What are best practices for installing antivirus protection on servers?

What are best practices for installing antivirus protection on servers? Is there a certain type of server where that's just a bad idea (like an AD DC)? What about IIS web servers (a huge enterprise server, with over 200 Host Header sites, Perl, PHP, .NET, etc. ISAPIs, all going on it)? What are the best solutions for this?
thekaramurat

Installing antivirus software on Microsoft servers needs some attention.
Therefore, it has always been a long argument whether to install and configure different antivirus software on different Microsoft Server platforms.
Some IT consultants do not even recommend installing antivirus software on critical servers.
Of course vendor documentation is very important and must be analyzed before installing any antivirus product on servers.
But Microsoft has its own recommendations and best practices to take into consideration.
Therefore it is better to take a closer look at the Microsoft articles below.
First of all I would like to start with the most important part of the Microsoft infrastructure (Domain Controllers).

1. If your server holds the domain controller role and runs DNS and DHCP services, then we have to review the Microsoft KB article http://support.microsoft.com/kb/822158 and exclude:
a.) %systemroot%\Sysvol folder (include all the sub-folders and files)
b.) %systemroot%\system32\dhcp folder (include all the sub-folders and files)
c.) %systemroot%\system32\dns folder (include all the sub-folders and files)
d.) %systemroot%\ntds

2. If the File Replication (NTFRS) service is running on your system, make sure your antivirus software is compatible: KB815263 - Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service, http://support.microsoft.com/kb/815263. And exclude:
a.) %systemroot%\ntfrs folder (include all the sub-folders and files)
b.) Files that have the .log and .dit extension

3. If you have IIS installed, exclude:
a.) The IIS compression directory (default compression directory is %systemroot%\IIS Temporary Compressed Files)
b.) %systemroot%\system32\inetsrv folder
c.) Files that have the .log extension

Refer to the following knowledge base articles for reference:
KB817442 - IIS 6.0: Antivirus Scanning of IIS Compression Directory May Result in 0-Byte File
http://support.microsoft.com/kb/817442 

KB821749 - Antivirus software may cause IIS to stop unexpectedly
http://support.microsoft.com/kb/821749

4. If you have SQL installed, you may want to exclude the SQL folder and database files (or database file types) from scanning for performance reasons:
KB309422 - Guidelines for choosing antivirus software to run on the computers that are running SQL Server
http://support.microsoft.com/kb/309422

5. If you have Exchange installed, perform the relevant file-based scanning exclusions listed in the Knowledge Base articles:

KB328841 - Exchange and antivirus software
http://support.microsoft.com/kb/328841 

KB823166 - Overview of Exchange Server 2003 and antivirus software
http://support.microsoft.com/kb/823166 

KB245822 - Recommendations for troubleshooting an Exchange Server computer with antivirus software installed
http://support.microsoft.com/kb/245822

6. If you have Cluster services, make sure your antivirus software is compatible:

KB250355 - Antivirus Software May Cause Problems with Cluster Services
http://support.microsoft.com/kb/250355 
NOTE: If you have a SQL cluster, make sure that you exclude these locations from virus scanning:
a.) Q:\ (Quorum drive)
b.) %systemroot%\Cluster
c.) SQL Server data files that have the .mdf extension, the .ldf extension, and the .ndf extension

7. If you have SharePoint installed, you should exclude:
a.) Drive:\Program Files\SharePoint Portal Server
b.) Drive:\Program Files\Common Files\Microsoft Shared\Web Storage System
c.) Drive:\MSDEDatabases (particularly on SBS) (where Drive: is the drive letter where you installed SharePoint Portal Server)

Refer to the following knowledge base articles for reference:
KB320111 - Random Errors May Occur When Antivirus Software Scans Microsoft Web Storage System
http://support.microsoft.com/kb/320111 

KB322941 - Microsoft's Position on Antivirus Solutions for Microsoft SharePoint Portal Server
http://support.microsoft.com/kb/322941

8. If you have a Systems Management Server (SMS), you should exclude these folders:
a.) SMS\Inboxes
b.) SMS_CCM\ServiceData

Refer to the following knowledge base articles for reference:
KB327453 - Antivirus programs may contribute to file backlogs in SMS 2.0 and in SMS 2003
http://support.microsoft.com/kb/327453

NOTE: If you exclude the SMS\Inboxes directory from virus scanning or remove the antivirus software, you may make the site server and all clients vulnerable to potential virus risks. The client base component files reside in the SMS\Inboxes directory.

9. If you have a MOM (Microsoft Operations Manager) server, you should consider excluding:
a.) Drive:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Operations Manager
b.) Drive:\Program Files\Microsoft Operations Manager 2005 (where Drive: is the drive letter where profiles are located)

10. If you have an Internet Security and Acceleration Server (ISA) Server, you should exclude:
a.) The ISALogs folder. By default, the ISALogs folder is located in the folder where you installed ISA Server. Typically, this location is Drive:\Program Files\Microsoft ISA Server.
Refer to the following knowledge base articles for reference:
KB887311 - Event ID 5, event ID 14079, and event ID 14176 are logged in the Application log on your Internet Security and Acceleration Server 2000 computer
http://support.microsoft.com/kb/887311
11. If you have the Windows Software Update Services (WSUS) server role, you should consider excluding:
a.) Drive:\MSSQL$WSUS
b.) Drive:\WSUS
(where Drive: is the drive letter where you installed Windows Software Update Services)
Also refer to the following knowledge base articles for reference:
KB900638 - Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file is copied
http://support.microsoft.com/kb/900638

For more information you can check the links below.

KB49500 - List of antivirus software vendors
http://support.microsoft.com/kb/49500 

KB129972 - Computer viruses: description, prevention, and recovery
http://support.microsoft.com/kb/129972
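The role-based exclusion list above, turned into a script, as an added example that is not part of thekaramurat's post or of any Microsoft KB article. It assumes Microsoft Defender Antivirus on Windows Server 2016 or later (the Defender and ServerManager PowerShell modules), maps the Domain Controller, DNS, DHCP, FRS and IIS exclusions from items 1 to 3 to the roles that are actually installed, supports -WhatIf so the planned changes can be reviewed before anything is written, and ends with a hygiene check that flags any excluded directory that non-admin users can write to, because an unscanned, broadly writable folder is exactly where dropped files go unnoticed. The SQL, Exchange, cluster and other paths from the later items would be added to the same table; third-party products use their own exclusion interfaces.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Applies the DC / DNS / DHCP /
# FRS / IIS exclusions from the answer above to Microsoft Defender Antivirus
# (Windows Server 2016+) for the roles installed on this host.
# Assumptions: the Defender module (Add-MpPreference, Get-MpPreference) and the
# ServerManager module (Get-WindowsFeature) are available.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$sysRoot = $env:SystemRoot

# Windows feature name (as reported by Get-WindowsFeature) -> KB-recommended paths.
$roleExclusions = @{
    'AD-Domain-Services' = @("$sysRoot\SYSVOL", "$sysRoot\NTDS")           # KB822158
    'DNS'                = @("$sysRoot\System32\dns")                     # KB822158
    'DHCP'               = @("$sysRoot\System32\dhcp")                    # KB822158
    'Web-Server'         = @("$sysRoot\IIS Temporary Compressed Files",   # KB817442
                             "$sysRoot\System32\inetsrv")                 # KB821749
}

function Get-RequiredExclusions {
    # Returns the paths that apply to this host so they can be reviewed first.
    $installed = Get-WindowsFeature |
        Where-Object { $_.Installed } |
        Select-Object -ExpandProperty Name
    $paths = @(foreach ($role in $roleExclusions.Keys) {
        if ($installed -contains $role) { $roleExclusions[$role] }
    })
    # KB815263: the ntfrs folder only matters while the File Replication
    # Service exists on the box (it is absent on DFSR-only domains).
    if (Get-Service -Name NtFrs -ErrorAction SilentlyContinue) {
        $paths += "$sysRoot\ntfrs"
    }
    # Skip directories that do not exist; an exclusion for them is only noise.
    $paths | Where-Object { Test-Path -LiteralPath $_ } | Sort-Object -Unique
}

function Set-RoleExclusions {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $current = @((Get-MpPreference).ExclusionPath)
    foreach ($p in Get-RequiredExclusions) {
        if ($current -contains $p) { Write-Verbose "Already excluded: $p"; continue }
        if ($PSCmdlet.ShouldProcess($p, 'Add Defender path exclusion')) {
            Add-MpPreference -ExclusionPath $p
        }
    }
}

function Test-ExclusionHygiene {
    # Defensive check: an excluded directory that Everyone / Users can write to
    # is a blind spot. Report each configured exclusion with that flag so the
    # list can be reviewed, not just trusted.
    foreach ($p in @((Get-MpPreference).ExclusionPath)) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        $broad = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|Authenticated Users|^BUILTIN\\Users$' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl'
        }
        [pscustomobject]@{ Path = $p; BroadWriteAccess = [bool]$broad }
    }
}

Set-RoleExclusions
Test-ExclusionHygiene | Format-Table -AutoSize
```

Run it once with -WhatIf to see which paths would be added, then without. The post's .log and .dit extension exclusions are deliberately not mapped to -ExclusionExtension: a Defender extension exclusion applies to every path on the machine, so scope those file types to the directories that hold them (NTDS, the DNS and DHCP folders, the IIS log directory) instead. The same caution the post gives for SMS\Inboxes applies to every entry here: each exclusion is a place the scanner will not look, so keep the list minimal, recorded, and reviewed.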
ksuchy (asker):

wow. Thanks very much Karamurat.
r-k:

I have to disagree with you. Yes, you should not be surfing or checking email with one of your production servers, but if a worm should get inside your network, then your servers are surely compromised. I have SAV installed on all servers except for SQL and Exchange. In order to install on SQL and Exchange you would have to follow special installation methods so that there aren't any issues.
I totally agree with d-k... so many times an AV program on a server causes issues. Scan your servers, but certainly you don't want real-time protection. This is from 30 years of experience.

Just last week McAfee on Exchange because a client had malware BLOCKED port 25.  
oops, teguila and posts may be a bad combo... IT experience since 1991 and r-k. not dk.   New topic, any non drinking in the trenches IT people out there?!
Lol, thanks itc-mt. I've been away from this board for too long, but your vote of confidence serves as a reminder may be I should get back here once in a while. Go easy with the tequilla, it's only Thursday! All best.
Oh brother, didn't even spell tequila right! Still the point is valid and you are welcome r-k!