PaulDotCom mailing list archives
AV exclusions and Read vs Write scans
From: a.qarta at gmail.com (Aa'ed Alqarta)
Date: Thu, 21 Jan 2010 09:48:46 +0300
Installing antivirus software on Microsoft servers needs some attention. Therefore, it has always been a long argument how to install and configure different antivirus software on different Microsoft Server platforms. Some IT consultants do not even recommend installing antivirus software on critical servers. Of course vendor documentation is very important and must be analyzed before installing any antivirus product on servers. But Microsoft has its own recommendations and best practices to take into consideration. Therefore it is better to take a closer look at the Microsoft articles below.

First of all I would like to start with the most important part of the Microsoft infrastructure: domain controllers.

1. If your server holds the domain controller role and there are DNS and DHCP services, then we have to review the Microsoft KB article http://support.microsoft.com/kb/822158 and exclude:
   a.) %systemroot%\Sysvol folder (including all sub-folders and files)
   b.) %systemroot%\system32\dhcp folder (including all sub-folders and files)
   c.) %systemroot%\system32\dns folder (including all sub-folders and files)
   d.) %systemroot%\ntds

2. If the File Replication (NTFR) service is running on your system, make sure your anti-virus software is compatible:
   KB815263 - Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service
   http://support.microsoft.com/kb/815263
   And exclude:
   a.) %systemroot%\ntfrs folder (including all sub-folders and files)
   b.) Files that have the .log and .dit extensions

3. If you have IIS installed, exclude:
   a.) The IIS compression directory (the default compression directory is %systemroot%\IIS Temporary Compressed Files)
   b.) %systemroot%\system32\inetsrv folder
   c.) Files that have the .log extension
   Refer to the following knowledge base articles for reference:
   KB817442 - IIS 6.0: Antivirus Scanning of IIS Compression Directory May Result in 0-Byte File
   http://support.microsoft.com/kb/817442
   KB821749 - Antivirus software may cause IIS to stop unexpectedly
   http://support.microsoft.com/kb/821749

4. If you have SQL installed, you may want to exclude the SQL folder and database files (or database file types) from scanning for performance reasons:
   KB309422 - Guidelines for choosing antivirus software to run on the computers that are running SQL Server
   http://support.microsoft.com/kb/309422

5. If you have Exchange installed, perform the relevant file-based scanning exclusions listed in the Knowledge Base articles:
   KB328841 - Exchange and antivirus software
   http://support.microsoft.com/kb/328841
   KB823166 - Overview of Exchange Server 2003 and antivirus software
   http://support.microsoft.com/kb/823166
   KB245822 - Recommendations for troubleshooting an Exchange Server computer with antivirus software installed
   http://support.microsoft.com/kb/245822

6. If you have Cluster services, make sure your anti-virus software is compatible:
   KB250355 - Antivirus Software May Cause Problems with Cluster Services
   http://support.microsoft.com/kb/250355
   NOTE: If you have a SQL cluster, make sure that you exclude these locations from virus scanning:
   a.) Q:\ (Quorum drive)
   b.) %systemroot%\Cluster
   c.) SQL Server data files that have the .mdf extension, the .ldf extension, and the .ndf extension

7. If you have SharePoint installed, you should exclude:
   a.) Drive:\Program Files\SharePoint Portal Server
   b.) Drive:\Program Files\Common Files\Microsoft Shared\Web Storage System
   c.) Drive:\MSDEDatabases (particularly on SBS)
   (where Drive: is the drive letter where you installed SharePoint Portal Server)
   Refer to the following knowledge base articles for reference:
   KB320111 - Random Errors May Occur When Antivirus Software Scans Microsoft Web Storage System
   http://support.microsoft.com/kb/320111
   KB322941 - Microsoft's Position on Antivirus Solutions for Microsoft SharePoint Portal Server
   http://support.microsoft.com/kb/322941

8. If you have a Systems Management Server (SMS), you should exclude the folders:
   a.) SMS\Inboxes
   b.) SMS_CCM\ServiceData
   Refer to the following knowledge base article for reference:
   KB327453 - Antivirus programs may contribute to file backlogs in SMS 2.0 and in SMS 2003
   http://support.microsoft.com/kb/327453
   NOTE: If you exclude the SMS\Inboxes directory from virus scanning or remove the antivirus software, you may make the site server and all clients vulnerable to potential virus risks. The client base component files reside in the SMS\Inboxes directory.

9. If you have a MOM (Microsoft Operations Manager) server, you should consider excluding:
   a.) Drive:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Operations Manager
   b.) Drive:\Program Files\Microsoft Operations Manager 2005
   (where Drive: is the drive letter where profiles are located)

10. If you have an Internet Security and Acceleration (ISA) Server, you should exclude:
   a.) The ISALogs folder. By default, the ISALogs folder is located in the folder where you installed ISA Server. Typically, this location is Drive:\Program Files\Microsoft ISA Server.
   Refer to the following knowledge base article for reference:
   KB887311 - Event ID 5, event ID 14079, and event ID 14176 are logged in the Application log on your Internet Security and Acceleration Server 2000 computer
   http://support.microsoft.com/kb/887311

11. If you have a Windows Software Update Services (WSUS) server role, you should consider excluding:
   a.) Drive:\MSSQL$WSUS
   b.) Drive:\WSUS
   (where Drive: is the drive letter where you installed Windows Software Update Services)
   Also refer to the following knowledge base article for reference:
   KB900638 - Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file is copied
   http://support.microsoft.com/kb/900638

On Thu, Jan 21, 2010 at 1:35 AM, Francois Lachance <digitallachance at gmail.com> wrote:
I am curious to poll the collective intelligence of the pauldotcom.com list members on the subject of anti-virus on servers. Our data centre has been outsourced and the administrators are proposing to change the settings on our anti-virus to only do scans on write I/O (no scanning on any read I/O).

There are well known folders and file types that Microsoft recommends to exclude from anti-virus scanning (http://support.microsoft.com/kb/822158 or http://support.microsoft.com/kb/823166 for Exchange 2003). The administrators were suggesting to exclude the C:\TEMP\ folder from any scans, which I objected to. That's too obvious of a location to exclude from scrutiny.

So my question to you all is: do you have a best practice that you follow when dealing with anti-virus on your servers? Any thoughts?

Thanks,
Francois

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
--
Best Regards,
http://extremesecurity.blogspot.com
http://www.linkedin.com/in/aalqarta
http://www.experts-exchange.com/M_3011930.html
http://www.liveperson.com/extremesecurity-labs
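A worked example, added here by the editor and not part of either post above: a PowerShell script that builds the exclusion list from the KB articles Aa'ed cites only for the roles actually present on the box, flags entries of the kind Francois objected to (drive roots, temp directories, executable extensions), audits what is already configured, and applies nothing unless asked. It assumes the Microsoft Defender Antivirus cmdlets (Get-MpPreference, Add-MpPreference) are available, which is true on current Windows Server but not on the 2003-era products discussed in the thread; with a third-party engine, feed the same list to its own console. Reading the real NTDS database location from the registry instead of assuming %systemroot%\ntds is an addition of the example, not something the KB asks for. Service names used for role detection are the standard ones (NTDS, DNS, DHCPServer, NtFrs, W3SVC, MSSQLSERVER, ClusSvc).

```powershell
# Added example (not from the original posts): role-aware AV exclusion builder and audit.
# Assumes the Defender module (Get-MpPreference / Add-MpPreference) and standard service
# names. Run from an elevated prompt. Nothing is changed unless -Apply is passed.
[CmdletBinding()]
param([switch]$Apply)

$SystemRoot = $env:SystemRoot

function Test-RoleInstalled([string]$ServiceName) {
    # A role counts as present when its service is registered, running or not.
    return [bool](Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)
}

function Get-NtdsDatabaseDirectory {
    # Assumption of this example: exclude where the AD database actually lives,
    # falling back to the KB822158 default of %systemroot%\ntds.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $db  = (Get-ItemProperty -Path $key -Name 'DSA Database file' -ErrorAction SilentlyContinue).'DSA Database file'
    if ($db) { return (Split-Path -Path $db -Parent) }
    return (Join-Path $SystemRoot 'ntds')
}

function Get-RecommendedExclusions {
    $paths = New-Object System.Collections.Generic.List[string]
    $exts  = New-Object System.Collections.Generic.List[string]

    if (Test-RoleInstalled 'NTDS') {                        # domain controller, KB822158
        $paths.Add((Join-Path $SystemRoot 'Sysvol'))
        $paths.Add((Get-NtdsDatabaseDirectory))
    }
    if (Test-RoleInstalled 'DNS')        { $paths.Add((Join-Path $SystemRoot 'system32\dns')) }
    if (Test-RoleInstalled 'DHCPServer') { $paths.Add((Join-Path $SystemRoot 'system32\dhcp')) }
    if (Test-RoleInstalled 'NtFrs') {                       # File Replication Service, KB815263
        $paths.Add((Join-Path $SystemRoot 'ntfrs'))
        $exts.Add('.dit'); $exts.Add('.log')
    }
    if (Test-RoleInstalled 'W3SVC') {                       # IIS, KB817442 / KB821749
        $paths.Add((Join-Path $SystemRoot 'IIS Temporary Compressed Files'))
        $paths.Add((Join-Path $SystemRoot 'system32\inetsrv'))
    }
    if (Test-RoleInstalled 'MSSQLSERVER') {                 # SQL Server default instance, KB309422
        $exts.Add('.mdf'); $exts.Add('.ldf'); $exts.Add('.ndf')
    }
    if (Test-RoleInstalled 'ClusSvc') {                     # cluster service, KB250355
        $paths.Add((Join-Path $SystemRoot 'Cluster'))
    }
    return [pscustomobject]@{
        Paths      = @($paths | Select-Object -Unique)
        Extensions = @($exts  | Select-Object -Unique)
    }
}

function Test-DangerousExclusion([string]$Exclusion) {
    # Flags what the thread argues against: broad, user-writable or executable-type
    # exclusions that give an attacker an unscanned place to drop a payload.
    $broad   = @('^[A-Za-z]:\\?$', '\\temp\\?$', '\\tmp\\?$', '\\users\\?$', '\\programdata\\?$', '\\windows\\?$')
    $execExt = @('.exe', '.dll', '.ps1', '.vbs', '.js', '.bat', '.cmd', '.scr', '.com')
    foreach ($re in $broad) { if ($Exclusion -imatch $re) { return $true } }
    return ($execExt -contains $Exclusion.ToLower())
}

$rec = Get-RecommendedExclusions
$all = @($rec.Paths) + @($rec.Extensions) | Where-Object { $_ }
foreach ($e in $all) {
    $flag = if (Test-DangerousExclusion $e) { 'REVIEW' } else { 'ok' }
    '{0,-6} {1}' -f $flag, $e
}

# Audit what is already configured; inherited exclusions are the usual problem.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $cur = Get-MpPreference
    foreach ($e in (@($cur.ExclusionPath) + @($cur.ExclusionExtension) | Where-Object { $_ })) {
        if (Test-DangerousExclusion $e) { Write-Warning "Existing exclusion looks too broad: $e" }
    }
}

if ($Apply) {
    if ($rec.Paths)      { Add-MpPreference -ExclusionPath $rec.Paths }
    if ($rec.Extensions) { Add-MpPreference -ExclusionExtension ($rec.Extensions -replace '^\.', '') }
}
```

Run it once without -Apply and read the REVIEW lines: a .log extension exclusion, for example, applies everywhere on the disk, not only under the FRS or IIS directories the KB had in mind, so it is worth confirming the scope in the product's console before accepting it. The same audit loop is the quickest way to catch a C:\TEMP\ exclusion that an outsourced administrator has already added.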
Current thread:
- AV exclusions and Read vs Write scans Francois Lachance (Jan 20)
- AV exclusions and Read vs Write scans Xander Solis (Jan 20)
- AV exclusions and Read vs Write scans Aa'ed Alqarta (Jan 20)