Recommended scan exclusion list for Trend Micro Endpoint products

Solution ID: 1059770
Last Updated: 2014/10/13 4:05 AM (PST)


Product/Version: OfficeScan - 10.0, 10.5, 10.6, 11.0; Worry-Free Business Security Services - 5.3; Worry-Free Business Security Standard/Advanced - 6.0, 7.0, 8.0, 9.0

Platform: Windows - 2003 Enterprise, 2003 Enterprise 64-bit, 2003 Home Server, 2003 Server R2, 2003 Small Business Server, 2003 Small Business Server R2, 2003 Standard, 2003 Standard 64-bit, 2008 Enterprise, 2008 Essential Business Server, 2008 Server Core, 2008 Server Foundation, 2008 Server R2, 2008 Small Business Server, 2008 Standard, 2011 Small Business Server Essentials, 2011 Small Business Server Standard, 2012 Enterprise, 2012 Server Essentials, 2012 Web Server Edition, 7 32-bit, 7 64-bit, XP Professional 64-bit

Problem Description

Database and encrypted type files should generally be excluded from scanning to avoid performance and functionality issues.
Below are exclusions to consider for OfficeScan (OSCE) Real-time scan and Worry-Free Business Security (WFBS) Security Agent.

Solution

To exclude the following in OfficeScan and WFBS, you need to log on to the OfficeScan management console and go to Networked Computers > Client Management > Scan Settings > Real-time Scan Settings.

 

General Exclusions for all Windows platforms

  • Pagefile.sys
  • *.pst
  • %systemroot%\System32\Spool (replace %systemroot% with actual directory)
  • %systemroot%\SoftwareDistribution\Datastore (replace %systemroot% with actual directory)
  • %allusersprofile%\NTUser.pol
  • %Systemroot%\system32\GroupPolicy\registry.pol

 

Appian Enterprise

 

Acronis Backup & Recovery

 

ARCserve

 

AutoDesk Inventor / AutoCAD

  • C:\Program Files\Autodesk\Inventor 2013\Bin\Inventor.exe
  • C:\Program Files\Autodesk\Vault Professional 201\Explorer\Connectivity.VaultPro.exe
  • C:\Program Files\Autodesk\AutoCAD 2013\acad.exe
  • C:\Program Files\Autodesk\Inventor Fusion 2013\Inventor Fusion.exe
  • C:\Program Files\Autodesk\DWG TrueView 2013\dwgviewr.exe
  • C:\Program Files (x86)\Autodesk\Autodesk Design Review 2013\DesignReview.exe
  • C:\Program Files\Autodesk\Product Design Suite 2013\Bin\ProductDesignSuite.exe

 

BlackBerry Enterprise

 

Cisco CallManager

  • Drive:\Program Files\Call Manager
  • Drive:\Program Files\Call Manager Serviceability
  • Drive:\Program Files\Call Manager Attendant

 

Citrix Exclusions

On Citrix systems, the following extensions have been causing performance problems. Exclude these file extensions to avoid any performance problems: *.LOG, *.DAT, *.TMP, *.POL, *.PF.

 

Domino Data Directory

The data directory is used to store Domino email messages. Repeated scanning of this folder while it is being updated with new messages is not an efficient way to scan locally stored email. Use virus scanning applications such as ScanMail for Domino to handle email viruses. By default, the Domino data directory for a non-partitioned installation is <drive>: \ Lotus \ Domino \ Data.

 

Microsoft Exchange Server

Exclude the directory or partition where MS Exchange stores its mailbox. Use virus scanning applications like ScanMail for Exchange to handle email viruses. Installable File System (IFS) drive M must also be excluded to prevent the corruption of the Exchange Information Store.

 

Exchange 5.5

  • <drive>: \ EXCHSRVR \ IMCData
  • <drive>: \ EXCHSRVR \ MDBData

 

Exchange 2000

  • <drive>: \ EXCHSRVR \ MDBData
  • <drive>: \ EXCHSRVR \ MTAData
  • <drive>: \ EXCHSRVR \ Mailroot
  • <drive>: \ EXCHSRVR \ SrsData
  • <drive>: \ WINNT \ system32 \ InetSrv

 

Exchange 2003

  • <drive>: \ EXCHSRVR \ MDBData
  • <drive>: \ EXCHSRVR \ MTAData
  • <drive>: \ EXCHSRVR \ Mailroot
  • <drive>: \ EXCHSRVR \ SrsData
  • <drive>: \ WINNT \ system32 \ InetSrv
  • <drive>: \ EXCHSRVR \ MdbDataUtility

 

Exchange 2007

Refer to this Microsoft article: File-Level Antivirus Scanning on Exchange 2010.

 

FAST Search Server 2010 for SharePoint

 

Mapped Drives / Shared Folders

This option is best disabled. If it is enabled, it may create unnecessary network traffic when end users access remote paths or mapped network drives, and it can severely impact the user’s experience. Consider disabling this function if all workstations have the OfficeScan client installed and are updated to the latest virus signature.

 

Microsoft Active Directory Domain Controller

  • <drive>: \ WINNT \ SYSVOL
  • <drive>: \ WINNT \ NTDS
  • <drive>: \ WINNT \ ntfrs
  • <drive>: \ WINNT \ system32 \ dhcp
  • <drive>: \ WINNT \ system32 \ dns

 

Microsoft IIS 7.0 Server

Web Server log files should be excluded from scanning. By default, IIS logs are saved in <drive>:\inetpub\logs\.

 

Microsoft IIS Server

Web Server log files should be excluded from scanning. By default, IIS logs are saved in:
  • <drive>: \ WINNT \ system32 \ LogFiles
  • <drive>: \ WINNT \ system32 \ IIS Temporary Compressed Files

 

Microsoft Internet Security and Acceleration Server (ISA)

  • <drive>: \ Program Files \ Microsoft ISA Server \ ISALogs
  • <drive>: \ Program Files \ Microsoft SQL Server \ MSSQL$MSFW \ Data

 

Microsoft Lync

Scan exclusion guidelines for Microsoft Lync:

 

Microsoft Operations Manager Server (MOM)

  • <drive>: \ Documents and Settings \ All Users \ Application Data \ Microsoft \ Microsoft Operations Manager
  • <drive>: \ Program Files \ Microsoft Operations Manager 2005

 

Microsoft Sharepoint Portal Server

  • <drive>: \ Program Files \ SharePoint Portal Server
  • <drive>: \ Program Files \ Common Files \ Microsoft Shared \ Web Storage System
  • <drive>: \ Windows \ Temp \ Frontpagetempdir
  • M:\

 

Microsoft SharePoint Servers Foundation 2010

  • Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions
  • Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files
  • Drive:\Users\ServiceAccount\AppData\Local\Temp
  • Drive:\Users\Default\AppData\Local\Temp
  • Drive:\Users\<the account that the search service is running as>\AppData\Local\Temp
  • Drive:\WINDOWS\system32\LogFiles
  • Drive:\Windows\Syswow64\LogFiles
Reference: Certain folders may have to be excluded from antivirus scanning when you use a file-level antivirus program in SharePoint.

 

Microsoft SQL Server

Because scanning may hinder performance, large databases should not be scanned. Since Microsoft SQL Server databases are dynamic, exclude the directory and backup folders from the scan list. If it is necessary to scan database files, a scheduled task can be created to scan them during off-peak hours.
  • <drive>:\ WINNT \ Cluster (if using SQL Clustering)
  • <drive>: \ Program Files \ Microsoft SQL Server \ MSSQL \ Data
  • Q:\ (if using SQL Clustering)
  • C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data
  • File extensions to exclude: .mdf, .ldf, .ndf, .bak, .tm
SQL Server 2012
  • %ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr.exe
  • %ProgramFiles%\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
  • %ProgramFiles%\Microsoft SQL Server\MSAS11.<Instance Name>\OLAP\Bin\MSMDSrv.exe
SQL Server 2008 R2
  • %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\MSSQL\Binn\SQLServr.exe
  • %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
  • %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\OLAP\Bin\MSMDSrv.exe
SQL Server 2008
  • %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\MSSQL\Binn\SQLServr.exe
  • %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
  • %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\OLAP\Bin\MSMDSrv.exe
SQL Server 2005
  • %ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe
  • %ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
  • %ProgramFiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe
Considerations for clustering
You can run antivirus software on a SQL Server cluster. However, you must make sure that the antivirus software is a cluster-aware version. Contact your antivirus vendor about cluster-aware versions and interoperability.
If you are running antivirus software on a cluster, make sure that you also exclude these locations from virus scanning:
  • Q:\ (Quorum drive)
  • C:\Windows\Cluster

 

Microsoft Systems Management Server (SMS)

  • SMS \ Inboxes \ SMS_Executive Thread Name
  • SMS_CCM \ ServiceData
  • SMS \ Inboxes

 

Microsoft Windows System Update Server (WSUS)

  • <drive:>\ WSUS
  • <drive:>\ WsusDatabase
  • <drive:>\MSSQL$WSUS
Where "<drive:>" is the drive letter where you installed Windows Software Update Services server.
You can refer to the following Microsoft article for additional information: Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file or the Wsusscn2.cab file is copied.

 

MySQL

  • MySQL main directory - <Drive>:\mysql\
  • MySQL Temporary Files - Uses the Windows system default, which is usually C:\windows\temp\

 

Novell Zenworks

  • C:\Program Files\Novell\Zenworks
  • C:\Program Files\Novell\ZENworks\logs\ExternalStore
  • C:\Program Files\Novell\ZENworks\cache\zmd\ZenCache\metaData
  • C:\Program Files\Novell\ZENworks\cache\zmd
  • Exclude the following files: NalView.exe, RMenf.exe, ZenNotifyIcon.exe, ZenUserDaemon.exe, casa.msi, dluenf.dll, fileInfo.db, lcredmgr.dll, objInfo.db
  • Exclude the following extensions: .APPSTATE, .LOG, .TMP, .ZC

 

Oracle

  • .dbf - Database file
  • .log - Online Redo Log
  • .rdo - Online Redo Log
  • .arc - Archive log
  • .ctl - Control files

 

RA-MICRO

  • C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-E
  • C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-MICRO
  • C:\Dokumente und Einstellungen\%userName%\Anwendungsdaten\RA-MICRO Software GmbH
  • C:\Dokumente und Einstellungen\%userName%\Lokale Einstellungen\Anwendungsdaten\RA-MICRO_Software_GmbH
  • C:\Dokumente und Einstellungen\%userName%\Lokale Einstellungen\Anwendungsdaten\RA-MICRO
  • C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\RA-MICRO

 

SAP

  • SAP ABAP or Java installs:
    \usr\sap\ 
  • SAP Content Server Install:
    \SAPDB\
  • SAP Printer Server:
    SAPSprint.exe
  • Servers where SAPGui is installed:
    lsagent.exe
  • During SAP installs or upgrades, it is recommended to exclude the base SAPinst directories and subdirectories:
    ..\Program Files\SAPinst_instdir\

 

ScanMail for Exchange (SMEX) 7.0

  • ..\Smex\Temp
  • ..\Smex\Storage
  • ..\Smex\ShareResPool\

 

SMART Notebook Express

 

Symantec Backup Exec

  • ~\Symantec\Backup Exec\beremote.exe
  • ~\Symantec\Backup Exec\beserver.exe
  • ~\Symantec\Backup Exec\bengine.exe
  • ~\Symantec\Backup Exec\benetns.exe
  • ~\Symantec\Backup Exec\pvlsvr.exe
  • ~\Symantec\Backup Exec\BkUpexec.exe

 

VMWare

Other file extension types that should be added to the exclusion list include large flat and designed files, such as VMWare disk partitions. Scanning VMWare partitions while attempting to access them can affect session loading performance and the ability to interact with the virtual machine. Exclusions can be configured for the directory or directories that contain the virtual machines, or by excluding *.vmdk and *.vmem files.

 

Volume Shadow Copies

The backup process takes longer to finish when real-time scan is enabled. There are also instances when real-time scan detects an infected file in the volume shadow copy but cannot enforce the scan action because volume shadow copies have read-only access.
It is also advisable to apply the latest Microsoft patches for the Volume Shadow Copies service. Refer to this Microsoft article: A Volume Shadow Copy Service (VSS) update package is available for Windows Server 2003.

 

Other Trend Micro Products

Make sure the checkbox for "Do not scan the directories where Trend Micro products are installed." is enabled in WFBS’s Exclusion List settings (Security Settings>Antivirus/Anti-spyware>Exclusions).
 
Note: Add the .bkf extension to the list of real-time scan exclusions.
To know more about Microsoft's exclusion list, refer to the TechNet article Microsoft Anti-Virus Exclusion List.
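
The lists above mix several notations (%systemroot%, "<drive>:" with spaced backslashes, "Drive:\", bare extensions). As an added example that is not part of the original article or of any Trend Micro tool, the following Python script normalises entries copied from this page, fills a leading placeholder from an assumed per-host mapping, and labels the scope of each entry so that whole-volume, extension-wide and still-unresolved exclusions are reviewed before they are typed into the console. The names PLACEHOLDERS, FILE_EXTS, normalise, classify and review, and the drive and directory values, are hypothetical.

```python
import ntpath
import re

# Assumed values for one example host (not from the article); set them per server.
PLACEHOLDERS = {"%systemroot%": r"C:\Windows", "%programfiles%": r"C:\Program Files",
                "<drive>:": "D:", "drive:": "D:"}
FILE_EXTS = {".exe", ".dll", ".sys", ".pol", ".db", ".msi"}  # heuristic, not exhaustive

def normalise(entry, placeholders=PLACEHOLDERS):
    """Drop a trailing '(...)' remark, close up '\\ ' spacing, fill a leading placeholder."""
    text = re.sub(r"\s*\(.*\)\s*$", "", entry.strip())
    text = re.sub(r"\s*\\\s*", r"\\", text)
    for name, value in placeholders.items():
        if text.lower().startswith(name):
            text = value + text[len(name):]
    return text

def classify(path):
    """Return 'extension', 'drive-root', 'file' or 'directory' for a normalised entry."""
    if re.fullmatch(r"\*?\.\w+", path):
        return "extension"
    drive, rest = ntpath.splitdrive(path)
    if drive and rest in ("", "\\"):
        return "drive-root"
    if ntpath.splitext(path)[1].lower() in FILE_EXTS:
        return "file"
    return "directory"

def review(entries):
    """Yield (normalised entry, kind, remark) so the scope of each exclusion is explicit."""
    for entry in entries:
        path = normalise(entry)
        kind = classify(path)
        if "<" in path or "%" in path:
            remark = "unresolved placeholder: fill in before use"
        elif kind == "extension":
            remark = "applies in every folder on the machine"
        elif kind == "drive-root":
            remark = "covers the whole volume"
        elif re.search(r"\\temp(\\|$)", path, re.IGNORECASE):
            remark = "temporary folder: confirm which accounts can write here"
        else:
            remark = ""
        yield path, kind, remark

# Entries copied from the lists on this page.
SAMPLE = [r"%systemroot%\System32\Spool (replace %systemroot% with actual directory)",
          r"<drive>: \ WINNT \ NTDS", r"Q:\ (if using SQL Clustering)", "*.vmdk",
          r"Drive:\Users\Default\AppData\Local\Temp",
          r"%ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr.exe"]

if __name__ == "__main__":
    for path, kind, remark in review(SAMPLE):
        print("%-11s %-60s %s" % (kind, path, remark))
```
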

