Solved

What Anti-Virus scanning exclusions should be considered for system and servers? (Continued)

Posted on 2008-01-30
Medium Priority
12,180 Views
Last Modified: 2013-11-22
Hello everyone,
I am hoping to create a reference guide for all those looking for antivirus exclusion lists (files, folders and/or processes that should not be scanned by AV) for common applications. I found the following links, which were extremely helpful: (http://myitforum.com/cs2/blogs/scassells/archive/2007/05/14/what-anti-virus-scanning-exclusions-should-be-considered-for-system-and-servers.aspx) and (http://support.microsoft.com/kb/822158/) and (http://support.microsoft.com/kb/943556). Please help me augment my growing list. (The person who donates the most exclusions gets the points.)

Here is what I have generated so far. Feel free to comment if you feel I am an idiot for those listed. AND THANKS for your help:


All Windows 2003 and Windows XP (the following are applied to all systems):
  Directories = \windows\SoftwareDistribution\Datastore, \windows\SoftwareDistribution\Datastore\Logs,
  Files extensions = log, chk, edb, (and Wsusscan.cab, Wsusscn2.cab)

Windows infrastructure services - Active Directory/DNS/DHCP/File Replication/WSUS/IIS:
  Directories to exclude = \windows\ntds, \windows\system32\dns, \windows\system32\dhcp, \windows\ntfrs, \windows\system32\inetsrv, \inetpub, :\windows\iis temporary compressed files, FRS_Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
  File extensions to exclude = BTR, DBF, SBF, DB, MDX, NDX, MDW, LDB, MDF, NDF, TMP, BIN, DIT, PAT, JDB, dat
  Processes = java.exe, msiexec.exe, INETINFO.EXE

Windows Cluster:
  Directories = Q:\ (Quorum drive), \windows\Cluster

Sharepoint:
  Directories = \Program Files\SharePoint Portal Server, \Program Files\Common Files\Microsoft Shared\Web Storage System, \MSDEDatabases

SMS:
  Directories = SMS\Inboxes, SMS_CCM\ServiceData

- Office 2003 and 2007: (Don't have any, just hoping to spur your thoughts on it since I deploy it across our entire organization.)

- Exchange 2003:
  Directories = \program files\exchsrvr\mailroot, \program files\exchsvr\mdbdata, M:\, \program files\exchsrvr\mtadata, \windows\system32\MSMQ
  File extensions = eml, stm, dat, dat
  Processes = EMSMTA.exe, MAD.EXE, STORE.EXE, DSAMAIN.EXE, ISINTEG.EXE, ESEUTIL.EXE, MTACHECK.EXE, INETINFO.EXE, SRSMAIN.EXE

- SQL 2000 and 2005
  File extensions = mdf, ldf, ndf

- VMware Infrastructure
  Processes: vmwareservice.exe, vmware-ufad.exe

- Computer Associates
  Directories: CA install folder
  Processes: caavppc.exe, inort.exe

Thanks a billion!
0
Question by:jedifenner
7 Comments
 
LVL 38

Expert Comment

by:younghv
ID: 20781838
For starters, I don't want any points - but here is a thought to ponder.

If I were to create a piece of malware, I would make sure that it stored itself in one of those locations, and gave itself one of those (apparent) extensions.

I have seen those recommendations for years and have always completely ignored them.

All systems and all files should have daily scans performed in the off/low use periods.

I fully understand the rationale for the discussion and the other point of view, but the only time I have been burned was with that blankety-blank Symantec - and that was a function of the product, not the configuration.

FWIW.

Vic
0
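The point above, that an exclusion only tells the scanner what to skip and says nothing about what a file actually is, can be turned into a routine check. The following is an added example, not code from any poster in this thread: it walks a directory that the AV policy excludes and flags any file that carries an excluded extension but starts with the PE "MZ" signature, so those files can be handed to an on-demand scan. The directory layout and file contents are constructed sample data built in a temp folder.

```python
"""Content check for files under AV-excluded paths (added example, not from the thread)."""
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable (DOS stub header)


def find_masquerading_executables(root, excluded_exts):
    """Return relative paths of files under root that begin with the PE
    signature despite carrying an extension the AV policy excludes.
    Extension comparison is case-insensitive, as on Windows."""
    excluded = {e.lower().lstrip(".") for e in excluded_exts}
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower().lstrip(".")
        if ext not in excluded:
            continue  # not excluded, the regular scan already covers it
        with open(path, "rb") as fh:
            head = fh.read(len(PE_MAGIC))
        if head == PE_MAGIC:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def make_sample_tree():
    """Build a constructed directory resembling an excluded datastore folder."""
    root = Path(tempfile.mkdtemp(prefix="av_excl_"))
    logs = root / "Datastore" / "Logs"
    logs.mkdir(parents=True)
    # benign transaction log: plain text
    (logs / "edb00001.log").write_bytes(b"2008-01-30 constructed log text\n")
    # PE bytes hiding behind an excluded .log extension
    (logs / "edb00002.log").write_bytes(PE_MAGIC + b"\x90\x00" * 32)
    # constructed non-PE bytes with an excluded database extension
    (root / "Datastore" / "cache.edb").write_bytes(b"\x00\x01\x02\x03" * 16)
    # PE file with a non-excluded extension: the normal scan sees this one
    (root / "Datastore" / "helper.exe").write_bytes(PE_MAGIC + b"\x00" * 64)
    return root


if __name__ == "__main__":
    sample = make_sample_tree()
    print(find_masquerading_executables(sample, ["log", "chk", "edb"]))
```

A check like this is cheap to schedule in the same off-hours window as the full scan, because it reads only the first two bytes of each file in the excluded locations rather than scanning their contents.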
 

Author Comment

by:jedifenner
ID: 20786461
Hi younghv,

(does younghv = young halo victim?)  :-)

I understand your logic; however, I have had varying flavors of antivirus corrupt critical systems in the past and it was determined that antivirus was to blame, my examples being IIS and Exchange. Plus, having AV scan program and database files (again, such as Exchange) can cause a noticeable performance hit. I really do appreciate your thoughts, but I can't go along with them after having gone through the above.

Personally, I feel as long as you:
1. Put up a firewall
2. Educate your end users (if you have any and if the monkeys are trainable)
3. Update your system and software patches
4. Keep your antivirus up-to-date and only apply to filters that are applicable for any given system and don't create one Catch All filter (such as not excluding STORE.EXE on a system that does not have Exchange installed)
...then I believe you are less likely to fall victim to a malicious program trying to masquerade as one of the listed exclusions and you have an environment optimized for best performance and protection - IMHO.

But again, thanks for your thoughts.  Anyone else???
0
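Point 4 above (apply only the exclusions that fit a given system, never one catch-all filter) is the kind of rule that is easy to state and easy to drift away from as a policy grows. The following is an added example, not code from any poster in this thread: it builds a host's exclusion set from the roles actually installed on it and audits an applied policy for entries that no installed role justifies, such as STORE.EXE on a host without Exchange. The role table is a constructed subset of the entries listed in the question, and the role names and sample hosts are assumptions for the example.

```python
"""Role-scoped AV exclusion policy (added example, not from the thread)."""

# Per-role exclusion sets: a constructed subset of the question's list.
ROLE_EXCLUSIONS = {
    "base": {  # applied to every Windows 2003 / XP host
        "dirs": [r"\windows\SoftwareDistribution\Datastore"],
        "exts": ["log", "chk", "edb"],
        "procs": [],
    },
    "iis": {
        "dirs": [r"\windows\system32\inetsrv", r"\inetpub"],
        "exts": [],
        "procs": ["INETINFO.EXE"],
    },
    "exchange2003": {
        "dirs": [r"\program files\exchsrvr\mdbdata", r"\program files\exchsrvr\mailroot"],
        "exts": ["eml", "stm"],
        "procs": ["STORE.EXE", "MAD.EXE", "EMSMTA.exe"],
    },
    "sql": {"dirs": [], "exts": ["mdf", "ldf", "ndf"], "procs": []},
}

KINDS = ("dirs", "exts", "procs")


def build_policy(roles):
    """Union of the 'base' set and the exclusions of each installed role.
    Entries are lower-cased because Windows paths and names are case-insensitive."""
    policy = {kind: set() for kind in KINDS}
    for role in ("base", *roles):
        if role not in ROLE_EXCLUSIONS:
            raise ValueError(f"unknown role: {role}")
        for kind in KINDS:
            policy[kind].update(x.lower() for x in ROLE_EXCLUSIONS[role][kind])
    return policy


def audit_policy(applied, roles):
    """Compare the exclusions applied on a host with what its roles justify.
    Returns the unjustified entries per kind; all-empty means every exclusion
    on the host is accounted for by an installed role."""
    expected = build_policy(roles)
    return {
        kind: sorted({x.lower() for x in applied.get(kind, [])} - expected[kind])
        for kind in KINDS
    }


if __name__ == "__main__":
    catch_all = build_policy(["iis", "exchange2003", "sql"])  # the anti-pattern
    # A SQL-only host that received the catch-all list: every Exchange and IIS
    # process on it is an exclusion the host cannot justify.
    print(audit_policy(catch_all, ["sql"])["procs"])
```

Feeding the audit from an inventory source (installed roles per host) rather than from a hand-maintained list is what keeps the exclusions from quietly turning back into the catch-all filter the comment warns against.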
 
LVL 38

Expert Comment

by:younghv
ID: 20786622
As I said, I understand your point of view and you obviously know what you're talking about.

With that said isn't this always the crux of the problem?
<Educate your end users (if you have any and if the monkeys are trainable)>

I always maintain that a good SysAdmin can fix the equipment/application stuff -- but not those dad-gummed 'Users'.

:)

I'll back off and monitor for other comments.

Good question, btw.
0
 
LVL 2

Accepted Solution

by:
kaos_theory earned 1000 total points
ID: 20803104
ORACLE DATABASES!!! SQL DATABASES !!!! There are many that are vendor specific also; you would have to deal with them on a case by case basis.
0
 

Author Comment

by:jedifenner
ID: 20922027
Thank you Kaos!  Any other thoughts?  I have a hard time believing my list encompasses all the options to exclude!  Take a second and submit your exclude lists, please!
0
 

Author Closing Comment

by:jedifenner
ID: 31426554
thanks for the assist
0
 

Expert Comment

by:gbweasel
ID: 22282554
I love this topic. I am on the same page as younghv, but with a little less strictness.

Basic rule of thumb: understand what you are implementing and the risk associated with it. Evaluate that choice, then determine if that choice makes sense for you in this case.

I am against "exclusion" posts in general because too many admins just follow instructions and then wonder why they have a virus that blue screens servers. I have also had anti-virus programs cause problems with systems. As an issue came up I addressed the issue specifically. If I needed an exclusion I put one in after determining that security rules were in place so that the security surface area was still small.

Just my two cents because I love the topic.

**********************************************************************************
exclusion = c:\ and there will be no Antivirus issues on server :) :) :)
(Sorry, I had to put that in there)
0
