AV exclusions and Read vs Write scans

[a.qarta at gmail.com (Aa'ed Alqarta)]

For Installing Antivirus Software on Microsoft Servers needs some attention.


Therefore, it has always been a long argument to install and configure
different antivirus software on different Microsoft Server Platforms.

Some IT consultants do not even recommend installing antivirus software on
Critical Servers.

Of course vendor documentation is very important and must be analyzed before
installing any antivirus products to servers.

But Microsoft has its own recommendations and Best Practices to take into
consideration.
Therefore it is better to take a closer look to below Microsoft Articles.

First of all I would like start with the most important part of Microsoft
Infrastructure. (Domain Controllers)

1.      If your Server holds the domain controller role and there are DNS,
DHCP services then we have to review the Microsoft KB article
http://support.microsoft.com/kb/822158
a.) %systemroot%\Sysvol folder (include all the sub-folders and files)
b.) %systemroot%\system32\dhcp folder (include all the sub-folders and
files)
c.) %systemroot%\system32\dns folder (include all the sub-folders and files)
d.) %systemroot%\ntds

2.      If File Replication (NTFR) service is running on your system, make
sure your Anti-Virus software is compatible: KB815263 - Antivirus, backup,
and disk optimization programs that are compatible with the File Replication
Service http://support.microsoft.com/kb/815263 And exclude:
a.) %systemroot%\ntfrs folder (include all the sub-folders and files)
b.) Files that have the .log and .dit extension

3.      If you have IIS installed, exclude:
a.) The IIS compression directory (default compression directory is
%systemroot%\IIS Temporary Compressed Files)
b.) %systemroot%\system32\inetsrv folder
c.) Files that have the .log extension

Refer to the following knowledge base articles for reference:
KB817442 - IIS 6.0: Antivirus Scanning of IIS Compression Directory May
Result in 0-Byte File
http://support.microsoft.com/kb/817442

KB821749 - Antivirus software may cause IIS to stop unexpectedly
http://support.microsoft.com/kb/821749

4.      If you have SQL installed, you may want to exclude the SQL folder
and databases files (or database file types) from scanning for performance
reasons:
KB309422 - Guidelines for choosing antivirus software to run on the
computers that are running SQL Server
http://support.microsoft.com/kb/309422

5.      If you have Exchange installed, perform the relevant file-based
scanning exclusions listed in Knowledge Base articles:

KB328841 - Exchange and antivirus software
http://support.microsoft.com/kb/328841

KB823166 - Overview of Exchange Server 2003 and antivirus software
http://support.microsoft.com/kb/823166

KB245822 - Recommendations for troubleshooting an Exchange Server computer
with antivirus software installed
http://support.microsoft.com/kb/245822

6.      If you have Cluster services, make sure your Anti-Virus software is
compatible:

KB250355 - Antivirus Software May Cause Problems with Cluster Services
http://support.microsoft.com/kb/250355
NOTE: If you have a SQL cluster, make sure that you exclude these locations
from virus scanning:
a.) Q:\ (Quorum drive)
b.) %systemroot%\Cluster
c.) SQL Server data files that have the .mdf extension, the .ldf extension,
and the .ndf extension

7.      If you have Sharepoint installed, you should exclude:
a.) Drive:\Program Files\SharePoint Portal Server
b.) Drive:\Program Files\Common Files\Microsoft Shared\Web Storage System
c.) Drive:\MSDEDatabases (particularly on SBS) (where Drive: is the drive
letter where you installed SharePoint Portal Server)

Refer to the following knowledge base articles for reference:
KB320111 - Random Errors May Occur When Antivirus Software Scans Microsoft
Web Storage System
http://support.microsoft.com/kb/320111

KB322941 - Microsoft's Position on Antivirus Solutions for Microsoft
SharePoint Portal Server
http://support.microsoft.com/kb/322941

8.       If you have a Systems Management Server (SMS), you should exclude
folders:
a.) SMS\Inboxes
b.) SMS_CCM\ServiceData

Refer to the following knowledge base articles for reference:
KB327453 - Antivirus programs may contribute to file backlogs in SMS 2.0 and
in SMS 2003
http://support.microsoft.com/kb/327453

NOTE: If you exclude the SMS\Inboxes directory from virus scanning or remove
the antivirus software, you may make the site server and all clients
vulnerable to potential virus risks. The client base component files reside
in the SMS\Inboxes directory

9.      If you have a MOM (Microsoft Operations Manager) Server, you
consider excluding:
a.) Drive:\Documents and Settings\All Users\Application
Data\Microsoft\Microsoft Operations Manager
b.) Drive:\Program Files\Microsoft Operations Manager 2005 (where Drive: is
the drive letter where profiles are located)

10.       If you have an Internet Security and Acceleration Server (ISA)
Server, you should exclude:
a.) The ISALogs folder. By default, the ISALogs folder is located in the
folder where you installed ISA Server. Typically, this location is
Drive:\Program Files\Microsoft ISA Server.
Refer to the following knowledge base articles for reference:
KB887311 - Event ID 5, event ID 14079, and event ID 14176 are logged in the
Application log on your Internet Security and Acceleration Server 2000
computer
http://support.microsoft.com/kb/887311
11.      If you have a Windows Software Update Services (WSUS) Server role,
you consider excluding:
a.) Drive:\MSSQL$WSUS
b.) Drive:\WSUS
(where Drive: is the drive letter where you installed Windows Software
Update
Services)
Also refer to the following knowledge base articles for reference:
KB900638 - Multiple symptoms occur if an antivirus scan occurs while the
Wsusscan.cab file is copied
http://support.microsoft.com/kb/900638

On Thu, Jan 21, 2010 at 1:35 AM, Francois Lachance <
digitallachance at gmail.com> wrote:

> I am curious to poll the collective intelligence of the pauldotcom.comlist members on the subject of anti-virus on 
> servers.  Our data centre has
> been outsourced and the administrator are proposing to change the settings
> on our anti-virus to only do scans on write I/O only (no scanning on any
> Read I/O).
>
> There are well known folders and file types that Microsoft recommends to
> exclude from anti-virus scanning (http://support.microsoft.com/kb/822158or
> http://support.microsoft.com/kb/823166 for Exchange 2003).  The
> administrator were suggesting to exclude the C:\TEMP\ folder from any scans,
> which I objected to.  That's too obvious of a location to exclude from
> scrutiny.
>
> So my question to you all is do you have a best practice that you follow
> when dealing with anti-virus on your servers?
>
> Any thoughts?
>
> Thanks,
>
> Francois
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 
Best Regards,

http://extremesecurity.blogspot.com

http://www.linkedin.com/in/aalqarta

http://www.experts-exchange.com/M_3011930.html

http://www.liveperson.com/extremesecurity-labs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100121/228e0100/attachment.htm