View Full Version : Antivirus Exclusions on Servers


YeOldeStonecat
04-19-2012, 05:51 PM
Due to a few posts around the boards here regarding servers and accounting software on them, server performance, issues with servers....I've frequently mentioned having proper antivirus exclusion settings.

So I thought I'd make a post about them. A lot of people just install antivirus on a server...perhaps adjust some scheduled scan settings, update settings..and walk away. :eek:

I'll make a list of specific antivirus exclusions I do. Probably won't be cut 'n paste usable...as one cannot assume drive letters will be the same across the board.

This list is not a "one size fits all" either...there are certainly more directories and file types than I can cover here..but I'm just posting some basics to get started.

ALSO...don't forget, most antivirus clients assume to "Scan all file types"...which puts a heavier load on the system. I change the file extension types to scan from the default "All"....to "Only the file extensions below"..which usually has a list of *.fileextensiontype which may contain viruses. This setting itself greatly reduces much of the load, in addition to excluding certain file types. Don't forget...servers aren't used like a workstation (well...they shouldn't be), no surfing the web, no opening e-mail, etc. So you can afford to lower settings, without increasing risk.

On domain controllers, there are certain directories related to active directory, which should be excluded.

When Exchange is involved...there are directories to be excluded, because hopefully you're using a proper Exchange antivirus engine which hugs the infostore directly.

When SQL is involved, certain directories

Web Servers/IIS

Windows Update directory (WSUS)

And of course, line of business software..and their database engines. Following the guides of the software vendor's support for that product. But even something as simple as Quickbooks on the server....I'll exclude the directory that is shared that houses all the company data files. Or at accounting offices, if you have a WinCSA folder shared for CSA Accounting...I'll exclude that share.

From the workstations...accordingly I disable scanning of network drives that contain those shared apps. These are often the cause of "client lock" files being hung...after someone logs out.

"But...what if a virus gets in those folders?" you ask? The answer is "scheduled scans". After hours, at night. Do a once a week scan or something like that. Servers are quite static..no need for real time protection to constantly be burdening all their folders...they're not being used as a desktop.

I'll follow with some examples of directories/files to exclude on servers.

YeOldeStonecat
04-19-2012, 05:53 PM
Microsoft's own guide
http://support.microsoft.com/kb/822158

Exchange Server
http://support.microsoft.com/kb/823166

And here is a link from Eset (makers of NOD32 antivirus) discussing settings on a server as far as "file extension types"
http://kb.eset.com/esetkb/index?page=content&id=SOLN2144

Here is an example of exclusions for Small Business Server 2003. Much the same holds true for 08 and 11.


C:\Program Files\Exchsrvr\Mtadata\*.*
C:\Program Files\Exchsrvr\<servername>.log\*.*
C:\Program Files\Exchsrvr\Mailroot\*.*
C:\Program Files\Exchsrvr\Mdbdata\*.*
C:\Program Files\Exchsrvr\Conndata\*.*
C:\Program Files\Exchsrvr\srsdata\*.*
C:\WINDOWS\system32\inetsrv\*.*
C:\WINDOWS\IIS Temporary Compressed Files\*.*
C:\WINDOWS\NTDS\*.*
C:\WINDOWS\sysvol\*.*
C:\WINDOWS\ntfrs\*.*
C:\WINDOWS\security\edb*.log
C:\WINDOWS\security\tmp.edb
C:\WINDOWS\Security\Database\secedit.sdb
C:\WINDOWS\system32\CertLog\*.*
C:\WINDOWS\system32\dhcp\*.*
C:\WINDOWS\system32\wins\*.*
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Data\*.*
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Data\*.*
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Data\*.*
F:\MSSQL2000\MSSQL\Data\*.*
C:\WINDOWS\System32\ntmsdata\*.*
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail\*.*
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail\*.*
C:\WINDOWS\SoftwareDistribution\DataStore\*.*
C:\pagefile.sys
C:\WINDOWS\system32\licstr.cpa
C:\WINDOWS\system32\lls\*.*
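An added example (not from the thread above, and not from any vendor): a PowerShell script that takes an exclusion list in the format just posted, swaps in this host's name for `<servername>` and its real drive letters, strips the trailing `\*.*` (exclusion engines want the folder itself), and reports which entries actually exist before anything is excluded. It assumes the list is saved as exclusions.txt and uses Windows Defender's Add-MpPreference only when -Apply is given; other products have their own console or CLI for the same step.

```powershell
# Added example: validate a posted AV exclusion list against this server before applying it.
# Assumptions: list saved as exclusions.txt; Defender's Add-MpPreference used only with -Apply.
param(
    [string]$ListPath      = '.\exclusions.txt',
    [string]$ExchangeDrive = 'C',   # drive holding Program Files\Exchsrvr on this server
    [string]$SqlDataDrive  = 'F',   # drive holding the MSSQL2000 data directory
    [switch]$Apply
)

$serverName = $env:COMPUTERNAME
$existing   = @()
$missing    = @()

foreach ($raw in Get-Content -Path $ListPath) {
    $line = $raw.Trim()
    if (-not $line) { continue }

    # <servername>.log is the Exchange message tracking log folder; use this host's name
    $line = $line -replace '<servername>', $serverName

    # Map the drive letters from the posted list onto this server's layout
    $line = $line -replace '^C:\\Program Files\\Exchsrvr', ($ExchangeDrive + ':\Program Files\Exchsrvr')
    $line = $line -replace '^F:\\MSSQL2000', ($SqlDataDrive + ':\MSSQL2000')

    # A trailing "\*.*" means "the whole folder"; exclude the folder, not a wildcard under it
    $target = $line -replace '\\\*\.\*$', ''

    # Test-Path accepts both plain paths and file patterns such as edb*.log
    if (Test-Path -Path $target) { $existing += $target } else { $missing += $target }
}

"Present on this host ({0}):" -f $existing.Count
$existing | ForEach-Object { "  $_" }
"Not found, review before excluding ({0}):" -f $missing.Count
$missing  | ForEach-Object { "  $_" }

if ($Apply -and $existing.Count -gt 0) {
    # Only exclude paths that exist; a stale exclusion is an unmonitored spot waiting for a writer
    Add-MpPreference -ExclusionPath $existing
    Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
}
```

Run it without -Apply first and compare the "Not found" list against the roles actually installed; an entry that is missing because the role is absent (no WINS, no SharePoint instance) should be dropped rather than excluded on faith.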

FoolishTech
04-19-2012, 05:57 PM
Great info. I knew about excluding the Exchange store folders, didn't realize a few of the others mentioned.

trendless
04-19-2012, 06:31 PM
Awesome, thanks! Covered another question I had regarding whether to exclude from realtime or scheduled or both.

cyabro
04-19-2012, 07:54 PM
The latest version of nod32 is great as it automatically detects what server version it is running on and fills in all the required exclusions for you. :)

YeOldeStonecat
04-19-2012, 10:09 PM
The latest version of nod32 is great as it automatically detects what server version it is running on and fills in all the required exclusions for you. :)

It tries. Been an Eset partner for a long time (since v 2.5). It's getting there...but I still like manually adding more.

FoolishTech
06-30-2012, 03:33 PM
Just thought I'd update this thread after running across this MS page this morning.......

Windows Anti-Virus Exclusion List (en-US) (http://social.technet.microsoft.com/wiki/contents/articles/953.windows-anti-virus-exclusion-list-en-us.aspx)

YeOldeStonecat
07-02-2012, 01:55 PM
Just thought I'd update this thread after running across this MS page this morning.......

Windows Anti-Virus Exclusion List (en-US) (http://social.technet.microsoft.com/wiki/contents/articles/953.windows-anti-virus-exclusion-list-en-us.aspx)

Cool centralized link....Thanks FT.