Windows antivirus exclusions

All Windows operating systems, in my opinion, should run antivirus and anti-malware software, which should be regularly updated to counteract the threat that malicious code can pose. Many corporations in my experience simply install the anti-virus application, then configure the virus signature updates and believe that they are done. There is a small oversight: certain files in Windows need to be excluded for various reasons, such as performance and functionality. There is a slight risk that you may open yourself up to viruses, but the consensus is that the benefit outweighs the risk.

Configure your anti-virus product to exclude the following. (Note: the * indicates multiple files, not all files.)

Windows Update

Turn off scanning of datastore.edb, located in the folder:

%windir%\SoftwareDistribution\Datastore

Turn off scanning of the datastore log files located in the folder:

%windir%\SoftwareDistribution\Datastore\Logs

Res*.log
Res*.jrs
Edb.chk
Tmp.edb

Windows Security Files

Exclude the scanning of the Windows Security files located in the folder:

%windir%\Security\Database

*.edb
*.sdb
*.log
*.chk
*.jrs

Note: These files should be excluded because failure to do so may prevent Windows from having the correct access to these files or, in the worst-case scenario, the security databases can become corrupted. Antivirus scanning of these files can prevent the files from being used or may prevent a security policy from being applied to the file. These files should not be scanned because antivirus software may not recognise them as proprietary database files.

Group Policy

Exclude the scanning of the Group Policy user registry information. These files are located in the following folder:
%allusersprofile%\

Specifically, exclude the following file:
NTUser.pol

Group Policy client settings file. This file is located in the following folder:
%Systemroot%\System32\GroupPolicy\

Specifically, exclude the following file:
Registry.pol

Active Directory

Turn off scanning of Active Directory and Active Directory related files.

Exclude the Main NTDS database files. The location of these files is specified in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File

The default location is %windir%\Ntds

Exclude the following files:

Ntds.dit
Ntds.pat

Exclude the Active Directory transaction log files.

The location of these files is specified in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files path

The default location is %windir%\Ntds

Exclude the following files:

EDB*.log
Res*.log
Res*.jrs
Ntds.pat (Windows Server 2003 no longer uses the Ntds.pat file).

Exclude the files in the NTDS Working folder that is specified in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory

Exclude the following files:

Temp.edb
Edb.chk

Turn off scanning of SYSVOL files

Turn off scanning of files in the File Replication Service (FRS) Working folder that is specified in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory

The default location is %windir%\Ntfrs.

Exclude the following files:

edb.chk
Ntfrs.jdb
*.log

Turn off scanning of files in the FRS Database Log files that are specified in the following registry key:

HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory

The default location is %windir%\Ntfrs.

Exclude the following files:

Edb*.log (if the registry key is not set).
FRS Working Dir\Jet\Log\Edb*.jrs (Windows Server 2008 and Windows Server 2008 R2).
Edb*.jrs (Windows Server 2008 and Windows Server 2008 R2).

Turn off scanning of the Staging file as specified in the following registry key.

HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage

By default, staging uses the following location:

%systemroot%\Sysvol\Staging areas

Exclude the following files:

Ntfrs_cmp*.*

Turn off scanning of files in the Sysvol\Sysvol folder.

The current location of the Sysvol\Sysvol folder and all its subfolders is the file system reparse target of the replica set root.

The Sysvol\Sysvol folder uses the following location:

%systemroot%\Sysvol\Sysvol

Exclude the following files from this folder and all its subfolders:

*.adm
*.admx
*.adml
Registry.pol
*.aas
*.inf
Fdeploy.inf
Scripts.ini
*.ins
Oscfilter.ini

Turn off scanning of files in the FRS Preinstall folder that is in the following location:

Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory

The Preinstall folder is always open when FRS is running.

Exclude the following files from this folder and all its subfolders:

Ntfrs*.*

Turn off scanning of files in the DFSR database and working folders. The location is specified by the following registry key:

HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File=Path >

The default location is the following hidden folder:

%systemdrive%\System Volume Information\DFSR

Exclude the following files from this folder and all its subfolders:

$db_normal$
FileIDTable_2
SimilarityTable_2
*.xml
$db_dirty$
Dfsr.db
Fsr.chk
*.frx
*.log
Fsr*.jrs
Tmp.edb

If any one of these folders or files is moved or is put in a different location, scan or exclude the equivalent element.

DFS

Turn off scanning of DFS files

The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS or DFSR is used to replicate shares that are mapped to the DFS root and link targets on Windows Server 2008 R2-based, Windows Server 2008-based, Windows Server 2003-based, or Windows 2000-based member computers or domain controllers.

DHCP

Turn off scanning of DHCP files

By default, DHCP files that should be excluded are present in the following folder on the server:

%systemroot%\System32\DHCP

Exclude the following files from this folder and all its subfolders:

*.mdb
*.pat
*.log
*.chk
*.edb

The location of DHCP files can be changed. To determine the current location of the DHCP files on the server, check the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters that are specified in the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
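The Active Directory and DHCP sections above both say the real location comes from a registry value, with the listed folder only being the default. The following script is an added example (not code from this post or from Microsoft KB 822158): it reads those registry values, falls back to the defaults given above when a value is unset, builds the per-file exclusion list and registers it with Microsoft Defender Antivirus. It assumes Defender is the product in use, that it runs elevated on the domain controller or DHCP server, and that Defender accepts `*` wildcards in `-ExclusionPath`.

```powershell
# Added example: resolve NTDS/DHCP locations from the registry, then exclude them.
# Run with -WhatIf first to review the list before anything is changed.
[CmdletBinding(SupportsShouldProcess)]
param()

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dhcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

# Registry value to read, the post's default if it is unset, and the file
# patterns the post lists for that location. BackupDatabasePath has no
# documented default here, so it is skipped when the value is absent.
$sources = @(
    @{ Key = $ntds; Name = 'DSA Database File';       Default = "$env:windir\Ntds"; Files = 'Ntds.dit','Ntds.pat' }
    @{ Key = $ntds; Name = 'Database Log Files path'; Default = "$env:windir\Ntds"; Files = 'EDB*.log','Res*.log','Res*.jrs' }
    @{ Key = $ntds; Name = 'DSA Working Directory';   Default = "$env:windir\Ntds"; Files = 'Temp.edb','Edb.chk' }
    @{ Key = $dhcp; Name = 'DatabasePath';            Default = "$env:SystemRoot\System32\DHCP"; Files = '*.mdb','*.pat','*.log','*.chk','*.edb' }
    @{ Key = $dhcp; Name = 'DhcpLogFilePath';         Default = "$env:SystemRoot\System32\DHCP"; Files = '*.log' }
    @{ Key = $dhcp; Name = 'BackupDatabasePath';      Default = $null; Files = '*.mdb','*.pat','*.log','*.chk','*.edb' }
)

function Resolve-Location($src) {
    $value = (Get-ItemProperty -Path $src.Key -Name $src.Name -ErrorAction SilentlyContinue).($src.Name)
    if (-not $value) { return $src.Default }
    # DHCP values may be stored unexpanded, e.g. %SystemRoot%\System32\dhcp
    $value = [Environment]::ExpandEnvironmentVariables($value)
    # 'DSA Database File' holds the full path of ntds.dit; we want its folder.
    if (Test-Path -LiteralPath $value -PathType Leaf) { $value = Split-Path -Path $value -Parent }
    return $value
}

$exclusions = foreach ($src in $sources) {
    $folder = Resolve-Location $src
    if (-not $folder) { continue }
    foreach ($pattern in $src.Files) { Join-Path -Path $folder -ChildPath $pattern }
}
$exclusions = $exclusions | Sort-Object -Unique

# Only add what is not already excluded, so the exclusion list stays minimal.
$current = (Get-MpPreference).ExclusionPath
foreach ($path in $exclusions) {
    if ($current -contains $path) { continue }
    if ($PSCmdlet.ShouldProcess($path, 'Add Defender path exclusion')) {
        Add-MpPreference -ExclusionPath $path
    }
}

# Verify what Defender actually holds after the change.
(Get-MpPreference).ExclusionPath | Where-Object { $_ -in $exclusions }
```

Because the paths are resolved from the registry rather than hard-coded, a database that has been moved off the default location is still excluded, and the final `Get-MpPreference` call shows exactly which entries were applied.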

DNS

Turn off scanning of DNS files

By default, DNS uses the following folder:

%systemroot%\System32\Dns

Exclude the following files from this folder and all its subfolders:

*.log
*.dns
BOOT

WINS

Turn off scanning of WINS files

By default, WINS uses the following folder:

%systemroot%\System32\Wins

Exclude the following files from this folder and all its subfolders:

*.chk
*.log
*.mdb

The exact file paths in this post have been extracted from Microsoft KB article 822158, but the reasoning is from experience.
