server folders

  Files: *.*
  Folder: %ProgramFiles%\Exchsrvr\Srsdata
  Comment: Site Replication Service (SRS)

  Files: *.*
  Folder: any folders used when running offline maintenance utilities such as Eseutil.exe
Live Communications Server (LCS) 2005 (may be dependent on SQL Server or MSDE)
  Files: *.mdf
  Folder: C:\LC Archiving Data
  Comment: Archive databases

  Files: *.ldf
  Folder: C:\LC Archiving Log
  Comment: Archive logs

  Files: *.mdf
  Folder: C:\LC Data
  Comment: User and configuration databases

  Files: *.ldf
  Folder: C:\LC Log
  Comment: User and configuration logs
Microsoft Baseline Security Analyzer (MBSA) 2.x
KB: http://support.microsoft.com/?id=900638
  Files: wsusscan.cab
  Folder: C:\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache
  Comment: Because Wsusscan.cab contains several nested cabinet files, excluding the Wsusscan.cab file itself is not typically sufficient to prevent the high CPU use unless the scanner can also be told to exclude its contents.
Microsoft Identity Integration Server (MIIS) 2003
  Files: MicrosoftIdentityIntegrationServer.mdf, MicrosoftIdentityIntegrationServer_log.LDF
  Folder: %ProgramFiles%\Microsoft Identity Integration Server\data
  Comment: MIIS database and log
Microsoft Operations Manager (MOM) 2005 (MOM Management Server dependent on SQL Server; MOM Reporting dependent on IIS and SQL Server Reporting Services; MOM Web Console dependent on IIS)
  Files: MOMHost.exe.config
  Folder: %ProgramFiles%\Microsoft Operations Manager 2005
  Comment: .config file containing application configuration options.

  Files: web.config
  Folder: %ProgramFiles%\Microsoft Operations Manager 2005\WebConsole
  Comment: Web Console .config file containing application configuration options.
MSDE 2000
  Files: *.mdf, *.ldf
  Folder: C:\MSSQL$%InstanceName%\Data (where %InstanceName% is the MSDE instance name that you or an application specifies during installation)
  Comment: MSDE database and logs
SharePoint Portal Server (SPS) 200x
KB: http://support.microsoft.com/?id=320111
  Files: *.*
  Folder: %ProgramFiles%\SharePoint Portal Server

  Files: *.*
  Folder: %ProgramFiles%\Common Files\Microsoft Shared\Web Storage System

  Files: *.*
  Folder: %SystemRoot%\Temp\FrontPageTempDir
  Comment: File cache for uploading user files to the document library.

  Process: owstimer.exe
  Port: 25 (TCP)
  Folder: N/A
  Comment: Alerts relating to adding, modifying and deleting information on the site. SharePoint Portal Server sends alerts to an SMTP service on port 25. Some anti-virus products have an option to "Prevent mass mailing worms from sending mail" on port 25; ensure that OWSTIMER.EXE is added to that option's exception list so it can communicate with SMTP.
SQL Server 2000
KB: http://support.microsoft.com/?id=309422
  Process: sqlservr.exe, sqlagent.exe
  Files: *.mdf, *.ldf, *.ndf
  Folder: %ProgramFiles%\Microsoft SQL Server\MSSQL\data
  Comment: SQL database and logs

  Process: msdtc.exe
  Files: msdtc.log
  Folder: %SystemRoot%\system32\MsDtc
  Comment: MSDTC log

  Files: *.* /s
  Folder: %ProgramFiles%\Microsoft SQL Server\MSSQL\FTDATA
  Comment: SQL Server full-text catalog files (applicable if indexing SQL Server databases)

  Files: *.bak, *.trn
  Folder: %ProgramFiles%\Microsoft SQL Server\MSSQL\BACKUP (and any other folders containing SQL database dumps)
  Comment: SQL database dumps
SQL Server 2000 Reporting Services
  Files: *.config, Global.asax
  Folder: %ProgramFiles%\Microsoft SQL Server\MSSQL\Reporting Services (exclude these files and extensions in all sub-folders)
  Comment: .config files containing application execution options.
SQL Server 2000 Notification Services
  Process: nsservice.exe
  Files: *.config
  Folder: %ProgramFiles%\Microsoft SQL Server\90\NotificationServices\9.0.242\bin
  Comment: .config files containing application execution options.
Systems Management Server (SMS) 2 & 2003 (dependent on SQL Server)
KB: http://support.microsoft.com/?id=327453
KB: http://support.microsoft.com/?id=871161
  Files: install.map
  Folder: C:\SMS
  Comment: Prevents contention for the install.map data file.

  Files: *.adc, *.box, *.ccr, *.cfg, *.cmn, *.ct0, *.ct1, *.ct2, *.dat, *.dc, *.ddr, *.i*, *.ins, *.ist, *.job, *.lkp, *.lo_, *.log, *.mif, *.mof, *.nal, *.ncf, *.nhm, *.ofn, *.ofr, *.p*, *.pcf, *.pck, *.pdf, *.pkg, *.pkn, *.rpl, *.rpt, *.sca, *.scd, *.scu, *.sha, *.sic, *.sid, *.srq, *.srs, *.ssu, *.svf, *.tmp, *.udc
  Folder: C:\SMS\Inboxes (exclude these file types, or all files, in all sub-folders under C:\SMS\Inboxes, with the exception of the C:\SMS\Inboxes\clicomp.src and C:\SMS\Inboxes\colfile.box folders)
  Comment: Site server inboxes (only applies to servers providing site server services)

  Files: *.log
  Folder: C:\SMS\Logs
  Comment: SMS logs

  Files: *.*
  Folder: C:\SMS\Netmon\i386\captures, C:\SMS\Netmon\i386\experts
  Comment: Netmon capture and data files

  Files: -
  Folder: C:\SMS\CAP_%SMSSiteCode% (where %SMSSiteCode% is the three-character SMS site code)
  Comment: Client Access Point (CAP) inboxes (only applies to servers providing CAP services). Exclude the file types listed for the site server inboxes, or all files, in all sub-folders under this folder.

  Files: *.* /s
  Folder: C:\SMSPKG (typically on the drive with the most available disk space)
  Comment: Distribution Manager stores a compressed copy of each package here.

  Files: *.tmp
  Folder: C:\ (by default the same drive as the one that contains the SMSPKG folder above)
  Comment: Distribution Manager compresses a temporary copy of each package here.

  Files: *.msg, *.que, *.xml
  Folder: C:\SMS_CCM\ServiceData
  Comment: Management Point (MP) (only applies to SMS 2003 Management Points)
SMS 2003 Clients (running ITMU)
  Files: wsusscan.cab /s
  Folder: %SystemRoot%\SoftwareDistribution\Scanfile
  Comment: The Windows Update catalog is a large file and can cause performance issues when copied around on the client if AV is set to scan inside archives. Because Wsusscan.cab contains several nested cabinet files, excluding the Wsusscan.cab file itself is not typically sufficient to prevent the high CPU use unless the scanner can also be told to exclude its contents.

  Folder: %SystemRoot%\system32\CCM\Cache
  Comment: SMS client cache folder

  Folder: %SystemRoot%\system32\VPCache
  Comment: Package ID folder for the inventory tool
Virtual Server 2005 Host (dependent on IIS)
KB: http://support.microsoft.com/?id=840193
  Process: vssrvc.exe, vmh.exe
  Files: *.vhd, *.vmc, *.vsv, *.vud, *.vfd
  Folder: all folders on the server
  Comment: Virtual machines, floppies and saved state.

  Files: *.iso
  Folder: all folders on the server
  Comment: ISO image files
Virtual PC 2004 Host
KB: http://support.microsoft.com/?id=840193
  Process: virtualpc.exe
  Files: *.vhd, *.vmc, *.vsv, *.vud, *.vfd
  Folder: all folders on the server
  Comment: Virtual machines, floppies and saved state.

  Files: *.iso
  Folder: all folders on the server
  Comment: ISO image files
Visual SourceSafe 4 / 5 / 6
KB: http://support.microsoft.com/?id=274051
  Files: -
  Folder: -
  Comment: Disable any realtime scanning on the server and manually scan the SourceSafe server periodically.
Windows Rights Management Services (RMS)
  Files: *.config, Global.asax
  Folder: -
  Comment: .config files containing application execution options.
Windows SharePoint Services (WSS) (dependent on SQL Server or MSDE)
  Process: owstimer.exe
  Port: 25 (TCP)
  Folder: N/A
  Comment: Alerts relating to adding, modifying and deleting information on the site. Windows SharePoint Services sends alerts to an SMTP service on port 25. Some anti-virus products have an option to "Prevent mass mailing worms from sending mail" on port 25; ensure that OWSTIMER.EXE is added to that option's exception list so it can communicate with SMTP.

  Files: *.* /s
  Folder: %SystemRoot%\Temp\FrontPageTempDir
  Comment: File cache for uploading user files to the document library.
Windows System Resource Manager (WSRM)
  Files: Wsrm.edb
  Folder: %SystemRoot%\system32\Windows System Resource Manager\JetDB
  Comment: Accounting database
Windows Server Update Services (WSUS) (dependent on SQL Server or MSDE)
  Files: *.mdf, *.ldf
  Folder: C:\WSUS\MSSQL$WSUS\Data
  Comment: WSUS MSDE database and logs (present if MSDE is used for the WSUS database)
2.2 Windows 200x Services
.NET Framework
  Files: *.* /s
  Folder: %SystemRoot%\Microsoft.NET\Framework
Active Directory
KB: http://support.microsoft.com/?id=822158
KB: http://support.microsoft.com/?id=284947
KB: http://support.microsoft.com/?id=815263
  Process: lsass.exe
  Files: ntds.dit, ntds.pat
  Folder: %SystemRoot%\ntds
  Comment: NTDS database

  Files: edb*.log, ntds.pat, res1.log, res2.log
  Folder: %SystemRoot%\ntds
  Comment: NTDS logs

  Files: temp.edb, edb.chk
  Folder: %SystemRoot%\ntds
  Comment: NTDS working folder

  Files: *.* /s
  Folder: %SystemRoot%\Sysvol\sysvol, %SystemRoot%\Sysvol\staging areas, %SystemRoot%\Sysvol\staging
  Comment: SYSVOL. This exclusion may not be necessary; see http://support.microsoft.com/?id=815263 for details.
ASP.NET applications (.NET Framework)
KB: http://support.microsoft.com/?id=312592
KB: http://support.microsoft.com/?id=829978
KB: http://support.microsoft.com/?id=821438
KB: http://support.microsoft.com/?id=871042
  Files: *.config, Global.asax
  Folder: depends on where the application has been installed
  Comment: .config files containing application configuration options. Exclude these file types on all servers running ASP.NET applications. Note that this issue is resolved for both .NET Framework 1.0 and 1.1 with a hotfix (and possibly now a service pack); see http://support.microsoft.com/?id=821438 and http://support.microsoft.com/?id=871042 for details.
Certificate Server
  Files: Domain.edb, tmp.edb, edb.chk, res1.log, res2.log
  Folder: %SystemRoot%\system32\CatRoot2
  Comment: Certificate Jet database and logs
Cluster Service
KB: http://support.microsoft.com/?id=321531
KB: http://support.microsoft.com/?id=250355
  Files: *.*
  Folder: %SystemRoot%\Cluster

  Files: *.* /s
  Folder: %QuorumDrive%\MSCS (where %QuorumDrive% is the shared quorum disk resource)
  Comment: Cluster quorum disk
DFS
  Comment: The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS is used to replicate shares that are mapped to DFS root and link targets on Windows 2000 or Windows Server 2003-based member computers or domain controllers.
DHCP Service
  Files: tmp.edb, dhcp.mdb, dhcp.pat, j*.log, res1.log, res2.log
  Folder: %SystemRoot%\system32\dhcp
  Comment: DHCP Jet database and logs
Print Service
  Process: spoolsv.exe
  Files: *.spl, *.shd
  Folder: %SystemRoot%\system32\spool\PRINTERS
  Comment: Print spool files
File Replication Service (FRS)
KB: http://support.microsoft.com/default.aspx?scid=kb;en-us;815263
  Files: ntfrs.jdb
  Folder: %SystemRoot%\ntfrs\jet
  Comment: FRS database (needed for SYSVOL)

  Files: *.log
  Folder: %SystemRoot%\ntfrs\jet\log
  Comment: FRS logs (needed for SYSVOL)

  Files: edb.chk
  Folder: %SystemRoot%\ntfrs\jet\sys
  Comment: FRS working folder (needed for SYSVOL)
Internet Information Services (IIS) 5 / 6
KB: http://support.microsoft.com/?id=817442
  Process: inetinfo.exe
  Files: *.config, Global.asax
  Folder: depends on where the application has been installed
  Comment: .config files containing application execution options. Exclude these file types on all servers running IIS.

  Files: metabase.bin
  Folder: %SystemRoot%\system32\inetsrv
  Comment: IIS 5 metabase

  Files: MetaBase.xml, MBSchema.xml
  Folder: %SystemRoot%\system32\inetsrv
  Comment: IIS 6 metabase

  Files: *.*
  Folder: %SystemRoot%\IIS Temporary Compressed Files
  Comment: IIS temporary compressed files
Index Service
KB: http://support.microsoft.com/?id=247093
KB: http://support.microsoft.com/?id=209304
  Process: cisvc.exe, cidaemon.exe
  Files: catalog.wci
  Folder: C:\System Volume Information (in addition, exclude catalog.wci in any other folder that contains an Index Catalog)
  Comment: System catalog
MSMQ
  Files: *.* /s
  Folder: %SystemRoot%\system32\MSMQ, %SystemRoot%\system32\MSMQ\storage
  Comment: MSMQ queues
Pagefile (present on all Windows servers)
  Files: Pagefile.sys
  Folder: C:\
  Comment: Windows pagefile
SMTP Service
  Files: *.* /s
  Folder: C:\Inetpub\mailroot
  Comment: Default SMTP virtual server
Terminal Server Licensing Service
  Process: lserver.exe
  Files: *.edb, *.log, *.tmp, *.chk
  Folder: %SystemRoot%\System32\LServer
  Comment: License server database and logs
WINS Service
  Files: wins.mdb, winstmp.mdb, j50.chk, j50.log, res1.log, res2.log
  Folder: %SystemRoot%\system32\wins
  Comment: WINS Jet database and logs
Notes
1. Any paths shown in this document are default installation paths only. Actual paths may vary (and may even be split across multiple drives, as is often the case with SQL, Exchange and SMS).
2. %SystemRoot% is 'C:\Windows' by default and %ProgramFiles% is 'C:\Program Files' by default.
3. If the server was upgraded from Windows NT 4.0, the Windows folder will likely be C:\WINNT.
4. *.* designates that all files in the specified folder should be excluded.
5. *.* /s designates that all files in the specified folder and all of its sub-folders should be excluded.
6. Specific recommendations from anti-virus software vendors may supersede the guidelines contained in this document.
7. Some of the guidelines may not apply to future service packs, hotfixes or versions of the operating systems or applications listed in this document.
8. The Knowledge Base articles referenced generally contain a more detailed explanation of the potential issues with virus scanning software and their resolutions. It is strongly recommended that these articles be reviewed when planning an anti-virus strategy.
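The difference between notes 4 and 5 is easy to get wrong when an exclusion list is typed into a product console, and the result is either an outage (a sub-folder the service writes to is still scanned) or a blind spot (a folder is excluded recursively when only its root needed to be). The following PowerShell is an added example written for this edition of the document, not part of the original guidance: it models the table's exclusion semantics (file name or wildcard, folder, with or without /s, or an extension excluded in every folder) and reports which of a set of sample paths a proposed exclusion set would actually cover. The sample paths are constructed; the rules are taken from the Section 2 table. One assumption not in the document: %SystemRoot% and %ProgramFiles% are expanded from the Note 2 defaults rather than the live environment, so the check is repeatable on any machine.

```powershell
# Added example; not part of the original guidance. Models the exclusion semantics of
# Section 2 and Notes 4-5 so a proposed exclusion set can be checked against real paths.
#   Pattern    file name or wildcard as written in the table ('ntds.dit', '*.edb', '*.*')
#   Folder     default folder; may use %SystemRoot% / %ProgramFiles%; $null = every folder
#   Recursive  $true for '/s' (folder and all sub-folders), $false for that folder only
# Assumption (not from the document): the tokens below are expanded from the Note 2 defaults.
$DefaultRoots = @{ '%SystemRoot%' = 'C:\Windows'; '%ProgramFiles%' = 'C:\Program Files' }

function Expand-ExclusionFolder {
    param([string]$Folder)
    $expanded = $Folder
    foreach ($token in $DefaultRoots.Keys) {
        $expanded = $expanded -ireplace [regex]::Escape($token), $DefaultRoots[$token]
    }
    return $expanded.TrimEnd('\')
}

function Test-Excluded {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable[]]$Rules
    )
    # Split on the last backslash ourselves so the check also runs on non-Windows pwsh.
    $cut  = $Path.LastIndexOf('\')
    $dir  = $Path.Substring(0, $cut).TrimEnd('\')
    $name = $Path.Substring($cut + 1)

    foreach ($rule in $Rules) {
        # Note 4: '*.*' means every file, including names without an extension. -like is case-insensitive.
        if ($rule.Pattern -ne '*.*' -and $name -notlike $rule.Pattern) { continue }
        if (-not $rule.Folder) { return $rule }                 # extension excluded in every folder
        $folder = Expand-ExclusionFolder $rule.Folder
        if ($dir -ieq $folder) { return $rule }                 # '*.*'   : this folder only
        if ($rule.Recursive -and
            $dir.StartsWith($folder + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $rule                                        # '*.* /s': folder and sub-folders
        }
    }
    return $null
}

# Rules copied from the Section 2 table (Active Directory, Exchange, SMS, Virtual Server, Pagefile)
$Rules = @(
    @{ Pattern = 'ntds.dit';     Folder = '%SystemRoot%\ntds';               Recursive = $false; Source = 'Active Directory' }
    @{ Pattern = '*.edb';        Folder = '%ProgramFiles%\Exchsrvr\MDBDATA'; Recursive = $false; Source = 'Exchange databases' }
    @{ Pattern = '*.*';          Folder = 'C:\SMSPKG';                       Recursive = $true;  Source = 'SMS Distribution Manager' }
    @{ Pattern = '*.tmp';        Folder = 'C:\';                             Recursive = $false; Source = 'SMS package compression' }
    @{ Pattern = '*.vhd';        Folder = $null;                             Recursive = $true;  Source = 'Virtual Server 2005' }
    @{ Pattern = 'Pagefile.sys'; Folder = 'C:\';                             Recursive = $false; Source = 'Pagefile' }
)

# Constructed sample paths: some the table intends to exclude, some a reviewer should see are NOT.
$Samples = @(
    'C:\Windows\ntds\ntds.dit',
    'C:\Program Files\Exchsrvr\MDBDATA\priv1.edb',
    'C:\Program Files\Exchsrvr\MDBDATA\archive\priv1.edb',   # sub-folder: no '/s', so still scanned
    'C:\SMSPKG\ABC00001\setup.exe',                            # '*.* /s': anything dropped here is unscanned
    'C:\dropper.tmp',                                          # root-only '*.tmp' covers this ...
    'C:\Windows\Temp\dropper.tmp',                             # ... but not this
    'D:\VMs\payload.vhd'                                       # extension excluded in every folder
)

function Get-ExclusionReport {
    param([string[]]$Paths, [hashtable[]]$RuleSet)
    foreach ($p in $Paths) {
        $hit = Test-Excluded -Path $p -Rules $RuleSet
        [pscustomobject]@{
            Path     = $p
            Excluded = ($null -ne $hit)
            Rule     = $(if ($hit) { "$($hit.Pattern) in $(if ($hit.Folder) { $hit.Folder } else { '<any folder>' })$(if ($hit.Recursive) { ' /s' })" } else { '' })
            Source   = $(if ($hit) { $hit.Source } else { '' })
        }
    }
}

Get-ExclusionReport -Paths $Samples -RuleSet $Rules | Format-Table -AutoSize
```

Run as-is, the report shows the Exchange database in a sub-folder of MDBDATA and the .tmp file under %SystemRoot%\Temp as still scanned, which is what the table specifies, and setup.exe under SMSPKG and the .vhd on D: as never scanned. The last two are the security-relevant rows: a recursive *.* exclusion and a global extension exclusion are only acceptable if the folder ACLs limit who can write there, so review those before entering them into the product console. To check a real server, replace $Samples with the output of Get-ChildItem -Recurse over the folders in question.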
3 Appendix A – Best Practices for Determining Files to Exclude from Scanning
3.1 Types of Files
The exclusion guidelines contained in Section 2 of this document are product specific. For other applications (not listed above), it is often necessary to determine exclusions on a case-by-case basis. The section below provides some guidance in this area.
Files should typically be excluded based on the following criteria:
· Locked files - the files are permanently locked open by a legitimate server process. Examples are databases such as DHCP and SQL Server, and files such as the Windows pagefile.
· Large files - the files are manipulated often by a legitimate server process and are typically large. Examples are copying CD/DVD images (.iso) and virtual machine files (.vhd); such operations may also include offline maintenance on virtual machine files and Exchange Server databases.
· Temporary files - a large number of temporary files are written to disk by a legitimate server process. Examples are the spool folder and Exchange Server MTA queues.
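For an application that is not in the Section 2 table, the three criteria above can be applied mechanically before anyone decides what to exclude. The following PowerShell is an added example written for this edition of the document, not part of the original guidance: it walks a folder tree, flags each file that is locked open, large, or has a temporary-file extension, and groups the hits by folder and extension so they map onto the table's Folder and Files columns. The 100 MB threshold and the list of temporary extensions are assumptions, not values from the document, and both are parameters. It requires Windows PowerShell 3.0 or later for Get-ChildItem -File.

```powershell
# Added example; not part of the original guidance. Surveys a folder tree and flags files that
# meet the three Appendix A criteria (locked, large, temporary) so that candidate exclusions can
# be reviewed, and the owning process verified, before anything is excluded.
# Assumptions (not from the document): 100 MB as the "large" threshold and the extension list
# below as "temporary"; both are parameters. Requires Windows PowerShell 3.0 or later.

function Test-FileLocked {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # Ask for exclusive access; a sharing violation means another process holds the file open.
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, [System.IO.FileShare]::None)
        $fs.Dispose()
        return $false
    }
    catch [System.IO.IOException]              { return $true }
    catch [System.UnauthorizedAccessException] { return $false }   # an ACL denial is not a lock
}

function Get-ExclusionCandidates {
    param(
        [Parameter(Mandatory)][string]$Root,
        [long]$LargeBytes = 100MB,
        [string[]]$TempExtensions = @('.tmp', '.spl', '.shd', '.que', '.msg')
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $reasons = @()
            if (Test-FileLocked -Path $_.FullName)      { $reasons += 'Locked' }
            if ($_.Length -ge $LargeBytes)               { $reasons += 'Large' }
            if ($TempExtensions -contains $_.Extension)  { $reasons += 'Temporary' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Folder  = $_.DirectoryName
                    # Exclude by extension where there is one (as Section 2 does for *.edb, *.mdf),
                    # otherwise by exact file name (as for ntds.dit or Pagefile.sys).
                    Pattern = $(if ($_.Extension) { "*$($_.Extension)" } else { $_.Name })
                    Reasons = $reasons -join ','
                    SizeMB  = [math]::Round($_.Length / 1MB, 1)
                }
            }
        } |
        Group-Object -Property Folder, Pattern |
        ForEach-Object {
            [pscustomobject]@{
                Folder  = $_.Group[0].Folder
                Pattern = $_.Group[0].Pattern
                Files   = $_.Count
                Reasons = (($_.Group.Reasons -split ',') | Sort-Object -Unique) -join ','
                TotalMB = [math]::Round(($_.Group | Measure-Object SizeMB -Sum).Sum, 1)
            }
        }
}

# Usage: review the output, confirm which legitimate service owns each file, then carry the
# Folder and Pattern columns into the Section 2 layout. Nothing here changes any AV setting.
Get-ExclusionCandidates -Root 'C:\Program Files\Microsoft SQL Server' |
    Sort-Object TotalMB -Descending | Format-Table -AutoSize
```

The output is a worklist, not an exclusion list: a locked or large file only qualifies if the process holding it is the legitimate server process named in Appendix A, and the script cannot tell a database held open by sqlservr.exe from one held open by something else, so check the owner (for example with Process Explorer's handle search) before excluding. The lock test opens every file for a moment with exclusive sharing, so run it outside a busy period on production systems.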
-----Original Message-----
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Michael mott
Sent: Wednesday, January 07, 2009 10:49 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM Console sluggish and 'busy'
Good to know, but is that an acceptable or MS recommended configuration?
Meaning they do say what to exclude for maybe a DP and other SMS processes; just want to be sure it's kosher before it's asked. Did other folks do this for SMS 2003 also?
>>> "Sergent, Robert" <RobertSergent@officemax.com> 1/7/2009 10:35 AM >>>
I had the security team add ccmexec.exe, sitecomp.exe, smsexec.exe, smsrph.exe, and sqlsevr.exe to Low-Risk Processes.
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Chris Stauffer
Sent: Wednesday, January 07, 2009 9:23 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM Console sluggish and 'busy'
Can you tell us exactly what you excluded?
Thanks,
Christopher Stauffer <><
Enterprise SMS Admin
MCTS ConfigMgr 2007
MCP SMS 2003
Email: CStauffer@myitforum.com
Blog: http://myitforum.com/cs2/blogs/cstauffer/
________________________________
From: "Sergent, Robert" <RobertSergent@officemax.com>
Sent: Wednesday, January 07, 2009 9:29 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM Console sluggish and 'busy'
We found the sluggish SCCM Console issue was caused by our virus software. Once we made the SMS and SQL processes low priority on real time scans, our performance was greatly improved. Now the All Systems collection for 25,000 clients comes back in under two seconds. It used to take about 5 minutes.
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Michael Dzikowski
Sent: Wednesday, January 07, 2009 8:12 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM Console sluggish and 'busy'
Echo that!
Mike Dzikowski
Systems Administrator
Credit Acceptance Corporation
248.353.2700 ext. 5551
mdzikowski@creditacceptance.com
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Todd Hemsell
Sent: Wednesday, January 07, 2009 9:12 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM Console sluggish and 'busy'
continually
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Stephen @ Internet
Sent: Wednesday, January 07, 2009 4:10 AM
To: mssms@lists.myitforum.com
Subject: [mssms] SCCM Console sluggish and 'busy'
Hi everyone from a chilly England,
Does anyone else get sluggish performance from the SCCM MMC console?
i.e. you often have to twiddle your thumbs and wait for the console to do things like this:
It says this but you can just hit cancel and the console is responding
But with this one usually saying something along the lines of waiting/updating console etc
==============
Missed an email? Check out the list archive:
http://myitforum.com/cs2/blogs/smslist/