
Virus scanning recommendations for Domain controllers

Posted on Thursday, 8 April, 2010

This article collects the recommended antivirus exclusions for a computer running a supported version of Microsoft Windows as a domain controller, or as another managed server in an Active Directory domain, so that on-access scanning can be ruled out as the cause of instability. Every exclusion removes a file from scanning, so scope entries to the exact folders and file names listed below rather than to whole drives or extensions, and confirm that the excluded folders keep their default permissions.

1. Turn off scanning of Active Directory and Active Directory-related files

  • Exclude the Main NTDS database files. The location of these files is specified in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File

The default location is %windir%\Ntds. Specifically, exclude the following files:

  • Ntds.dit
  • Ntds.pat
  • Exclude the Active Directory transaction log files. The location of these files is specified in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path

The default location is %windir%\Ntds. Specifically, exclude the following files:

  • EDB*.log
  • Res*.log
  • Res*.jrs
  • Ntds.pat

Note: Windows Server 2003 and later no longer use the Ntds.pat file; that entry applies to Windows 2000 domain controllers.

  • Exclude the files in the NTDS Working folder that is specified in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory

Specifically, exclude the following files:

  • Temp.edb
  • Edb.chk

2. Turn off scanning of SYSVOL files

  • Turn off scanning of files in the File Replication Service (FRS) Working folder that is specified in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory

The default location is %windir%\Ntfrs. Exclude the following files that exist in the folder:

  • edb.chk
  • Ntfrs.jdb
  • *.log
  • Turn off scanning of the FRS database log files in the folder specified by the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\DB Log File Directory

The default location is %windir%\Ntfrs. Exclude the following files:

  • Edb*.log (in the default folder above when the registry value is not set).
  • FRS Working Dir\Jet\Log\Edb*.jrs (Windows Server 2008 and Windows Server 2008 R2).
  • Edb*.jrs (Windows Server 2008 and Windows Server 2008 R2).

Note: The file-level exclusions are documented here for completeness. By default these folders grant access only to System and Administrators, and they contain only component working files for FRS and DFSR; verify that those protections are still in place before relying on the exclusions.

  • Turn off scanning of the staging folder specified in the following registry key (one subkey per replica set GUID):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage

By default, staging uses the following location:

%systemroot%\Sysvol\Staging areas

Exclude the following files:

  • Ntfrs_cmp*.*
  • Turn off scanning of files in the Sysvol\Sysvol folder. The current location of the Sysvol\Sysvol folder and all its subfolders is the file system reparse target of the replica set root. The Sysvol\Sysvol folder uses the following location:

%systemroot%\Sysvol\Sysvol

Exclude the following files from this folder and all its subfolders:

  • *.adm
  • *.admx
  • *.adml
  • Registry.pol
  • *.aas
  • *.inf
  • Fdeploy.inf
  • Scripts.ini
  • *.ins
  • Oscfilter.ini
  • Turn off scanning of files in the FRS Preinstall folder that is in the following location:

Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory

The Preinstall folder is always open when FRS is running.

Exclude the following files from this folder and all its subfolders:

  • Ntfrs*.*
  • Turn off scanning of files in the DFSR database and working folders. The location is specified by the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File=Path

Here "Path" is the path of an XML file that names the replication group; for the SYSVOL replication group, that path contains "Domain System Volume".

The default location is the following hidden folder:

%systemdrive%\System Volume Information\DFSR

Exclude the following files from this folder and all its subfolders:

  • $db_normal$
  • FileIDTable_2
  • SimilarityTable_2
  • *.xml
  • $db_dirty$
  • Dfsr.db
  • Fsr.chk
  • *.frx
  • *.log
  • Fsr*.jrs
  • Tmp.edb

If any one of these folders or files is moved or is put in a different location, scan or exclude the equivalent element.

3. Turn off scanning of DFS files

The resources excluded for a SYSVOL replica set must also be excluded when FRS or DFSR replicates shares that are mapped to DFS root and link targets, whether on domain controllers or on member computers running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000.

4. Turn off scanning of DHCP files

By default, the DHCP files that should be excluded are in the following folder on the server:

%systemroot%\System32\DHCP

Exclude the following files from this folder and all its subfolders:

  • *.mdb
  • *.pat
  • *.log
  • *.chk
  • *.edb

The location of DHCP files can be changed. To determine the current location of the DHCP files on the server, check the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters that are specified in the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters

5. Turn off scanning of DNS files

On Windows Server 2008, Windows Server 2003, and Windows 2000 domain controllers, DNS uses the following folder by default:

%systemroot%\System32\Dns

Exclude the following files from this folder and all its subfolders:

  • *.log
  • *.dns
  • BOOT

6. Turn off scanning of WINS files

By default, WINS uses the following folder:

%systemroot%\System32\Wins

Exclude the following files from this folder and all its subfolders:

  • *.chk
  • *.log
  • *.mdb

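The sections above all follow the same pattern: read a registry value to find where a component keeps its database, logs or staging files, fall back to a default folder when the value is not set, and exclude a fixed set of file names there. The script below, added here as an example and not part of KB 822158 or the original post, carries that procedure through for sections 1, 2 and 4 to 6 in one pass. It resolves every location from the registry keys named in the article, warns when a component working folder grants access to anyone other than SYSTEM and Administrators (the check the note in section 2 asks for), and prints the resulting exclusion list; with `-Apply` it pushes the list into Microsoft Defender via `Add-MpPreference`. Two assumptions are not stated in the article: the fallback for `DSA Working Directory` is taken to be `%windir%\Ntds`, and the final step targets Defender, so other products need their own equivalent of that one line.

```powershell
# Added example (not from KB 822158 or the original post): resolve the exclusion
# locations from the registry values the article names, fall back to its default
# folders, warn when a component working folder is readable by anyone other than
# SYSTEM and Administrators, and print the exclusion list. With -Apply the list is
# pushed into Microsoft Defender via Add-MpPreference; other products need their
# own final step. Run elevated on the domain controller.
#Requires -RunAsAdministrator
param([switch]$Apply)

$ErrorActionPreference = 'Stop'
$sysroot = $env:SystemRoot
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$frs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$dhcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

$exclusions = @{}                                                  # folder -> file patterns
$working = New-Object System.Collections.Generic.HashSet[string]   # folders that must be SYSTEM/Admins only

# Read a registry value and expand %SystemRoot%-style tokens; $null if the key or value is absent.
function Get-RegPath {
    param([string]$Key, [string]$Name)
    $v = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    [Environment]::ExpandEnvironmentVariables([string]$v.$Name)
}

# Merge file patterns for a folder; optionally mark the folder for the permission check.
function Add-Exclusion {
    param([string]$Folder, [string[]]$Files, [switch]$WorkingFolder)
    if (-not $Folder) { return }
    $Folder = $Folder.TrimEnd('\')
    $exclusions[$Folder] = @(@($exclusions[$Folder]) + $Files | Where-Object { $_ } | Select-Object -Unique)
    if ($WorkingFolder) { [void]$working.Add($Folder) }
}

# 1. Active Directory database, transaction logs and working folder (article section 1).
#    The article gives no default for 'DSA Working Directory'; %windir%\Ntds is assumed here.
$dsaDb  = Get-RegPath $ntds 'DSA Database File'
$dbDir  = if ($dsaDb) { Split-Path $dsaDb -Parent } else { "$sysroot\Ntds" }
$logDir = Get-RegPath $ntds 'Database Log Files Path'; if (-not $logDir) { $logDir = "$sysroot\Ntds" }
$wrkDir = Get-RegPath $ntds 'DSA Working Directory';   if (-not $wrkDir) { $wrkDir = "$sysroot\Ntds" }
Add-Exclusion $dbDir  @('Ntds.dit', 'Ntds.pat') -WorkingFolder
Add-Exclusion $logDir @('EDB*.log', 'Res*.log', 'Res*.jrs', 'Ntds.pat') -WorkingFolder
Add-Exclusion $wrkDir @('Temp.edb', 'Edb.chk') -WorkingFolder

# 2. SYSVOL: FRS working/log folders, staging areas, Sysvol\Sysvol, preinstall folders, DFSR (section 2).
$frsWork = Get-RegPath $frs 'Working Directory';     if (-not $frsWork) { $frsWork = "$sysroot\Ntfrs" }
$frsLog  = Get-RegPath $frs 'DB Log File Directory'; if (-not $frsLog)  { $frsLog  = "$sysroot\Ntfrs" }
Add-Exclusion $frsWork @('edb.chk', 'Ntfrs.jdb', '*.log') -WorkingFolder
Add-Exclusion $frsLog  @('Edb*.log') -WorkingFolder
Add-Exclusion "$frsWork\Jet\Log" @('Edb*.jrs') -WorkingFolder          # Windows Server 2008 / 2008 R2
# One 'Replica Set Stage' value per replica set GUID; default staging area if none is set.
$stages = Get-ChildItem "$frs\Replica Sets" -ErrorAction SilentlyContinue |
    ForEach-Object { Get-RegPath $_.PSPath 'Replica Set Stage' } | Where-Object { $_ }
if (-not $stages) { $stages = @("$sysroot\Sysvol\Staging areas") }
foreach ($s in $stages) { Add-Exclusion $s @('Ntfrs_cmp*.*') }
Add-Exclusion "$sysroot\Sysvol\Sysvol" @('*.adm', '*.admx', '*.adml', 'Registry.pol', '*.aas',
                                        '*.inf', 'Fdeploy.inf', 'Scripts.ini', '*.ins', 'Oscfilter.ini')
# Preinstall folders live under each replica root; locate them instead of hard-coding the root.
Get-ChildItem "$sysroot\Sysvol" -Recurse -Directory -Force -Filter 'DO_NOT_REMOVE_NtFrs_PreInstall_Directory' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Exclusion $_.FullName @('Ntfrs*.*') }
Add-Exclusion "$env:SystemDrive\System Volume Information\DFSR" @('$db_normal$', 'FileIDTable_2',
    'SimilarityTable_2', '*.xml', '$db_dirty$', 'Dfsr.db', 'Fsr.chk', '*.frx', '*.log', 'Fsr*.jrs', 'Tmp.edb') -WorkingFolder

# 4-6. DHCP, DNS and WINS, only when the role is present on this host (sections 4 to 6).
if (Test-Path $dhcp) {
    foreach ($name in 'DatabasePath', 'DhcpLogFilePath', 'BackupDatabasePath') {
        $p = Get-RegPath $dhcp $name; if (-not $p) { $p = "$sysroot\System32\DHCP" }
        Add-Exclusion $p @('*.mdb', '*.pat', '*.log', '*.chk', '*.edb')
    }
}
if (Get-Service -Name DNS  -ErrorAction SilentlyContinue) { Add-Exclusion "$sysroot\System32\Dns"  @('*.log', '*.dns', 'BOOT') }
if (Get-Service -Name WINS -ErrorAction SilentlyContinue) { Add-Exclusion "$sysroot\System32\Wins" @('*.chk', '*.log', '*.mdb') }

# Permission check from the article's note: working folders should grant access only to System and Administrators.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
foreach ($folder in $working) {
    if (-not (Test-Path -LiteralPath $folder)) { Write-Warning "$folder does not exist on this host"; continue }
    $acl = Get-Acl -LiteralPath $folder -ErrorAction SilentlyContinue
    if (-not $acl) { Write-Warning "$folder ACL not readable"; continue }
    $extra = @($acl.Access | Where-Object { $_.IdentityReference.Value -notin $allowed } |
        ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)
    if ($extra.Count) { Write-Warning ("{0} also grants access to: {1}" -f $folder, ($extra -join ', ')) }
}

# Emit folder\pattern entries; apply them to Defender only when -Apply was given.
$paths = @($(foreach ($folder in $exclusions.Keys) {
    foreach ($f in $exclusions[$folder]) { Join-Path $folder $f }
}) | Sort-Object -Unique)
$paths
if ($Apply) {
    if (-not (Get-Command Add-MpPreference -ErrorAction SilentlyContinue)) { throw 'Add-MpPreference is not available; adapt this step to your AV product.' }
    Add-MpPreference -ExclusionPath $paths
}
```

Run the script once without `-Apply` and review the printed list against the sections above before running it again with `-Apply`. Two points to check against your product's documentation: how it interprets a `folder\*.ext` entry where the article says "this folder and all its subfolders" (wildcard and recursion semantics differ between products), and whether the `System Volume Information` ACL is readable by the account you run as, since a warning that the DFSR folder's ACL could not be read is expected there and does not indicate a misconfiguration.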
Source: Microsoft KB article 822158, http://support.microsoft.com/kb/822158