What Anti-Virus scanning exclusions should be considered for system and servers? (Continued)

Hello everyone,
I am hoping to create a reference guide for all those looking for antivirus exclusion lists (files, folders and/or processes that should not be scanned by AV) for common applications. I found the following links, which were extremely helpful: (http://myitforum.com/cs2/blogs/scassells/archive/2007/05/14/what-anti-virus-scanning-exclusions-should-be-considered-for-system-and-servers.aspx) and (http://support.microsoft.com/kb/822158/) and (http://support.microsoft.com/kb/943556). Please help me augment my growing list. (The person who donates the most exclusions gets the points.)

Here is what I have generated so far. Feel free to comment if you feel I am an idiot for those listed. AND THANKS for your help:


All Windows 2003 and Windows XP (the following are applied to all systems):
  Directories = \windows\SoftwareDistribution\Datastore, \windows\SoftwareDistribution\Datastore\Logs
  File extensions = log, chk, edb (and Wsusscan.cab, Wsusscn2.cab)

Windows infrastructure services - Active Directory/DNS/DHCP/File Replication/WSUS/IIS:
  Directories to exclude = \windows\ntds, \windows\system32\dns, \windows\system32\dhcp, \windows\ntfrs, \windows\system32\inetsrv, \inetpub, \windows\iis temporary compressed files, FRS_Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
  File extensions to exclude = BTR, DBF, SBF, DB, MDX, NDX, MDW, LDB, MDF, NDF, TMP, BIN, DIT, PAT, JDB, dat
  Processes = java.exe, msiexec.exe, INETINFO.EXE

Windows Cluster:
  Directories = Q:\ (Quorum drive), \windows\Cluster

Sharepoint:
  Directories = \Program Files\SharePoint Portal Server, \Program Files\Common Files\Microsoft Shared\Web Storage System, \MSDEDatabases

SMS:
  Directories = SMS\Inboxes, SMS_CCM\ServiceData

Office 2003 and 2007: (Don't have any, just hoping to spur your thoughts on it since I deploy it across our entire organization.)

Exchange 2003:
  Directories = \program files\exchsrvr\mailroot, \program files\exchsvr\mdbdata, M:\, \program files\exchsrvr\mtadata, \windows\system32\MSMQ
  File extensions = eml, stm, dat
  Processes = EMSMTA.exe, MAD.EXE, STORE.EXE, DSAMAIN.EXE, ISINTEG.EXE, ESEUTIL.EXE, MTACHECK.EXE, INETINFO.EXE, SRSMAIN.EXE

SQL 2000 and 2005:
  File extensions = mdf, ldf, ndf

VMware Infrastructure:
  Processes = vmwareservice.exe, vmware-ufad.exe

Computer Associates:
  Directories = CA install folder
  Processes = caavppc.exe, inort.exe

Thanks a billion!
jedifennerAsked:

younghvCommented:
For starters, I don't want any points - but here is a thought to ponder.

If I were to create a piece of malware, I would make sure that it stored itself in one of those locations, and gave itself one of those (apparent) extensions.

I have seen those recommendations for years and have always completely ignored them.

All systems and all files should have daily scans performed in the off/low use periods.

I fully understand the rationale for the discussion and the other point of view, but the only time I have been burned was with that blankety-blank Symantec - and that was a function of the product, not the configuration.

FWIW.

Vic
0
jedifennerAuthor Commented:
Hi younghv,

(does younghv = young halo victim?)  :-)

I understand your logic; however, I have had varying flavors of antivirus corrupt critical systems in the past, and it was determined that antivirus was to blame, my examples being IIS and Exchange. Plus, having AV scan program and database files (again, such as Exchange) can cause a noticeable performance hit. I really do appreciate your thoughts, but I can't go along with them after having gone through the above.

Personally, I feel as long as you:
1. Put up a firewall
2. Educate your end users (if you have any and if the monkeys are trainable)
3. Update your system and software patches
4. Keep your antivirus up-to-date and only apply the filters that are applicable to any given system; don't create one catch-all filter (such as not excluding STORE.EXE on a system that does not have Exchange installed)
...then I believe you are less likely to fall victim to a malicious program trying to masquerade as one of the listed exclusions and you have an environment optimized for best performance and protection - IMHO.

But again, thanks for your thoughts.  Anyone else???
0
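The per-role discipline in point 4 above (apply only the exclusions that match what is actually installed on a host, never one catch-all list) and younghv's concern about the original list (a path or extension excluded everywhere is a place malicious code can sit unscanned) can both be turned into a repeatable check. The script below is an added example, not code from this thread or from any AV vendor. Its role table holds a subset of the directories, extensions and processes posted in the question, lower-cased; the role names, the "broad extension" set and the function names are my own choices for the example.

```python
"""Build a per-host AV exclusion set from installed roles and audit a configured list.

Added example. ROLE_EXCLUSIONS is a lower-cased subset of the lists posted in the
thread; role names are arbitrary labels chosen for this example.
"""
import re
from typing import Dict, Iterable, List, Set

Exclusions = Dict[str, Set[str]]  # keys: "dirs", "exts", "procs"

ROLE_EXCLUSIONS: Dict[str, Exclusions] = {
    # "applied to all systems" block from the question
    "base": {
        "dirs": {r"\windows\softwaredistribution\datastore"},
        "exts": {"log", "chk", "edb"},
        "procs": set(),
    },
    # Exchange 2003 block; "dat" is deliberately left out, see BROAD_EXTENSIONS
    "exchange2003": {
        "dirs": {r"\program files\exchsrvr\mailroot", r"\program files\exchsrvr\mdbdata"},
        "exts": {"eml", "stm"},
        "procs": {"store.exe", "mad.exe", "emsmta.exe"},
    },
    "sql": {"dirs": set(), "exts": {"mdf", "ldf", "ndf"}, "procs": set()},
    "iis": {
        "dirs": {r"\inetpub", r"\windows\system32\inetsrv"},
        "exts": set(),
        "procs": {"inetinfo.exe"},
    },
}

# Extensions from the posted lists that match so many unrelated files that
# excluding them amounts to exempting arbitrary content from scanning.
BROAD_EXTENSIONS = {"dat", "tmp", "bin", "db"}

_DRIVE_ROOT = re.compile(r"^[a-z]:\\?$")  # e.g. "c:" or "c:\"


def _norm(values: Iterable[str], strip_dot: bool = False) -> Set[str]:
    """Lower-case and trim entries so comparisons are case-insensitive."""
    out = set()
    for v in values:
        v = v.strip().lower()
        if strip_dot:
            v = v.lstrip(".")
        if v:
            out.add(v)
    return out


def build_exclusions(roles: Iterable[str]) -> Exclusions:
    """Union of the base exclusions and those of the roles installed on this host."""
    result: Exclusions = {"dirs": set(), "exts": set(), "procs": set()}
    for role in ["base", *roles]:
        if role not in ROLE_EXCLUSIONS:
            raise ValueError(f"unknown role: {role}")
        for key, values in ROLE_EXCLUSIONS[role].items():
            result[key] |= values
    return result


def audit_exclusions(configured: Exclusions, roles: Iterable[str]) -> List[str]:
    """Return one finding per exclusion the installed roles do not justify."""
    roles = list(roles)
    expected = build_exclusions(roles)
    findings: List[str] = []
    for d in sorted(_norm(configured.get("dirs", ()))):
        if _DRIVE_ROOT.match(d) or d in ("\\", "/"):
            findings.append(f"directory {d!r} excludes an entire volume")
        elif d not in expected["dirs"]:
            findings.append(f"directory {d!r} is not needed by roles {roles}")
    for e in sorted(_norm(configured.get("exts", ()), strip_dot=True)):
        if e in BROAD_EXTENSIONS:
            findings.append(f"extension {e!r} matches arbitrary files; scope it to a directory instead")
        elif e not in expected["exts"]:
            findings.append(f"extension {e!r} is not needed by roles {roles}")
    for p in sorted(_norm(configured.get("procs", ()))):
        if p not in expected["procs"]:
            findings.append(f"process {p!r} is excluded but no installed role uses it")
    return findings


if __name__ == "__main__":
    # Constructed sample: a SQL-only host that inherited a catch-all policy.
    sample = {"dirs": {"C:\\"}, "exts": {".dat", "mdf"}, "procs": {"STORE.EXE"}}
    for finding in audit_exclusions(sample, ["sql"]):
        print("FINDING:", finding)
```

Run it against an export of each host's configured exclusions (paths, extensions and process names) with the roles that host really carries; an empty findings list means every exclusion is traceable to an installed service, which is the state point 4 asks for.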
younghvCommented:
As I said, I understand your point of view and you obviously know what you're talking about.

With that said isn't this always the crux of the problem?
<Educate your end users (if you have any and if the monkeys are trainable)>

I always maintain that a good SysAdmin can fix the equipment/application stuff -- but not those dad-gummed 'Users'.

:)

I'll back off and monitor for other comments.

Good question, btw.
0

kaos_theoryCommented:
ORACLE DATABASES!!! SQL DATABASES!!!! There are many that are vendor specific also; you would have to deal with them on a case-by-case basis.
0

jedifennerAuthor Commented:
Thank you Kaos!  Any other thoughts?  I have a hard time believing my list encompasses all the options to exclude!  Take a second and submit your exclude lists, please!
0
jedifennerAuthor Commented:
thanks for the assist
0
gbweaselCommented:
I love this topic. I am on the same page as younghv, but with a little less strictness.

Basic rule of thumb: understand what you are implementing and the risk associated with it. Evaluate that choice, then determine if that choice makes sense for you in this case.

I am against "exclusion" posts in general because too many admins just follow instructions and then wonder why they have viruses that blue screen servers. I have also had anti-virus programs cause problems with systems. As an issue came up I addressed the issue specifically. If I needed an exclusion I put one in after determining that security rules were in place so that the security surface area was still small.

Just my two cents because I love the topic.

**********************************************************************************
exclusion = c:\ and there will be no Antivirus issues on server :) :) :)
(Sorry, I had to put that in there)
0