Friday, August 28, 2009

SBS 2008 Standard Edition Antivirus Exception List

I have a Windows Small Business Server 2008 Standard Edition installation that I installed Kaspersky Antivirus Enterprise Edition on. I've spent an uncomfortable amount of time researching the various antivirus exceptions that are recommended for SBS 2008 and the various individual components that make up SBS 2008.
Documented here are my findings and what I did for my specific case. Note well that I am not suggesting that this is the best way to do things. This is just my research presented here for you to do with as you please. All comments and criticism are welcomed.
I did not choose to use any of the Live OneCare or ForeFront products and thus did not include exclusions appropriate to those products. Furthermore, you may want to use the EICAR test file to make sure that the following directories are truly being excluded by your antivirus product.
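One way to run that EICAR check across a whole list of exclusions, as an added example that is not part of the original post (the $Exclusions list is an assumed sample; replace it with the directories you actually configured):

```powershell
# Added example, not from the original post: drops the EICAR test file into each
# directory you believe is excluded and reports which copies survive the scanner.
# $Exclusions is an assumed sample list; replace it with the directories you configured.
$Exclusions = @(
    "$env:SystemRoot\SoftwareDistribution\Datastore",
    "$env:SystemRoot\ntds",
    "$env:SystemRoot\system32\dhcp"
)
# Standard EICAR test string; single quotes keep PowerShell from expanding $EICAR and $H.
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

$results = foreach ($dir in $Exclusions) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        [pscustomobject]@{ Directory = $dir; Status = 'missing directory' }
        continue
    }
    $probe = Join-Path $dir 'eicar-exclusion-probe.txt'
    try {
        # ASCII and no trailing newline, so the file matches the canonical signature.
        [System.IO.File]::WriteAllText($probe, $Eicar, [System.Text.Encoding]::ASCII)
    } catch {
        # On-access scanning blocked the write: this directory is NOT excluded.
        [pscustomobject]@{ Directory = $dir; Status = 'scanned (write blocked)' }
        continue
    }
    Start-Sleep -Seconds 5    # give the on-access scanner time to react
    if (Test-Path -LiteralPath $probe) {
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{ Directory = $dir; Status = 'excluded (probe survived)' }
    } else {
        [pscustomobject]@{ Directory = $dir; Status = 'scanned (probe removed)' }
    }
}
$results | Format-Table -AutoSize
```

Any directory reported as "scanned" is one the product is still inspecting despite your exclusion entry, which is exactly the mismatch this post is trying to avoid.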
Here is the list of exclusions that I used:
(The environmental variables %windir% and %systemroot% are used interchangeably because they mean the same thing. It just depended on where I was copying the string from or how lazy I was when typing. Look at some of the Google returns for windir vs systemroot to see what they’re all about.)

WUAU Related (Reference):
  • %systemroot%\SoftwareDistribution\Datastore\Datastore.edb (WUAU database file)
  • %windir%\SoftwareDistribution\Datastore\Logs\Edb*.log (WUAU transaction log files)
  • %windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs, Edbres00002.jrs (WUAU stuff exclusive to Vista / Server 08 and above)
  • %windir%\SoftwareDistribution\Datastore\Logs\Edb.chk (WUAU stuff)
  • %windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb (WUAU stuff)
  • %windir%\security\*.edb, *.sdb, *.log, *.chk (WUAU stuff)
  • %windir%\security\database\Security.sdb (WUAU Stuff)

WSUS Exceptions (Reference 1 and Reference 2):
  • Drive:\WSUS (where "drive" is the drive that WSUS is installed on. C: is default)

Group Policy Related (Reference):
  • %allusersprofile%\NTUser.pol (Group Policy user registry information)
  • %Systemroot%\system32\GroupPolicy\registry.pol (Group Policy client settings file)

Domain Controller Related (Reference):
  • %windir%\ntds\ntds.dit, ntds.pat (Main NTDS files; this is the default location. Check this registry key to find the absolute location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File)
  • %SystemRoot%\ntds\EDB*.log, Edbres00001.jrs (Default location for the Active Directory transaction log files. Check this registry key to find the absolute location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path)
  • %SystemRoot%\ntds\Temp.edb, Edb.chk ('ntds' is the default NTDS working folder. Check this registry key to find the absolute location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory)
  • Files in the File Replication Service (FRS) Working Folder need to be excluded. The default FRS Working folder is "%SystemRoot%\ntfrs". Check this registry key to find the absolute location of the folder: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory. By default, these are the files that should be excluded:
    • %SystemRoot%\ntfrs\jet\sys\edb.chk
    • %SystemRoot%\ntfrs\jet\ntfrs.jdb
    • %SystemRoot%\ntfrs\jet\log\*.log
  • The FRS Database log files need to be excluded. The default location is in %SystemRoot%\ntfrs. Check this registry key to find the absolute location: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\DB Log File Directory. By default, this is the path to the files that should be excluded:
    • %SystemRoot%\ntfrs\jet\log\edbres00001.jrs, edbres00002.jrs
    • %SystemRoot%\ntfrs\log\*.log
  • Various staging folders need to be excluded. The staging folder located at this registry key needs to be excluded along with all of its subfolders: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage. The default location on an SBS 2008 machine is:
    • %SystemRoot%\sysvol\staging
  • Other staging folders in their default locations to be excluded:
    • %SystemRoot%\sysvol\staging areas\
    • %SystemRoot%\SYSVOL\SYSVOL\
  • FRS preinstall folder, which defaults to "Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory". By default, this is the path to the folder that should be excluded:
    • %SystemRoot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
  • %systemroot%\sysvol\
    • But my antivirus did a file exclusion for %SystemRoot%\sysvol\* so that all files but not all subdirectories are excluded. If the sysvol folder itself was excluded, then some of the preceding exclusions would be redundant. So confusing.
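Rather than trusting the defaults, the NTDS and FRS registry values named above can be read directly and turned into a resolved exclusion list. This is an added example, not code from the original post; it reports values that are absent instead of guessing them, and uses the wildcard edbres*.jrs to cover both numbered .jrs reserve files:

```powershell
# Added example, not from the original post: resolves the NTDS and FRS locations
# from the registry keys listed above so the exclusions reflect this server,
# not the defaults. Missing keys or values are simply skipped, never guessed.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$frs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null instead of throwing when the key or value does not exist.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$exclusions = New-Object System.Collections.Generic.List[string]

# Active Directory database, transaction logs and working folder
$dit = Get-RegValue $ntds 'DSA Database File'
if ($dit)  { $exclusions.Add($dit); $exclusions.Add((Join-Path (Split-Path $dit) 'ntds.pat')) }
$logs = Get-RegValue $ntds 'Database Log Files Path'
if ($logs) { $exclusions.Add((Join-Path $logs 'edb*.log')); $exclusions.Add((Join-Path $logs 'edbres*.jrs')) }
$work = Get-RegValue $ntds 'DSA Working Directory'
if ($work) { $exclusions.Add((Join-Path $work 'temp.edb')); $exclusions.Add((Join-Path $work 'edb.chk')) }

# FRS working folder, DB log directory and every replica set's staging folder
$frsWork = Get-RegValue $frs 'Working Directory'
if ($frsWork) {
    $exclusions.Add((Join-Path $frsWork 'jet\sys\edb.chk'))
    $exclusions.Add((Join-Path $frsWork 'jet\ntfrs.jdb'))
    $exclusions.Add((Join-Path $frsWork 'jet\log\*.log'))
}
$frsLog = Get-RegValue $frs 'DB Log File Directory'
if ($frsLog) {
    $exclusions.Add((Join-Path $frsLog 'jet\log\edbres*.jrs'))
    $exclusions.Add((Join-Path $frsLog 'log\*.log'))
}
# One "Replica Set Stage" value per replica-set GUID subkey
Get-ChildItem -Path "$frs\Replica Sets" -ErrorAction SilentlyContinue | ForEach-Object {
    $stage = Get-RegValue $_.PSPath 'Replica Set Stage'
    if ($stage) { $exclusions.Add($stage) }
}

# Expand %SystemRoot%-style text in case any value is stored unexpanded, then de-duplicate
$exclusions | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } | Sort-Object -Unique
```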
SQL Server Exceptions (Note: SQL Server Standard is not part of this installation since it's only SBS 2008 Standard Edition. Only the version of SQL Server that is included with standard is taken into account) (Reference):
  • All SQL Server data files:
    • *.mdf
    • *.ldf
    • *.ndf
  • All SQL Server backup files:
    • *.bak
    • *.trn
    • *.[whatever else you append to your backup files]
  • Full-Text catalog files which are at the following paths
    • %ProgramFiles%\Microsoft SQL Server\MSSQL\FTData (for a default instance)
    • %ProgramFiles%\Microsoft SQL Server\MSSQL$instancename\FTData (for a named instance) 
    • C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\FTData (Default location of FTData on a SBS 2008 Standard machine running SQL 2005 Express)
  • Normally directories related to Analysis Services would be excluded, but the Express Edition of SQL Server does not include Analysis Services.
  • This blog post mentions to simply exclude the SQL folder (which I assume is the entire SQL Server program files folder) as well as the file extension exclusion for database related files. I chose not to exclude the whole SQL folder.
SharePoint Exceptions (Reference):
(The word "drive" is used to designate whichever drive letter SharePoint was installed on. By default in Small Business Server 2008, SharePoint Services is installed on drive C:)
  • "Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions" However, if you really don't want to exclude that entire folder, you can exclude the following two folders specifically:
    • Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Logs
    • Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Data\Applications (If you're not using SharePoint Services Search service you don't have to exclude this)
    • I chose to exclude the two specific folders and not the whole Web Server Extensions folder.
  • %windir%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files
  • %windir%\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files (specifically for x64 editions of Windows and, of course, SBS 2008 is 64-bit)
  • C:\ProgramData\Microsoft\SharePoint\Config
    • The former location in pre-Server 2008 OSes is: "C:\Documents and Settings\All Users\Application Data\Microsoft\SharePoint\Config". However, Documents and Settings is no longer around and has in some ways been replaced by the ProgramData folder.
    • I used this article to find the new directory since there is no “Documents and Settings” folder anymore.
  • %windir%\Temp\WebTempDir
  • C:\Documents and Settings\<the account that the search service is running as>\Local Settings\Temp\
  • C:\Documents and Settings\<the account that the search service is running as>\Local Settings\Application Data (Only if you use a specific account for SharePoint services or application pool identities)
  • C:\Documents and Settings\<the account that the search service is running as>\Local Settings\Temp (Only if you use a specific account for SharePoint services or application pool identities)
    • I couldn’t find what my search service was running as, so I didn’t exclude these.
  • %windir%\system32\LogFiles 
  • C:\Documents and Settings\Default User\Local Settings\Temp (I chose not to exempt the Temp folder and didn’t bother looking for where the new default user temp folder was in Vista/Server 08. Does anyone know?)
IIS Exceptions (Reference):
  • %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
Exchange 2007 Exceptions (Reference 1, Reference 2, Reference 3):

There are various exclusions for each of the different Exchange 2007 roles. There need to be directory, process and file name exclusions so make sure your antivirus program can handle those types of exclusions.

Exchange Directory Exclusions (NOTE: After looking at all the exclusions that are recommended, the thought occurred to me to just exclude the "drive:\Program Files\Microsoft\Exchange Server" directory. So many subfolders and files get excluded that I wonder if it would really be any less secure to simply mask out the whole Exchange Server folder. Thoughts are appreciated.)
  • All of your storage groups' Exchange databases, checkpoint files and log files. Default location is: %Program Files%\Microsoft\Exchange Server\Mailbox
    • However, you can determine the exact location by running these powershell commands in the Exchange Management Shell:
    • Get-StorageGroup -server [servername]| fl *path* (transaction logs and checkpoint file)
    • Get-MailboxDatabase -server [servername]| fl *path* (Mailbox database)
    • Get-PublicFolderDatabase -server [servername]| fl *path* (Public folder database)
  • Personal to my server
    • E:\Program Files\Microsoft\Exchange Server\Mailbox\
    • I just exclude %Program Files%\Microsoft\Exchange Server\Mailbox (or whatever your path is) and don't worry about subfolders and files.
  • General log files found in subfolders underneath the following directories by default:
    • %Program Files%\Microsoft\Exchange Server\TransportRoles\Logs\
    • %Program Files%\Microsoft\Exchange Server\Logging\
    • You can run "Get-MailboxServer | fl *path*" to find the specific directories.
    • Personal to my server that was returned by the above cmdlet
      • C:\Program Files\Microsoft\Exchange Server\Logging\Managed Folder Assistant
      • C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking
      • Strangely, I had previously documented that the following was what was specific to my server, but now that does not appear to be the case:
        • %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logs\
        • %ProgramFiles%\Microsoft\Exchange Server\Logging\
        • I excluded all four of those paths to be safe.
  • %Program Files%\Microsoft\Exchange Server\ExchangeOAB (Offline Address Book files are located in subfolders of this directory by default)
  • %SystemRoot%\System32\Inetsrv (exclude the IIS system files located in this folder… I just excluded the whole folder)
  • Make sure to exclude the temp folder that is used by any offline maintenance utilities like eseutil.exe. By default it is wherever the .exe is run from.
  • Microsoft says to exclude the server's entire TMP folder. Others debate this.
  • %Program Files%\Microsoft\Exchange Server\Working\OleConvertor (Where OLE conversions are performed)
  • %Program Files%\Microsoft\Exchange Server\Mailbox\MDBTEMP (Mailbox database temp folder)
  • Exclude any Exchange aware antivirus program folders (GFI MailDefense Suite in my case)
  • Various log files underneath subfolders within %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logs\. Use Get-TransportServer [servername]| fl *logpath*,*tracingpath* to find the exact folders. I just exclude the entire Logs folder.
  • Various subfolders underneath %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Queue folder
    • Use this to find out specifics: Get-TransportServer | fl *dir*path*
    • Strangely, when I did that I got this which is not in the \Data\Queue path like the KB article said it would be:
      • PickupDirectoryPath   : C:\Program Files\Microsoft\Exchange Server\TransportRoles\Pickup
      • ReplayDirectoryPath   : C:\Program Files\Microsoft\Exchange Server\TransportRoles\Replay
      • RootDropDirectoryPath : C:\inetpub\mailroot
      • I excluded all directories to be safe.
  • “%Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Queue” The transport server role queue database, checkpoint, and log files
  • “%Program Files%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation” The transport server role Sender Reputation database, checkpoint, and log files
  • “%Program Files%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter” The transport server role IP filter database, checkpoint, and log files
  • The temporary folders that are used to perform conversions:
    • Server’s TMP folder (I didn't exclude this. Others say that's asking too much and it's fine to not exclude it.)
    • %Program Files%\Microsoft\Exchange Server\Working\OleConvertor
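The "| fl *path*" trick used throughout this section can be turned into a script that gathers every path-valued property from those cmdlets for this server and reduces them to a de-duplicated folder list. This is an added example, not from the original post; it must be run inside the Exchange Management Shell, and $Server is an assumed placeholder for the local server name:

```powershell
# Added example, not from the original post: collects every *Path* property the
# Exchange 2007 cmdlets named above return for this server and turns them into a
# de-duplicated list of directories to exclude. Run inside the Exchange Management
# Shell. $Server is an assumed placeholder; the local computer name is used by default.
$Server = $env:COMPUTERNAME

$objects = @(
    Get-StorageGroup         -Server   $Server
    Get-MailboxDatabase      -Server   $Server
    Get-PublicFolderDatabase -Server   $Server
    Get-MailboxServer        -Identity $Server
    Get-TransportServer      -Identity $Server
)

$dirs = foreach ($obj in $objects) {
    # Same selection as "| fl *path*", but each value is captured instead of printed.
    foreach ($prop in ($obj.PSObject.Properties | Where-Object { $_.Name -like '*Path*' })) {
        $value = "$($prop.Value)"
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        # Database properties point at a file (for example EdbFilePath); reduce those
        # to their folder, because the checkpoint and temp files live beside them.
        if (Test-Path -LiteralPath $value -PathType Leaf) { Split-Path -Path $value -Parent }
        else { $value.TrimEnd('\') }
    }
}

# Final list: one entry per folder, sorted, ready to paste into the AV console
$dirs | Sort-Object -Unique
```

Because it reads the live configuration, a storage group or log path moved off the default drive (like the E: mailbox path above) shows up automatically instead of being copied from a KB article.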

Client Access server role:
  • “%systemroot%\IIS Temporary Compressed Files” IIS compression folder use with OWA. The problem is that the KB article says it's for IIS 6.0. The same folder cannot be found on a server using IIS 7. I included that path anyway.
  • “%SystemRoot%\System32\Inetsrv” IIS system files
  • “%Program Files%\Microsoft\Exchange Server\ClientAccess” Internet-related files stored in subfolders of this folder
  • Server TMP folder (Once again, I didn't exclude this)
Unified Messaging server role
  • “%Program Files%\Microsoft\Exchange Server\UnifiedMessaging\grammars” grammar files stored in subfolders of this folder
  • “%Program Files%\Microsoft\Exchange Server\UnifiedMessaging\Prompts” voice prompts stored in subfolders of this folder
  • “%Program Files%\Microsoft\Exchange Server\UnifiedMessaging\voicemail” voicemail files stored in this folder
  • “%Program Files%\Microsoft\Exchange Server\UnifiedMessaging\badvoicemail” bad voicemail files stored in this folder
Microsoft ForeFront Security for Exchange Server (Okay, I included some ForeFront exclusions in this post after all but didn't put them on my server) (Reference):
  • “%Program Files%\Microsoft ForeFront Security\Exchange Server\Data\Archive” archived message
  • “%Program Files%\Microsoft ForeFront Security\Exchange Server\Data\Quarantine” quarantined files
  • “%Program Files%\Microsoft ForeFront Security\Exchange Server\Data\Engines\x86” antivirus engine files stored in subfolders of this folder
  • “%Program Files%\Microsoft ForeFront Security\Exchange Server\Data” configuration files

Exchange 2007 Process Exclusions:
I included the path to the executables where I could find them. Some antivirus programs need to know the path to an executable before they can exclude it. I did not include a path for all of the executables since I was unable to locate each of them. Comments on where to find them would be appreciated.

  • Cdb.exe
  • Cidaemon.exe
  • Cluster.exe
  • Dsamain.exe
  • Edgecredentialsvc.exe
  • Edgetransport.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Galgrammargenerator.exe
  • Inetinfo.exe (the running process in Task Manager says the executable is in C:\Windows\System32\inetsrv but I went there and can’t find it!)
  • Mad.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Microsoft.Exchange.Antispamupdatesvc.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Microsoft.Exchange.Contentfilter.Wrapper.exe
  • Microsoft.Exchange.Cluster.Replayservice.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Microsoft.Exchange.Edgesyncsvc.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Microsoft.Exchange.Imap4.exe
  • Microsoft.Exchange.Imap4service.exe
  • Microsoft.Exchange.Infoworker.Assistants.exe
  • Microsoft.Exchange.Monitoring.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Microsoft.Exchange.Pop3.exe
  • Microsoft.Exchange.Pop3service.exe
  • Microsoft.Exchange.Search.Exsearch.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Microsoft.Exchange.Servicehost.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Msexchangeadtopologyservice.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Msexchangefds.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Msexchangemailboxassistants.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Msexchangemailsubmission.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Msexchangetransport.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Msexchangetransportlogsearch.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Msftefd.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Msftesql.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Oleconverter.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Powershell.exe (C:\WINDOWS\system32\WindowsPowerShell\v1.0)
  • Sesworker.exe
  • Speechservice.exe
  • Store.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Transcodingservice.exe
  • Umservice.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • Umworkerprocess.exe (C:\Program Files\Microsoft\Exchange Server\Bin)
  • W3wp.exe (C:\Windows\System32\inetsrv)

File name extension exclusions for Exchange 2007:
  • Application-related extensions
    • .config
    • .dia
    • .Wsb
  • Database-related extensions
    • .chk
    • .log
    • .edb
    • .jrs
    • .que
  • Offline Address Book-related extensions:
    • .lzx
  • Content Index-related extensions
    • .ci
    • .wid
    • .000
    • .001
    • .002
    • .dir
  • Unified Messaging-related extensions
    • .cfg
    • .grxml
DHCP Exceptions (Reference):
  • %systemroot%\system32\dhcp folder (include all the sub-folders and files)

DNS Exceptions (Reference):
  • %systemroot%\system32\dns folder (include all the sub-folders and files)

That seems to be it. More additions as research and comments warrant.

2 comments:

  1. An excellent compilation, thanks very much for sharing.

    A few comments:
    - I exclude C:\pagefile.sys.
    - Somewhere I got the idea I should exclude the Certificate Authority files, C:\Windows\system32\CertLog\. Can't confirm online.
    - I think you're missing the \Database subfolder in the path for your WUAU file exclusions (*.edb, *.sdb, etc.). I decided to just exclude the whole \Database subfolder.

    Here's what I came up with for my environment (my Exchange and SharePoint data are on drive F):

    C:\pagefile.sys
    C:\inetpub\temp\IIS Temporary Compressed Files\
    C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Data\
    C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\FTData\
    C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Data\
    C:\Program Files (x86)\Microsoft SQL Server\MSSQL.3\MSSQL\Data\
    C:\Program Files (x86)\Microsoft SQL Server\MSSQL.3\MSSQL\FTData\
    C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Data\Applications\
    C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\LOGS\
    C:\Program Files\Microsoft\Exchange Server\
    C:\ProgramData\Microsoft\SharePoint\Config\
    C:\ProgramData\NTUser.pol
    C:\Windows\IIS Temporary Compressed Files\
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\
    C:\Windows\ntds\
    C:\Windows\ntfrs\
    C:\Windows\security\database\
    C:\Windows\SoftwareDistribution\DataStore\
    C:\Windows\system32\CertLog\
    C:\Windows\system32\dhcp\
    C:\Windows\System32\GroupPolicy\registry.pol
    C:\Windows\System32\inetsrv\
    C:\Windows\System32\LogFiles\
    C:\Windows\sysvol\
    C:\Windows\Temp\WebTempDir\
    C:\WSUS\
    F:\Program Files\Microsoft\Exchange Server\Mailbox\
    F:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\DATA

  2. Thanks Mark! Those look like great additions. When I migrate this post over to my new blog, may I include your additions (with credit of course)?
