Posts Tagged: Exclusions best practice

Virus scanning recommendations for Windows OS

Posted by on Thursday, 8 April, 2010

Virus scanning recommendations for computers that are running currently supported versions of Windows

Turn off scanning of Windows Update or Automatic Update related files

  • Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder:

%windir%\SoftwareDistribution\Datastore

  • Turn off scanning of the log files that are located in the following folder:

%windir%\SoftwareDistribution\Datastore\Logs

Specifically, exclude the following files:

  • Res*.log
  • Res*.jrs
  • Edb.chk
  • Tmp.edb

The wildcard character (*) indicates that there may be several files.

Turn off scanning of Windows Security files

  • Add the following files in the %windir%\Security\Database path to the exclusions list:
    • *.edb
    • *.sdb
    • *.log
    • *.chk
    • *.jrs

Note If these files are not excluded, antivirus software may prevent proper access to these files, and security databases can become corrupted. Scanning these files can prevent the files from being used or may prevent a security policy from being applied to the files. These files should not be scanned because antivirus software may not correctly treat them as proprietary database files.

Turn off scanning of Group Policy related files

  • Group Policy user registry information. These files are located in the following folder:

%allusersprofile%\

Specifically, exclude the following file:

NTUser.pol

  • Group Policy client settings file. This file is located in the following folder:

%Systemroot%\System32\GroupPolicy\

Specifically, exclude the following file:

Registry.pol

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

951059 (http://support.microsoft.com/kb/951059/ ) On a Windows Server 2003-based computer, registry-based policy settings are unexpectedly removed after a user logs on to the computer

930597 (http://support.microsoft.com/kb/930597/ ) Some registry-based policy settings are lost and error messages are logged in the Application log on a Windows XP-based computer or on a Windows Vista-based computer
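As an added example (not code from the original post or from Microsoft), the following PowerShell builds the Windows OS exclusions listed above, applies them to Microsoft Defender Antivirus and then audits the complete exclusion set for entries wider than the file-level ones the post calls for. A whole-folder exclusion on SoftwareDistribution, Security\Database or ProgramData hides anything later dropped there, which is the opposite of the intent of these recommendations. It assumes the Defender module (Add-MpPreference / Get-MpPreference, present on Windows 8.1 / Server 2012 R2 and later, which the 2010 post does not cover) and an elevated session; the function names are this example's own.

```powershell
# Added example, not code from the original post. Assumes the Microsoft Defender
# Antivirus PowerShell module (Add-MpPreference / Get-MpPreference) and an
# elevated session. Function names are this example's own.

function Get-RecommendedWindowsExclusions {
    # File-level entries from the post, with %windir% / %allusersprofile% /
    # %systemroot% expanded so they compare literally with what Defender reports.
    $raw = @(
        '%windir%\SoftwareDistribution\Datastore\Datastore.edb'
        '%windir%\SoftwareDistribution\Datastore\Logs\Res*.log'
        '%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs'
        '%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk'
        '%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb'
        '%windir%\Security\Database\*.edb'
        '%windir%\Security\Database\*.sdb'
        '%windir%\Security\Database\*.log'
        '%windir%\Security\Database\*.chk'
        '%windir%\Security\Database\*.jrs'
        '%allusersprofile%\NTUser.pol'
        '%systemroot%\System32\GroupPolicy\Registry.pol'
    )
    foreach ($r in $raw) { [Environment]::ExpandEnvironmentVariables($r) }
}

function Test-ExclusionScope {
    # Reports exclusions that are broader than the file-level entries above.
    # A bare folder exclusion hides everything later dropped into that folder,
    # and an entry with no folder at all (e.g. '*.log') applies to every volume.
    param([string[]]$Existing, [string[]]$Recommended)

    $recommendedDirs = $Recommended | ForEach-Object { Split-Path $_ -Parent } | Sort-Object -Unique
    foreach ($entry in $Existing) {
        if (-not $entry) { continue }
        $e = $entry.TrimEnd('\')
        if ($e -notmatch '[\\:]') {
            [pscustomobject]@{ Exclusion = $entry; Finding = 'global pattern: matches on every drive and folder' }
            continue
        }
        foreach ($dir in $recommendedDirs) {
            # Case-insensitive: the entry is the recommended folder itself or one of its ancestors.
            if ($dir -eq $e -or $dir.StartsWith("$e\", [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{ Exclusion = $entry; Finding = "folder-wide exclusion covers $dir; the post lists specific files only" }
                break
            }
        }
    }
}

$recommended = Get-RecommendedWindowsExclusions
$current     = @((Get-MpPreference).ExclusionPath)      # empty when nothing is excluded yet

$missing = @($recommended | Where-Object { $current -notcontains $_ })
if ($missing.Count -gt 0) {
    Add-MpPreference -ExclusionPath $missing
}

# Re-read and audit the complete set, not only what this script added.
$findings = @(Test-ExclusionScope -Existing @((Get-MpPreference).ExclusionPath) -Recommended $recommended)
if ($findings.Count -eq 0) { 'No over-broad exclusions found.' } else { $findings | Format-Table -AutoSize }
```

Run it once after deployment and again whenever a product update or another administrator touches the exclusion list; the audit is the part worth keeping, because exclusions tend to grow over time and rarely shrink.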

Virus scanning recommendations for Domain controllers

Posted by on Thursday, 8 April, 2010

This article contains recommendations that may help you determine the cause of potential instability on a computer that is running a supported version of Microsoft Windows when it is used with antivirus software in an Active Directory domain environment or in a managed business environment.

1. Turn off scanning of Active Directory and Active Directory-related files

  • Exclude the Main NTDS database files. The location of these files is specified in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File

The default location is %windir%\Ntds. Specifically, exclude the following files:

  • Ntds.dit
  • Ntds.pat

  • Exclude the Active Directory transaction log files. The location of these files is specified in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path

The default location is %windir%\Ntds. Specifically, exclude the following files:

  • EDB*.log
  • Res*.log
  • Res*.jrs
  • Ntds.pat

Note Windows Server 2003 no longer uses the Ntds.pat file.

  • Exclude the files in the NTDS Working folder that is specified in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory

Specifically, exclude the following files:

  • Temp.edb
  • Edb.chk

2. Turn off scanning of SYSVOL files

  • Turn off scanning of files in the File Replication Service (FRS) Working folder that is specified in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory

The default location is %windir%\Ntfrs. Exclude the following files that exist in the folder:

  • edb.chk
  • Ntfrs.jdb
  • *.log

  • Turn off scanning of files in the FRS Database Log files that are specified in the following registry key:

HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory

The default location is %windir%\Ntfrs. Exclude the following files:

  • Edb*.log (if the registry key is not set).
  • FRS Working Dir\Jet\Log\Edb*.jrs (Windows Server 2008 and Windows Server 2008 R2).
  • Edb*.jrs (Windows Server 2008 and Windows Server 2008 R2).

Note The specific file exclusions are documented here for completeness. By default, these folders allow access only to System and Administrators. Verify that the correct protections are in place; these folders contain only component working files for FRS and DFSR.

  • Turn off scanning of the Staging file as specified in the following registry key.

HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage

By default, staging uses the following location:

%systemroot%\Sysvol\Staging areas

Exclude the following files:

  • Ntfrs_cmp*.*

  • Turn off scanning of files in the Sysvol\Sysvol folder. The current location of the Sysvol\Sysvol folder and all its subfolders is the file system reparse target of the replica set root. The Sysvol\Sysvol folder uses the following location:

%systemroot%\Sysvol\Sysvol

Exclude the following files from this folder and all its subfolders:

  • *.adm
  • *.admx
  • *.adml
  • Registry.pol
  • *.aas
  • *.inf
  • Fdeploy.inf
  • Scripts.ini
  • *.ins
  • Oscfilter.ini

  • Turn off scanning of files in the FRS Preinstall folder that is in the following location:

Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory

The Preinstall folder is always open when FRS is running.

Exclude the following files from this folder and all its subfolders:

  • Ntfrs*.*

  • Turn off scanning of files in the DFSR database and working folders. The location is specified by the following registry key:

HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File=Path

In this registry key, “Path” is the path of an XML file that states the name of the Replication Group. In this example, the path would contain “Domain System Volume.”

The default location is the following hidden folder:

%systemdrive%\System Volume Information\DFSR

Exclude the following files from this folder and all its subfolders:

  • $db_normal$
  • FileIDTable_2
  • SimilarityTable_2
  • *.xml
  • $db_dirty$
  • Dfsr.db
  • Fsr.chk
  • *.frx
  • *.log
  • Fsr*.jrs
  • Tmp.edb

If any one of these folders or files is moved or is put in a different location, scan or exclude the equivalent element.

3. Turn off scanning of DFS files

The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS or DFSR is used to replicate shares that are mapped to the DFS root and link targets on Windows Server 2008 R2-based, Windows Server 2008-based, Windows Server 2003-based, or Windows 2000-based member computers or domain controllers.

4. Turn off scanning of DHCP files

By default, DHCP files that should be excluded are present in the following folder on the server:

%systemroot%\System32\DHCP

Exclude the following files from this folder and all its subfolders:

  • *.mdb
  • *.pat
  • *.log
  • *.chk
  • *.edb

The location of DHCP files can be changed. To determine the current location of the DHCP files on the server, check the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters that are specified in the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters

For Windows Server 2008, Windows Server 2003, and Windows 2000 domain controllers

5. Turn off scanning of DNS files

By default, DNS uses the following folder:

%systemroot%\System32\Dns

Exclude the following files from this folder and all its subfolders:

  • *.log
  • *.dns
  • BOOT

6. Turn off scanning of WINS files

By default, WINS uses the following folder:

%systemroot%\System32\Wins

Exclude the following files from this folder and all its subfolders:

  • *.chk
  • *.log
  • *.mdb

Source: Microsoft KB article 822158, http://support.microsoft.com/kb/822158

Virus scanning recommendations for Exchange 2010

Posted by on Wednesday, 7 April, 2010

Recommendations for Using File-Level Scanning with Exchange 2010

If you’re deploying file-level scanners on Exchange 2010 servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both memory-resident and file-level scanning. This section describes directory exclusions, process exclusions, and file name extension exclusions for each server or server role.

Directory Exclusions

You must exclude specific directories for each Exchange server or server role on which you run a file-level antivirus scanner. This section describes the directories that you should exclude from file-level scanning for each server or server role.

Mailbox server role

  • Exchange databases, checkpoint files, and log files. By default, these are located in sub-folders under the %ExchangeInstallPath%\Mailbox folder. You can obtain the directory location by running the following commands in the Exchange Management Shell:
    • To determine the location of a mailbox database, transaction log, and checkpoint file, run the following command: Get-MailboxDatabase -Server <servername> | Format-List *path*
  • Database content indexes. By default, these are located in the same folder as the database file.
  • Group Metrics files. By default, these files are located in the %ExchangeInstallPath%\GroupMetrics folder.
  • General log files, such as message tracking and calendar repair log files. By default, these files are located in subfolders under the %ExchangeInstallPath%\TransportRoles\Logs folder and %ExchangeInstallPath%\Logging folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-MailboxServer <servername> | format-list *path*
  • The Offline Address Book files. By default, these are located in subfolders under the %ExchangeInstallPath%\ExchangeOAB folder.
  • IIS system files in the %SystemRoot%\System32\Inetsrv folder
  • The temporary folder that is used with offline maintenance utilities, such as Eseutil.exe. By default, this folder is the location where the .exe file is run from. However, you can configure where you perform the operation when you run the utility.
  • The Mailbox database temporary folder: %ExchangeInstallPath%\Mailbox\MDBTEMP
  • Any Exchange-aware antivirus program folders

Mailbox server that is a member of a Database Availability Group

All the items listed in the Mailbox server role list, and the following:

  • The quorum disk and the %Winnt%\Cluster folder

Witness server

  • The witness directory files. These are located on another server in the environment, typically a Hub Transport server. By default, these files are located in %SystemDrive%\DAGFileShareWitnesses\<DAGFQDN> on that server, shared as <DAGFQDN>. For more information about a database availability group (DAG) and witness servers, see Managing Database Availability Groups.

Hub Transport server role

  • General log files, for example, message tracking and connectivity logs. By default, these files are located in subfolders under the %ExchangeInstallPath%\TransportRoles\Logs folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | Format-List *logpath*,*tracingpath*
  • Pickup and Replay message directory folders. By default, these folders are located under the %ExchangeInstallPath%\TransportRoles folder. To determine the paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | Format-List *dir*path*
  • The transport server role queue database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\Queue folder. For more information, see Managing Transport Queues.
  • The transport server role Sender Reputation database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\SenderReputation folder.
  • The transport server role IP filter database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\IpFilter folder.
  • The temporary folders that are used to perform conversions:
    • By default, content conversions are performed in the Exchange server’s TMP folder.
    • By default, OLE conversions are performed in %ExchangeInstallPath%\Working\OleConvertor folder.
  • Any Exchange-aware antivirus program folders

Edge Transport server role

  • The Active Directory Lightweight Directory Service database (AD LDS) and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\Adam folder. For more information about AD LDS database files, see Modify AD LDS Configuration.
  • General log files, for example message tracking. By default, these files are located in subfolders under the %ExchangeInstallPath%\TransportRoles\Logs folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | Format-List *logpath*,*tracingpath*
  • The Pickup and Replay message folders. By default, these are located under the %ExchangeInstallPath%\TransportRoles folder. To determine the paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | Format-List *dir*path*
  • The transport server role queue database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\Queue folder. For more information about transport server queues, see Managing Transport Queues.
  • The transport server role Sender Reputation database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\SenderReputation folder.
  • The transport server role IP filter database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\IpFilter folder.
  • The temporary folders that are used to perform conversions:
    • By default, content conversions are performed in the server’s TMP folder.
    • By default, OLE conversions are performed in %ExchangeInstallPath%\Working\OleConvertor folder.
  • Any Exchange-aware antivirus program folders

Client Access server role

  • For servers using Internet Information Services (IIS) 7.0, the compression folder that is used with Microsoft Outlook Web App. By default, the compression folder for IIS 7.0 is located at %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files.
  • For servers using IIS 6.0, the compression folder that is used with Microsoft Outlook Web App. By default, the compression folder for IIS 6.0 is located at %systemroot%\IIS Temporary Compressed Files.
  • Note: For more information about possible errors resulting from scanning the IIS compression folder, see Microsoft Knowledge Base article 817442, "A 0-byte file may be returned when compression is enabled on a server that is running IIS."
  • IIS system files in the %SystemRoot%\System32\Inetsrv folder
  • Inetpub\logs\logfiles\w3svc
  • The Internet-related files that are stored in the sub-folders of the %ExchangeInstallPath%\ClientAccess folder
  • For servers that have protocol logging enabled for POP3 or IMAP4, the following folders:
    • POP3 folder: %ExchangeInstallPath%\Logging\POP3
    • IMAP4 folder: %ExchangeInstallPath%\Logging\IMAP4
  • The temporary folders that are used to perform conversions:
    • By default, content conversions are performed in the server’s TMP folder.
    • By default, OLE conversions are performed in %ExchangeInstallPath%\Working\OleConvertor folder.

Unified Messaging server role

  • The grammar files for different locales, for example en-EN or es-ES. By default, these are stored in the subfolders in the %ExchangeInstallPath%\UnifiedMessaging\grammars folder.
  • The voice prompts, greetings and informational message files. By default, these are stored in the subfolders in the %ExchangeInstallPath%\UnifiedMessaging\Prompts folder
  • The voicemail files that are temporarily stored in the %ExchangeInstallPath%\UnifiedMessaging\voicemail folder.
  • The temporary files generated by Unified Messaging. By default, these are stored in the %ExchangeInstallPath%\UnifiedMessaging\temp folder.

Microsoft Forefront Protection for Exchange

  • The Forefront installation folder. By default, this is %Program Files%\Microsoft Forefront Security\Exchange Server.
  • Any archived messages. By default, these are stored in the %Program Files%\Microsoft Forefront Security\Exchange Server\Data\Archive folder.
  • Any quarantined files. By default, these are stored in the %Program Files%\Microsoft Forefront Security\Exchange Server\Data\Quarantine folder.
  • The antivirus engine files. By default, these are stored in the subfolders of %Program Files%\Microsoft Forefront Security\Exchange Server\Data\Engines\x86 folder.
  • The configuration files. By default, these are stored in the %Program Files%\Microsoft Forefront Security\Exchange Server\Data folder.
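Most of the directory entries above are defaults that the article itself tells you to verify with Get-MailboxDatabase, Get-MailboxServer and Get-TransportServer. As an added example (not code from the TechNet article), the following function, run in the Exchange Management Shell on the Exchange 2010 server being configured, collects every path-valued property from those cmdlets, adds the fixed folders for the roles actually installed on that server, and returns one de-duplicated directory list. It is PowerShell 2.0 compatible. The function names are this example's own; two paths are assumptions: the IIS log parent folder inetpub\logs\LogFiles (the article names the W3SVC subfolder) and %SystemRoot%\Temp as the TMP folder of the LocalSystem account the Exchange services run under (the article says "the server's TMP folder").

```powershell
# Added example, not code from the TechNet article. Run in the Exchange
# Management Shell on the target server. Assumptions: IIS logs under
# inetpub\logs\LogFiles, and %SystemRoot%\Temp as the services' TMP folder.

function Get-ExchangeDirectoryExclusions {
    param([string]$Server = $env:COMPUTERNAME)

    $root = $env:ExchangeInstallPath
    if (-not $root) { throw 'ExchangeInstallPath is not set; run this in the Exchange Management Shell.' }
    $paths = New-Object System.Collections.Generic.List[string]

    function Add-Fixed([string[]]$Relative) {
        foreach ($r in $Relative) { $paths.Add((Join-Path $root $r)) }
    }
    function Add-PathProperties($Objects, [string]$NamePattern) {
        # Take every property whose name matches (e.g. *Path*) instead of a
        # hard-coded list, so relocated databases and logs are picked up too.
        foreach ($o in @($Objects)) {
            foreach ($prop in $o.PSObject.Properties) {
                if ($prop.Name -notlike $NamePattern -or -not $prop.Value) { continue }
                $v = [string]$prop.Value
                # EdbFilePath and similar are file paths; exclude their folder (local server only).
                if (Test-Path -LiteralPath $v -PathType Leaf) { $v = Split-Path $v -Parent }
                if ($v -match '^[A-Za-z]:\\') { $paths.Add($v) }
            }
        }
    }

    $roles = [string](Get-ExchangeServer -Identity $Server).ServerRole   # e.g. "Mailbox, HubTransport, ClientAccess"

    if ($roles -match 'Mailbox') {
        Add-PathProperties (Get-MailboxDatabase -Server $Server) '*Path*'    # EdbFilePath, LogFolderPath, ...
        Add-PathProperties (Get-MailboxServer -Identity $Server) '*Path*'    # tracking / calendar repair logs, ...
        Add-Fixed 'Mailbox\MDBTEMP', 'GroupMetrics', 'ExchangeOAB'
        $paths.Add("$env:SystemRoot\System32\Inetsrv")
        if ((Get-MailboxServer -Identity $Server).DatabaseAvailabilityGroup) { $paths.Add("$env:SystemRoot\Cluster") }
    }
    if ($roles -match 'HubTransport|Edge') {
        # *LogPath*, *TracingPath* and the Pickup/Replay *DirectoryPath* properties all match '*Path*'.
        Add-PathProperties (Get-TransportServer -Identity $Server) '*Path*'
        Add-Fixed 'TransportRoles\Data\Queue', 'TransportRoles\Data\SenderReputation', 'TransportRoles\Data\IpFilter', 'Working\OleConvertor'
        $paths.Add("$env:SystemRoot\Temp")        # assumed TMP of the LocalSystem service account
    }
    if ($roles -match 'Edge') { Add-Fixed 'TransportRoles\Data\Adam' }    # AD LDS database and logs
    if ($roles -match 'ClientAccess') {
        Add-Fixed 'ClientAccess', 'Logging\POP3', 'Logging\IMAP4', 'Working\OleConvertor'
        $paths.Add("$env:SystemRoot\System32\Inetsrv")
        $paths.Add("$env:SystemDrive\inetpub\temp\IIS Temporary Compressed Files")   # IIS 7.0 default
        $paths.Add("$env:SystemDrive\inetpub\logs\LogFiles")                        # assumed parent of W3SVC*
    }
    if ($roles -match 'UnifiedMessaging') {
        Add-Fixed 'UnifiedMessaging\grammars', 'UnifiedMessaging\Prompts', 'UnifiedMessaging\voicemail', 'UnifiedMessaging\temp'
    }

    $paths | Sort-Object -Unique
}

Get-ExchangeDirectoryExclusions
```

Read the output before applying it: a server-level property that points at a parent folder would exclude more than the article intends, and a folder exclusion is inherited by everything created beneath it later.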

Process Exclusions

Many file-level scanners now support the scanning of processes, which can adversely affect Microsoft Exchange if the incorrect processes are scanned. Therefore, you should exclude the following processes from file-level scanners.

  • Cdb.exe
  • Cidaemon.exe
  • Cluster.exe
  • Dsamain.exe
  • EdgeCredentialSvc.exe
  • EdgeTransport.exe
  • ExFBA.exe
  • GalGrammarGenerator.exe
  • Inetinfo.exe
  • Mad.exe
  • Microsoft.Exchange.AddressBook.Service.exe
  • Microsoft.Exchange.AntispamUpdateSvc.exe
  • Microsoft.Exchange.ContentFilter.Wrapper.exe
  • Microsoft.Exchange.EdgeSyncSvc.exe
  • Microsoft.Exchange.Imap4.exe
  • Microsoft.Exchange.Imap4service.exe
  • Microsoft.Exchange.Infoworker.Assistants.exe
  • Microsoft.Exchange.Monitoring.exe
  • Microsoft.Exchange.Pop3.exe
  • Microsoft.Exchange.Pop3service.exe
  • Microsoft.Exchange.ProtectedServiceHost.exe
  • Microsoft.Exchange.RPCClientAccess.Service.exe
  • Microsoft.Exchange.Search.Exsearch.exe
  • Microsoft.Exchange.Servicehost.exe
  • MSExchangeASTopologyService.exe
  • MSExchangeFDS.exe
  • MSExchangeMailboxAssistants.exe
  • MSExchangeMailboxReplication.exe
  • MSExchangeMailSubmission.exe
  • MSExchangeRepl.exe
  • MSExchangeTransport.exe
  • MSExchangeTransportLogSearch.exe
  • MSExchangeThrottling.exe
  • Msftefd.exe
  • Msftesql.exe
  • OleConverter.exe
  • Powershell.exe
  • SESWorker.exe
  • SpeechService.exe
  • Store.exe
  • TranscodingService.exe
  • UmService.exe
  • UmWorkerProcess.exe
  • W3wp.exe

If you’re also deploying Forefront Protection for Exchange Server, exclude the following processes.

  • Adonavsvc.exe
  • FscController.exe
  • FscDiag.exe
  • FscExec.exe
  • FscImc.exe
  • FscManualScanner.exe
  • FscMonitor.exe
  • FscRealtimeScanner.exe
  • FscStarter.exe
  • FscStatsServ.exe
  • FscTransportScanner.exe
  • FscUtility.exe
  • FsEmailPickup.exe
  • FssaClient.exe
  • GetEngineFiles.exe
  • PerfmonitorSetup.exe
  • ScanEngineTest.exe
  • SemSetup.exe

File Name Extension Exclusions

In addition to excluding specific directories and processes, you should exclude the following Exchange-specific file name extensions in case directory exclusions fail or files are moved from their default locations.

Application-related extensions

  • .config
  • .dia
  • .wsb

Database-related extensions

  • .chk
  • .log
  • .edb
  • .jrs
  • .que

Offline address book-related extensions:

  • .lzx

Content Index-related extensions

  • .ci
  • .dir
  • .wid
  • .000
  • .001
  • .002

Unified Messaging-related extensions

  • .cfg
  • .grxml

GroupMetrics

  • .dsc
  • .bin
  • .xml

Forefront Protection for Exchange Server–related extensions

  • .avc
  • .cab
  • .cfg
  • .config
  • .da1
  • .dat
  • .def
  • .dt
  • .fdb
  • .fdm
  • .ide
  • .key
  • .klb
  • .kli
  • .lst
  • .mdb
  • .ppl
  • .set
  • .v3d
  • .vdb
  • .vdm

The file name extensions listed for Forefront Protection for Exchange Server are the signature files from various antivirus directory engines. In most cases, these file name extensions don’t change, but file name extensions may be added in the future as third-party antivirus vendors update their antivirus signature files.
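The process list above names bare executables, and the extension list is deliberately a fallback. A caveat a practitioner will want: most file-level scanners match a process exclusion on the image name alone and then skip every file that process opens, so a bare Powershell.exe or W3wp.exe entry blinds the scanner to anything run by (or merely named like) those binaries anywhere on the server. As an added example (not code from the TechNet article), the following PowerShell 2.0 compatible script, run in the Exchange Management Shell, resolves each listed process to its full path on this server, searching the Exchange install folder recursively and the Windows folders that hold the non-Exchange binaries (IIS, PowerShell, AD LDS, cluster, indexing) at their top level, and reports the names it cannot find instead of excluding them blindly. The function name and the choice of Windows search folders are this example's own; the Forefront process list is left out unless that product is installed.

```powershell
# Added example, not code from the TechNet article. Resolves the Exchange 2010
# process exclusion list to full paths and prepares the extension list.
# Function name and the Windows search folders are this example's own choices.

$processText = @'
Cdb.exe Cidaemon.exe Cluster.exe Dsamain.exe EdgeCredentialSvc.exe EdgeTransport.exe ExFBA.exe
GalGrammarGenerator.exe Inetinfo.exe Mad.exe Microsoft.Exchange.AddressBook.Service.exe
Microsoft.Exchange.AntispamUpdateSvc.exe Microsoft.Exchange.ContentFilter.Wrapper.exe
Microsoft.Exchange.EdgeSyncSvc.exe Microsoft.Exchange.Imap4.exe Microsoft.Exchange.Imap4service.exe
Microsoft.Exchange.Infoworker.Assistants.exe Microsoft.Exchange.Monitoring.exe Microsoft.Exchange.Pop3.exe
Microsoft.Exchange.Pop3service.exe Microsoft.Exchange.ProtectedServiceHost.exe
Microsoft.Exchange.RPCClientAccess.Service.exe Microsoft.Exchange.Search.Exsearch.exe
Microsoft.Exchange.Servicehost.exe MSExchangeASTopologyService.exe MSExchangeFDS.exe
MSExchangeMailboxAssistants.exe MSExchangeMailboxReplication.exe MSExchangeMailSubmission.exe
MSExchangeRepl.exe MSExchangeTransport.exe MSExchangeTransportLogSearch.exe MSExchangeThrottling.exe
Msftefd.exe Msftesql.exe OleConverter.exe Powershell.exe SESWorker.exe SpeechService.exe Store.exe
TranscodingService.exe UmService.exe UmWorkerProcess.exe W3wp.exe
'@
$ExchangeProcesses  = @($processText -split '\s+' | Where-Object { $_ })
$ExchangeExtensions = @('.config .dia .wsb .chk .log .edb .jrs .que .lzx .ci .wid .001 .dir .000 .002 .cfg .grxml .dsc .bin .xml' -split ' ')

function Resolve-ProcessExclusions {
    param(
        [string[]]$Names,
        [string]$ExchangeRoot = $env:ExchangeInstallPath,
        # Windows folders holding the non-Exchange binaries in the list (IIS, PowerShell, AD LDS, cluster, indexing).
        [string[]]$WindowsFolders = @("$env:SystemRoot\System32\inetsrv", "$env:SystemRoot\System32\WindowsPowerShell\v1.0", "$env:SystemRoot\System32")
    )
    foreach ($name in $Names) {
        # Exchange binaries live in subfolders of the install path, so that root is searched
        # recursively; the Windows folders are searched at top level only (System32 is too big to recurse).
        $hits = @()
        if ($ExchangeRoot -and (Test-Path -LiteralPath $ExchangeRoot)) {
            $hits += @(Get-ChildItem -LiteralPath $ExchangeRoot -Filter $name -Recurse -ErrorAction SilentlyContinue)
        }
        foreach ($f in $WindowsFolders) {
            if (Test-Path -LiteralPath $f) { $hits += @(Get-ChildItem -LiteralPath $f -Filter $name -ErrorAction SilentlyContinue) }
        }
        $file = $hits | Where-Object { $_ -and -not $_.PSIsContainer } | Select-Object -First 1
        if ($file) { $path = $file.FullName; $note = 'exclude by full path' }
        else       { $path = $null;          $note = 'not present on this server: omit, or add later with its exact path' }
        New-Object PSObject -Property @{ Process = $name; Path = $path; Note = $note }
    }
}

$resolved = Resolve-ProcessExclusions -Names $ExchangeProcesses
$resolved | Select-Object Process, Path, Note | Format-Table -AutoSize

# Extension exclusions apply server-wide in most products; the article positions
# them as a fallback for when directory exclusions fail, so scope them to the
# Exchange volumes if the scanner allows it.
$ExchangeExtensions -join ', '
```

Feed the Path column, not the Process column, into the scanner; the unresolved rows are the ones to revisit when a role or component is added later.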

Source: TechNet Exchange 2010 Help, http://technet.microsoft.com/en-us/library/bb332342.aspx