Recommended Scan Exclusion List for OfficeScan Real-time scan

Solution ID: 1059770
Last Updated: 2013/01/23, 9:49 AM (PST)


Product/Version: OfficeScan - 10.0, 10.5, 10.6
Platform: Windows - 2003 Enterprise, 2003 Enterprise 64-bit, 2003 Standard, 2003 Standard 64-bit, 2008 Enterprise, 2008 Standard

Problem Description

This article enumerates the recommended exclusion list for OfficeScan Real-time Scan.

Solution

Database and encrypted files should generally be excluded from scanning to avoid performance and functionality issues. The exclusions below should be considered depending on the type of machine you are installing the OfficeScan client on.
To exclude the following, you need to log on to the OfficeScan management console and go to Networked Computers > Client Management > Scan Settings > Real-time Scan Settings.
General Exclusion for all Windows platforms

 

  • Pagefile.sys
  • *.pst
  • %systemroot%\System32\Spool
  • %systemroot%\SoftwareDistribution\Datastore
  • %allusersprofile%\NTUser.pol
  • %Systemroot%\system32\GroupPolicy\registry.pol
Note: System variables are not recognized, so replace "%systemroot%" and "%allusersprofile%" with the actual directory paths.
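
The substitution the note calls for can be done on the target machine itself. The PowerShell below is an added example, not part of the Trend Micro article: the helper name Resolve-ExclusionEntry is hypothetical, and the script only prints literal paths for entry in the console; it changes no OfficeScan setting.

```powershell
# Added example, not from the Trend Micro article. Run on the machine the
# exclusions are for; it only prints paths and changes no OfficeScan setting.

# Entries from "General Exclusion for all Windows platforms" above.
$entries = @(
    'Pagefile.sys',
    '*.pst',
    '%systemroot%\System32\Spool',
    '%systemroot%\SoftwareDistribution\Datastore',
    '%allusersprofile%\NTUser.pol',
    '%Systemroot%\system32\GroupPolicy\registry.pol'
)

# Hypothetical helper: expand one entry and classify the result.
function Resolve-ExclusionEntry {
    param([string]$Entry)

    # Replace %VAR% tokens with this machine's values; undefined
    # variables are left untouched by ExpandEnvironmentVariables.
    $literal = [Environment]::ExpandEnvironmentVariables($Entry)

    if ($literal -match '%[^%\\]+%') {
        $status = 'unresolved variable'      # do not paste this one as-is
    } elseif ($literal -notmatch '^[A-Za-z]:\\') {
        $status = 'file name or pattern'     # nothing on disk to verify
    } elseif (Test-Path -LiteralPath $literal) {
        $status = 'exists'
    } else {
        $status = 'not present on this host' # path not found at this location
    }

    New-Object PSObject -Property @{
        Original = $Entry
        Literal  = $literal
        Status   = $status
    }
}

$entries | ForEach-Object { Resolve-ExclusionEntry $_ } |
    Format-Table Original, Literal, Status -AutoSize
```

Enter the values from the Literal column; review any entry flagged as unresolved or not present before adding it, so the exclusion list contains only paths that apply to that machine.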

 

Microsoft Active Directory Domain Controller

  • DRIVE:\WINNT\SYSVOL
  • DRIVE:\WINNT\NTDS
  • DRIVE:\WINNT\ntfrs
  • DRIVE:\WINNT\system32\dhcp
  • DRIVE:\WINNT\system32\dns

 

Microsoft IIS Server

Web Server log files should be excluded from scanning. By default, IIS logs are saved in:
  • DRIVE:\WINNT\system32\LogFiles
  • DRIVE:\WINNT\system32\IIS Temporary Compressed Files

 

Microsoft IIS 7.0 Server

Web Server log files should be excluded from scanning. By default, IIS logs are saved in:
  • DRIVE:\inetpub\logs\

 

Domino Data Directory

The data directory is used to store Domino email messages. Repeated scanning of this folder while it is being updated with new messages is not an efficient way to scan locally stored emails. Use virus scanning applications, like ScanMail for Domino, to handle email viruses.
By default, the Domino data directory for a non-partitioned installation is: \Lotus\Domino\Data.

 

Cisco Call Manager

  • Drive:\Program Files\Call Manager
  • Drive:\Program Files\Call Manager Serviceability
  • Drive:\Program Files\Call Manager Attendant

 

Microsoft SQL Server

Because scanning may hinder performance, large databases should not be scanned. Since Microsoft SQL Server databases are dynamic, exclude the directory and backup folders from the scan list. If it is necessary to scan database files, a scheduled task can be created to scan them during off-peak hours.
  • DRIVE:\Program Files\Microsoft SQL Server\MSSQL\Data
  • DRIVE:\WINNT\Cluster (if using SQL Clustering)
  • Q:\ (if using SQL Clustering)
  • C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data
  • File extensions to exclude: .mdf, .ldf, .ndf, .bak, .tm

 

Cluster Servers

  • Q:\ (Quorum drive)
  • C:\Windows\Cluster

 

Microsoft Sharepoint Portal Server

  • DRIVE:\Program Files\SharePoint Portal Server
  • DRIVE:\Program Files\Common Files\Microsoft Shared\Web Storage System
  • DRIVE:\Windows\Temp\Frontpagetempdir
  • M:\

 

Microsoft SharePoint Servers Foundation 2010

  • Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions
  • Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files
  • Drive:\Users\ServiceAccount\AppData\Local\Temp
  • Drive:\Users\Default\AppData\Local\Temp
  • Drive:\Users\the account that the search service is running as\AppData\Local\Temp
  • Drive:\WINDOWS\system32\LogFiles
  • Drive:\Windows\Syswow64\LogFiles

 

Microsoft SharePoint Server 3.0 / 2007 / 2010

  • Drive:\Program Files\Microsoft Office Servers
  • Drive:\Program Files\Common Files\Microsoft Shared\Web Service Extensions
  • Drive:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files
  • Drive:\Documents and Settings\All Users\Application Data\Microsoft\SharePoint\Config
  • Drive:\Windows\Temp\WebTempDir
  • Drive:\Documents and Settings\the account that the search service is running as\Local Settings\Temp\
  • Drive:\WINDOWS\system32\LogFiles

 

Microsoft Systems Management Server (SMS)

  • SMS\Inboxes\SMS_Executive Thread Name
  • SMS_CCM\ServiceData

 

Microsoft Operations Manager Server (MOM)

  • DRIVE:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Operations Manager
  • DRIVE:\Program Files\Microsoft Operations Manager 2005

Microsoft Internet Security and Acceleration Server (ISA)

  • DRIVE:\Program Files\Microsoft ISA Server\ISALogs
  • DRIVE:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Data

 

Microsoft Windows System Update Server (WSUS)

  • \WSUS
  • \WsusDatabase

 

VMware

Other file types that should be added to the exclusion list include large flat and designed files, such as VMware disk partitions. Scanning VMware partitions while attempting to access them can affect session loading performance and the ability to interact with the virtual machine. Exclusions can be configured for the directories that contain the virtual machines, or by excluding *.vmdk and *.vmem files.

 

Microsoft Exchange Server

Exclude the directory or partition where MS Exchange stores its mailbox. Use virus scanning applications, like ScanMail for Exchange, to handle email viruses. The Installable File System (IFS) drive must also be excluded to prevent corruption of the Exchange Information Store.

 

Exchange 5.5

  • DRIVE:\EXCHSRVR\IMCData
  • DRIVE:\EXCHSRVR\MDBData

 

Exchange 2000

  • DRIVE:\EXCHSRVR\MDBData
  • DRIVE:\EXCHSRVR\MTAData
  • DRIVE:\EXCHSRVR\Mailroot
  • DRIVE:\EXCHSRVR\SrsData
  • DRIVE:\WINNT\system32\InetSrv

 

Exchange 2003

  • DRIVE:\EXCHSRVR\MDBData
  • DRIVE:\EXCHSRVR\MTAData
  • DRIVE:\EXCHSRVR\Mailroot
  • DRIVE:\EXCHSRVR\SrsData
  • DRIVE:\WINNT\system32\InetSrv
  • DRIVE:\EXCHSRVR\MdbDataUtility

 

Exchange 2007

Refer to the following Microsoft article for the required exclusions for the various Exchange 2007 roles: File-Level Antivirus Scanning on Exchange 2007

 

Exchange 2010

Refer to the following Microsoft article for the required exclusions for the various Exchange 2010 roles: File-Level Antivirus Scanning on Exchange 2010

 

Mapped Drives / Shared Folders

This option is best disabled. If it is enabled, it may create unnecessary network traffic when end users access remote paths or mapped network drives, and it can severely impact the user's experience. Consider disabling this function if all workstations have the OfficeScan client installed and updated to the latest virus signature.

 

Volume Shadow Copies

The backup process takes longer to finish when real-time scan is enabled. There are also instances when real-time scan detects an infected file in the volume shadow copy but cannot enforce the scan action because volume shadow copies are read-only.
It is advised to apply the latest Microsoft patches for the Volume Shadow Copies service: A Volume Shadow Copy Service (VSS) update package is available for Windows Server 2003

 

Citrix Exclusions

On Citrix systems, the following extensions have been causing performance problems. Exclude these file extensions to avoid them.
  • *.LOG, *.DAT, *.TMP, *.POL, *.PF

 

Novell Zenworks

  • C:\Program Files\Novell\Zenworks
  • Exclude the following files: NalView.exe, RMenf.exe, ZenNotifyIcon.exe, ZenUserDaemon.exe, casa.msi, dluenf.dll, fileInfo.db, lcredmgr.dll, objInfo.db
  • Exclude the following extensions: .APPSTATE, .LOG, .TMP, .ZC

 

Other Trend Micro Products

Make sure that the check box for "Exclude from scanning the directories where Trend Micro products are installed" is enabled in the OfficeScan Exclusion List settings.

