Virus Scan Exclusions for Microsoft Products

echinoidqueenServers

Dec 4, 2013 (3 years and 8 months ago)




One of the phases in the implementation of a complex antimalware protection system is the creation of antivirus policies and related procedures, in which virus scanning tasks are one of the items. But scanning all objects can cause system instability. That’s why some vendors provide information about which files, folders, processes and file extensions can be excluded from scanning. This is not a strict recommendation but a possible workaround, because, from another point of view, such exclusions make the system less safe. So the real goal is a balance between safety and stability.

You may also face these questions during the maintenance phase or when a new product is added to the protection scope. These questions are rather important, and sometimes it takes more time to decide on them than to deploy the antivirus software itself.

This article describes the exclusions provided by Microsoft for its products. Kaspersky Anti-Virus 6.0 MP4 for Windows Workstations (KAV WKS) and Kaspersky Anti-Virus 6.0 MP4 for Windows Servers (KAV FS) are the antivirus software considered here. Transport-level or product-aware scanners such as Kaspersky Anti-Virus for Microsoft ISA Server and Kaspersky Security for Microsoft Exchange Server are out of the scope of this document.

For the protection of some server products it is recommended to disable the firewall component of the antivirus software; KAV FS does not have this component, unlike KAV WKS, which has it (the Anti-Hacker module). All recommendations are given for default paths. If you use non-default locations, you should adjust these settings. All settings should be applied temporarily at first, to evaluate the system.


In the current article you can find exclusions for:

- Windows operating systems (from Windows 2000 to Windows 7 and Windows 2008 R2).
- Domain controllers.
- DHCP, DNS and WINS servers.
- IIS 6.0/7.0 servers.
- WSUS servers.
- Cluster servers.
- SQL 2000/2005/2008 servers.
- ISA and Forefront servers (ISA 2000/2004/2006, TMG 2010, IAG 2007, UAG 2010).
- System Center products (SMS 2003, SCCM 2007, MOM 2005, SCOM 2007, SCDPM 2007).
- SharePoint Servers 2001/2003/2007 and Services 3.0.
- Hyper-V servers.
- Exchange 2003/2007/2010 servers.
- BizTalk 2004 servers.

Information about how to add these exclusions is located at the end of the article.


General Exclusions for Microsoft Windows 2008 R2, Windows 2008, Windows 2003 R2, Windows 2003, Windows 2000, Windows 7, Windows Vista and Windows XP

Windows Updates or Automatic Updates related files (database).
Exclude:
%windir%\SoftwareDistribution\Datastore\Datastore.edb

Windows Updates or Automatic Updates related files (logs).
Exclude:
%windir%\SoftwareDistribution\Datastore\Logs\Res*.log
%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb

Windows Security files - scanning of these files may prevent security policy from being applied.
Exclude:
%windir%\Security\Database\*.edb
%windir%\Security\Database\*.sdb
%windir%\Security\Database\*.log
%windir%\Security\Database\*.chk
%windir%\Security\Database\*.jrs

Group Policy related files.
Exclude:
%allusersprofile%\NTUser.pol
%Systemroot%\System32\GroupPolicy\Registry.pol

Print Spooler (service which manages print queues and controls printing jobs).
Exclude spoolsv.exe process

Paging file (which is an important part of virtual memory implementation).
Exclude pagefile.sys

MSMQ (which is a messaging protocol that allows applications running on separate servers to communicate in a failsafe manner).
Exclude:
%SystemRoot%\system32\MSMQ\
%SystemRoot%\system32\MSMQ\storage

Please use this link for more detailed information.



Domain Controllers on Microsoft Windows 2008 R2, Windows 2008, Windows 2003 R2, Windows 2003, Windows 2000

Active Directory related files (NTDS database).
Exclude:
%windir%\Ntds\Ntds.dit
%windir%\Ntds\Ntds.pat
A non-default path can be found here:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File

Active Directory related files (transaction logs).
Exclude:
%windir%\Ntds\EDB*.log
%windir%\Ntds\Res*.log
%windir%\Ntds\Res*.jrs
A non-default path can be found here:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory

Active Directory related files (NTDS working directory).
Exclude:
%windir%\Ntds\Temp.edb
%windir%\Ntds\Edb.chk
A non-default path can be found here:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory


Sysvol files (FRS working directory).
The system volume is a shared folder that stores public files (elements of Group Policy, scripts, etc.) distributed to other domain controllers via the File Replication service.
Exclude:
%windir%\Ntfrs\edb.chk
%windir%\Ntfrs\Ntfrs.jdb
%windir%\Ntfrs\*.log
A non-default path can be found here:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory

Sysvol files (FRS database logs) are located in %windir%\Ntfrs.
Exclude:
Edb*.log (if the registry key is not set)
FRS Working Dir\Jet\Log\Edb*.jrs (Windows 2008 and Windows 2008 R2)
A non-default path can be found here:
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory

Sysvol files (staging files).
Exclude:
%systemroot%\Sysvol\Staging areas\Ntfrs_cmp*.*
A non-default path can be found here:
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage

Sysvol subfolder.
Default location is %systemroot%\Sysvol\Sysvol.
Exclude the following files from this folder and all its subfolders:
*.adm
*.admx
*.adml
Registry.pol
*.aas
*.inf
Fdeploy.inf
Scripts.ini
*.ins
Oscfilter.ini

Sysvol files (FRS preinstall directory).
Exclude:
%windir%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory


DFS files (database, logs and working folders).
Distributed File System technology offers WAN-friendly replication and simplified fault-tolerant access to geographically dispersed files.
Default location is %systemdrive%\System Volume Information\DFSR.
Exclude the following files from this folder and all its subfolders:
$db_normal$
FileIDTable_2
SimilarityTable_2
*.xml
$db_dirty$
Dfsr.db
Fsr.chk
*.frx
*.log
Fsr*.jrs
Tmp.edb
A non-default path can be found here:
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File=Path >

Please use this link for more detailed information.
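
The registry lookups listed for the NTDS and FRS working locations can be scripted so that the exclusion list follows the paths actually configured on a domain controller. The following PowerShell is an added example, not part of the original article or of any Kaspersky or Microsoft tooling; the helper names Resolve-ConfiguredPath and New-Exclusion are hypothetical, and placing Ntds.pat beside the database file is an assumption.

```powershell
# Added example: resolve NTDS and FRS locations from the registry values named
# in this section and emit the matching exclusion masks. Falls back to the
# article's default paths when a value is absent. Run on the domain controller.

function Resolve-ConfiguredPath {
    # Hypothetical helper: returns the configured path and where it came from.
    param([string]$Key, [string]$Name, [string]$Default)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and -not [string]::IsNullOrEmpty([string]$item.$Name)) {
        # Values may contain %variables%; expand them before use.
        $value = [Environment]::ExpandEnvironmentVariables([string]$item.$Name)
        return New-Object PSObject -Property @{ Path = $value; Source = "registry: $Name" }
    }
    return New-Object PSObject -Property @{ Path = $Default; Source = 'default path' }
}

function New-Exclusion {
    # Hypothetical helper: one output row per file mask in the given directory.
    param($Location, [string]$Directory, [string[]]$Masks)
    $exists = $false
    if ($Directory) { $exists = Test-Path -LiteralPath $Directory }
    foreach ($mask in $Masks) {
        New-Object PSObject -Property @{
            Exclusion = $Directory.TrimEnd('\') + '\' + $mask
            Source    = $Location.Source
            DirExists = $exists   # False points at a stale or mistyped location
        }
    }
}

$services = 'HKLM:\System\CurrentControlSet\Services'
$ntdsKey  = "$services\NTDS\Parameters"
$ntfrsKey = "$services\NtFrs\Parameters"
$ntdsDir  = Join-Path $env:windir 'Ntds'    # default from the article
$ntfrsDir = Join-Path $env:windir 'Ntfrs'   # default from the article

$dbFile   = Resolve-ConfiguredPath $ntdsKey  'DSA Database File'     (Join-Path $ntdsDir 'Ntds.dit')
$ntdsWork = Resolve-ConfiguredPath $ntdsKey  'DSA Working Directory' $ntdsDir
$frsWork  = Resolve-ConfiguredPath $ntfrsKey 'Working Directory'     $ntfrsDir

# 'DSA Database File' holds the full path of the database file.
# Assumption: Ntds.pat is stored in the same directory.
$dbDir  = [System.IO.Path]::GetDirectoryName($dbFile.Path)
$dbName = [System.IO.Path]::GetFileName($dbFile.Path)

$result  = @()
$result += New-Exclusion $dbFile   $dbDir         @($dbName, 'Ntds.pat')
$result += New-Exclusion $ntdsWork $ntdsWork.Path @('EDB*.log', 'Res*.log', 'Res*.jrs', 'Temp.edb', 'Edb.chk')
$result += New-Exclusion $frsWork  $frsWork.Path  @('edb.chk', 'Ntfrs.jdb', '*.log')

$result | Sort-Object Exclusion -Unique |
    Format-Table Exclusion, Source, DirExists -AutoSize
```

Rows whose Source is a registry value show where the defaults in this section would have excluded the wrong location, leaving the real database files scanned and an unused default path exempt from scanning.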



DHCP Servers

By default DHCP related files are located in %systemroot%\System32\DHCP.
Exclude the following files from this folder and all its subfolders:
*.mdb
*.pat
*.log
*.chk
*.edb
A non-default path can be found here:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters

Please use this link for more detailed information.



DNS Servers

By default DNS related files are located in %systemroot%\System32\Dns.
Exclude the following files from this folder and all its subfolders:
*.log
*.dns
BOOT

Please use this link for more detailed information.




WINS Servers

By default WINS related files are located in %systemroot%\System32\Wins.
Exclude the following files from this folder and all its subfolders:
*.chk
*.log
*.mdb

Please use this link for more detailed information.



IIS Servers 6.0/7.0

Exclude:
%systemroot%\IIS Temporary Compressed Files (IIS 6.0)
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files (IIS 7.0)
%systemroot%\system32\inetsrv

Please use this link for more detailed information.



WSUS Servers

Exclude:
Wsusscan.cab
Wsusscn2.cab

Please use this link for more detailed information.



Cluster Servers (MSCS)

Exclude:
“MSCS” folder on quorum disk.
%Systemroot%\Cluster
\clusterserviceaccount\Local Settings\Temp (temp folder for Cluster Service account)

Please use this link for more detailed information.



SQL Servers 2000/2003/2008

Exclude data files:
*.mdf
*.ndf

Exclude logs:
*.ldf

Exclude backup files:
*.bak
*.trn

Exclude full-text catalog files:
“FTData” folders

Exclude Analysis Services data:
%ProgramFiles%\Microsoft SQL Server\MSSQL.X\OLAP

Exclude Analysis Services backup files:
%ProgramFiles%\Microsoft SQL Server\MSSQL.X\OLAP\Backup

Exclude Analysis Services logs:
%ProgramFiles%\Microsoft SQL Server\MSSQL.X\OLAP\Log

Please use this link for more detailed information.



ISA and Forefront Servers

This section contains information about:

- Internet Security and Acceleration (ISA) Server 2000/2004/2006 Standard/Enterprise Editions.
- Intelligent Application Gateway (IAG) 2007.
- Forefront Threat Management Gateway (TMG) Medium Business Edition.
- Forefront Threat Management Gateway (TMG) 2010.
- Forefront Unified Access Gateway (UAG) 2010.

General exclusions:

- Application’s working directory
- Logs
- Configuration storage
- Cache storage
- Application’s processes
- General folders and files mentioned in sections above
- ISA/Forefront-aware antivirus program folders.

ISA 2000.
Exclude paths:
%ProgramFiles%\Microsoft ISA Server
%ProgramFiles%\Microsoft ISA Server\ISALogs
ISA Server Web cache

Exclude processes:
%ProgramFiles%\Microsoft ISA Server\dailysum.exe
%ProgramFiles%\Microsoft ISA Server\repgen.exe
%ProgramFiles%\Microsoft ISA Server\mspadmin.exe
%ProgramFiles%\Microsoft ISA Server\w3prefch.exe
%ProgramFiles%\Microsoft ISA Server\wspsrv.exe



ISA 2004/2006 SE/EE.
Exclude paths:
%ProgramFiles%\Microsoft ISA Server
%ProgramFiles%\Microsoft SQL Server
ISA Server Web cache

Exclude processes:
%ProgramFiles%\Microsoft ISA Server\dailysum.exe
%ProgramFiles%\Microsoft ISA Server\isastg.exe
%ProgramFiles%\Microsoft ISA Server\mspadmin.exe
%ProgramFiles%\Microsoft ISA Server\w3prefch.exe
%ProgramFiles%\Microsoft ISA Server\wspsrv.exe
%ProgramFiles%\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL$MSFW\sqlservr.exe
%WinDir%\System32\dsamain.exe (Enterprise version only)

IAG 2007.
Exclude paths:
The same files which were excluded for IIS.
The same files which were excluded for ISA 2006.

Exclude processes:
%WinDir%\System32\inetsrv\inetinfo.exe
%WinDir%\System32\inetsrv\w3wp.exe



TMG MBE.
Exclude paths:
%ProgramFiles%\Microsoft ISA Server
%ProgramFiles(x86)%\Microsoft SQL Server
%SystemRoot%\Temp\ScanStorage
%ProgramFiles(x86)%\Microsoft ISA Server\Logs
TMG Web cache
%SystemDrive%\InetPub

Exclude processes:
%ProgramFiles(x86)%\Microsoft ISA Server\isastg.exe
%ProgramFiles(x86)%\Microsoft ISA Server\mspadmin.exe
%ProgramFiles(x86)%\Microsoft ISA Server\wspsrv.exe
%ProgramFiles(x86)%\Microsoft ISA Server\w3prefch.exe
%ProgramFiles(x86)%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
%ProgramFiles(x86)%\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
%ProgramFiles(x86)%\Microsoft SQL Server\90\Shared\sqlwriter.exe
%WinDir%\System32\dsamain.exe
%WinDir%\System32\inetsrv\inetinfo.exe
%WinDir%\System32\inetsrv\w3wp.exe

TMG 2010.
Exclude paths:
%ProgramFiles%\Microsoft Forefront Threat Management Gateway
%ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS
%ProgramFiles%\Microsoft SQL Server\MSSQL10.MSFW
%SystemRoot%\Temp\ScanStorage
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\Logs
Web cache

Exclude processes:
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\IsaManagedCtrl.exe
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\isastg.exe
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\mspadmin.exe
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\wspsrv.exe
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\w3prefch.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS\MSSQL\Binn\sqlservr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS\MSSQL\Binn\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10.MSFW\MSSQL\Binn\sqlservr.exe
%WinDir%\System32\dsamain.exe

UAG 2010.
Exclude:
The same files which were excluded for IIS.
The same files which were excluded for TMG 2010.
%ProgramFiles%\Microsoft Forefront Unified Access Gateway

Please use this link for more detailed information.



System Center Products and Their Predecessors

This section contains information about:

- Systems Management Server (SMS) 2003 and Configuration Manager (SCCM) 2007.
- System Center Data Protection Manager (SCDPM) 2007.
- System Center Operations Manager (SCOM) 2007 and Operations Manager (MOM) 2005.

SMS 2003.
Exclude:
SMS\Inboxes directory on Microsoft Systems Management Server site servers.
SMS_CCM\ServiceData directory on Microsoft SMS Management Points.

Please use this link for more detailed information.

SCCM 2007.
Exclude:
%ProgramFiles%\Microsoft Configuration Manager\Inboxes

Please use this link for more detailed information.

SCDPM 2007.
Exclude:
%ProgramFiles%\Microsoft Data Protection Manager\DPM\XSD
%ProgramFiles%\Microsoft Data Protection Manager\DPM\Temp\MTA
%ProgramFiles%\Microsoft Data Protection Manager\DPM\bin\dpmra.exe
%WinDir%\Microsoft.net\Framework\v2.0.50727\csc.exe

Please use this link for more detailed information.

SCOM 2007 and MOM 2005.
Exclude:
Momhost.exe (MOM 2005)
Monitoringhost.exe (SCOM 2007)
%allusersprofile%\Application Data\Microsoft\Microsoft Operations Manager\ (MOM 2005)
%ProgramFiles%\System Center Operations Manager 2007\Health Service State\Health Service Store (SCOM 2007)

Please use this link for more detailed information.




SharePoint Servers & Services

SharePoint Server 2007.
Exclude:
%ProgramFiles%\Microsoft Office Servers\12.0\Data
%ProgramFiles%\Microsoft Office Servers\12.0\Logs
%ProgramFiles%\Microsoft Office Servers\12.0\Bin

Please use this link for more detailed information.

SharePoint Service 3.0.
Exclude:
%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\Logs
%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\Data\Applications (if the computer is running the Windows SharePoint Services Search service)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files
%WinDir%\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files (on 64-bit systems)
%allusersprofile%\Application Data\Microsoft\SharePoint\Config
%WinDir%\Temp\WebTempDir
%SystemDrive%\Documents and Settings\service_account\Local Settings\Temp\

Please use this link for more detailed information.

SharePoint Portal Server 2001/2003.
Exclude:
%ProgramFiles%\SharePoint Portal Server
%ProgramFiles%\Common Files\Microsoft Shared\Web Storage System
%WinDir%\Temp\Frontpagetempdir (if you are using SPS 2003 SP1)

Please use this link for more detailed information.




Hyper-V Servers

Exclude:
\Vmms.exe
\Vmwp.exe
Virtual hard disk drives.
Snapshots.

Please use this link for more detailed information.




Exchange 2003 Servers

Exclude paths:
Databases and log files across all storage groups are located in Exchsrvr\Mdbdata.
MTA files are located in Exchsrvr\Mtadata.
Additional log files such as Exchsrvr\server_name.log directory.
Exchsrvr\Mailroot virtual server folder.
Working folder used to store streaming .tmp files that are used for message conversion is located in Exchsrvr\Mdbdata.
Temporary folder used in conjunction with offline maintenance utilities such as Eseutil.exe is located in the folder where the .exe file is run from.
Site Replication Service files are located in Exchsrvr\Srsdata.
IIS system files are located in %SystemRoot%\System32\Inetsrv.
IIS 6.0 compression folder used with Outlook Web Access 2003 is located in %systemroot%\IIS Temporary Compressed Files.
Quorum disk and %Winnt%\Cluster (for clusters).
Exchsrvr\Conndata.
Exchange-aware antivirus program folders.

Exclude processes:
Cdb.exe
Cidaemon.exe
Store.exe
Emsmta.exe
Mad.exe
Mssearch.exe
Inetinfo.exe
W3wp.exe

Please use this link for more detailed information.




Exchange 2007 Servers

Mailbox server role including clustered mailbox server.
Exclude:
Databases, checkpoint files, log files and database content indexes located in subfolders under %Program Files%\Microsoft\Exchange Server\Mailbox.
General log files like message tracking log files are located in subfolders under %Program Files%\Microsoft\Exchange Server\TransportRoles\Logs and %Program Files%\Microsoft\Exchange Server\Logging.
Offline Address Book files are located in subfolders under %Program Files%\Microsoft\Exchange Server\ExchangeOAB.
IIS system files are located in %SystemRoot%\System32\Inetsrv.
Temporary folder used in conjunction with offline maintenance utilities such as Eseutil.exe is located in the folder where the .exe file is run from.
Temporary folders used for conversions are located in server’s TMP folder, %Program Files%\Microsoft\Exchange Server\Working\OleConvertor and %Program Files%\Microsoft\Exchange Server\Mailbox\MDBTEMP.
The quorum disk and the %Winnt%\Cluster.
Exchange-aware antivirus program folders.



Hub Transport server role.
Exclude:
General log files are located in subfolders under %Program Files%\Microsoft\Exchange Server\TransportRoles\Logs.
Message folders are located in subfolders under %Program Files%\Microsoft\Exchange Server\TransportRoles.
Queue database, checkpoint and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Queue.
Sender Reputation database, checkpoint and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation.
IP filter database, checkpoint and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter.
Temporary folders used for conversions are located in server’s TMP folder and %Program Files%\Microsoft\Exchange Server\Working\OleConvertor.
Exchange-aware antivirus program folders.

Edge Transport server role.
Exclude:
Active Directory Application Mode (ADAM) database and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Adam.
General log files are located in subfolders under %Program Files%\Microsoft\Exchange Server\TransportRoles\Logs.
Message folders are located in %Program Files%\Microsoft\Exchange Server\TransportRoles.
Queue database, checkpoint and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Queue.
Sender Reputation database, checkpoint and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation.
IP filter database, checkpoint and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter.
Temporary folders used for conversions are located in server’s TMP folder and %Program Files%\Microsoft\Exchange Server\Working\OleConvertor.
Exchange-aware antivirus program folders.



Client Access server role.
Exclude:
Internet Information Services (IIS) 6.0 compression folder used with Microsoft Outlook Web Access is located in %systemroot%\IIS Temporary Compressed Files.
IIS system files are located in %SystemRoot%\System32\Inetsrv.
Internet-related files are located in subfolders under %Program Files%\Microsoft\Exchange Server\ClientAccess.
Temporary folder used for conversions is located in server’s TMP folder.

Unified Messaging server role.
Exclude:
Grammar files are located in subfolders under %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\grammars.
Voice prompts are located in subfolders under %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\Prompts.
Voicemail files are located in %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\voicemail.
Bad voicemail files are located in %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\badvoicemail.



Process exclusions:
Cdb.exe
Cidaemon.exe
Cluster.exe
Dsamain.exe
Edgecredentialsvc.exe
Edgetransport.exe
Galgrammargenerator.exe
Inetinfo.exe
Mad.exe
Microsoft.Exchange.Antispamupdatesvc.exe
Microsoft.Exchange.Contentfilter.Wrapper.exe
Microsoft.Exchange.Cluster.Replayservice.exe
Microsoft.Exchange.Edgesyncsvc.exe
Microsoft.Exchange.Imap4.exe
Microsoft.Exchange.Imap4service.exe
Microsoft.Exchange.Infoworker.Assistants.exe
Microsoft.Exchange.Monitoring.exe
Microsoft.Exchange.Pop3.exe
Microsoft.Exchange.Pop3service.exe
Microsoft.Exchange.Search.Exsearch.exe
Microsoft.Exchange.Servicehost.exe
Msexchangeadtopologyservice.exe
Msexchangefds.exe
Msexchangemailboxassistants.exe
Msexchangemailsubmission.exe
Msexchangetransport.exe
Msexchangetransportlogsearch.exe
Msftefd.exe
Msftesql.exe
Oleconverter.exe
Powershell.exe
Sesworker.exe
Speechservice.exe
Store.exe
Transcodingservice.exe
Umservice.exe
Umworkerprocess.exe
W3wp.exe



Extension exclusions.
In addition to excluding specific directories and processes, you should exclude the following Exchange-specific file name extensions in case directory exclusions fail or files are moved from their default locations.

Application-related extensions:
.config
.dia
.wsb

Database-related extensions:
.chk
.log
.edb
.jrs
.que

Offline address book-related extensions:
.lzx

Content Index-related extensions:
.ci
.dir
.wid
.000
.001
.002

Unified Messaging-related extensions:
.cfg
.grxml

GroupMetrics:
.dsc
.bin
.xml

Please use this link for more detailed information.


Exchange 2010 Servers

Mailbox server role including clustered mailbox server.
Exclude:
Databases, checkpoint files, log files and database content indexes located in subfolders under %ExchangeInstallPath%\Mailbox.
Group Metrics files are located in %ExchangeInstallPath%\GroupMetrics.
General log files like message tracking log files are located in subfolders under %ExchangeInstallPath%\TransportRoles\Logs and %ExchangeInstallPath%\Logging.
Offline Address Book files are located in subfolders under %ExchangeInstallPath%\ExchangeOAB.
IIS system files are located in %SystemRoot%\System32\Inetsrv.
Temporary folder used in conjunction with offline maintenance utilities such as Eseutil.exe is located in the folder where the .exe file is run from.
Mailbox database temporary folder is located in %ExchangeInstallPath%\Mailbox\MDBTEMP.
The quorum disk and the %Winnt%\Cluster.
Exchange-aware antivirus program folders.



Hub Transport server role.
Exclude:
General log files are located in subfolders under %ExchangeInstallPath%\TransportRoles\Logs.
Pickup and Replay message directory folders are located in %ExchangeInstallPath%\TransportRoles.
Queue database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\Queue.
Sender Reputation database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\SenderReputation.
IP filter database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\IpFilter.
Temporary folders used for conversions are located in server’s TMP folder and %ExchangeInstallPath%\Working\OleConvertor.
Exchange-aware antivirus program folders.

Edge Transport server role.
Exclude:
Active Directory Application Mode (ADAM) database and log files are located in %ExchangeInstallPath%\TransportRoles\Data\Adam.
General log files are located in subfolders under %ExchangeInstallPath%\TransportRoles\Logs.
Pickup and Replay message folders are located in %ExchangeInstallPath%\TransportRoles.
Queue database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\Queue.
Sender Reputation database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\SenderReputation.
IP filter database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\IpFilter.
Temporary folders used for conversions are located in server’s TMP folder and %ExchangeInstallPath%\Working\OleConvertor.
Exchange-aware antivirus program folders.



Client Access server role.
Exclude:
Internet Information Services (IIS) 7.0 compression folder used with Microsoft Outlook Web App is located in %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files.
Internet Information Services (IIS) 7.0 compression folder used with Microsoft Outlook Web App is located in %systemroot%\IIS Temporary Compressed Files.
IIS system files are located in %SystemRoot%\System32\Inetsrv.
Inetpub\logs\logfiles\w3svc.
Internet-related files are located in subfolders under %ExchangeInstallPath%\ClientAccess.
For servers that have protocol logging enabled for POP3 or IMAP4: %ExchangeInstallPath%\Logging\POP3 and %ExchangeInstallPath%\Logging\IMAP4.
Temporary folder used for conversions is located in server’s TMP folder and %ExchangeInstallPath%\Working\OleConvertor.

Unified Messaging server role.
Exclude:
Grammar files are located in subfolders under %ExchangeInstallPath%\UnifiedMessaging\grammars.
Voice prompts, greetings and informational message files are located in subfolders under %ExchangeInstallPath%\UnifiedMessaging\Prompts.
Voicemail files are located in %ExchangeInstallPath%\UnifiedMessaging\voicemail.
Temporary files generated by Unified Messaging are located in %ExchangeInstallPath%\UnifiedMessaging\temp.



Process exclusions:
Cdb.exe
Cidaemon.exe
Cluster.exe
Dsamain.exe
EdgeCredentialSvc.exe
EdgeTransport.exe
ExFBA.exe
GalGrammarGenerator.exe
Inetinfo.exe
Mad.exe
Microsoft.Exchange.AddressBook.Service.exe
Microsoft.Exchange.AntispamUpdateSvc.exe
Microsoft.Exchange.ContentFilter.Wrapper.exe
Microsoft.Exchange.EdgeSyncSvc.exe
Microsoft.Exchange.Imap4.exe
Microsoft.Exchange.Imap4service.exe
Microsoft.Exchange.Infoworker.Assistants.exe
Microsoft.Exchange.Monitoring.exe
Microsoft.Exchange.Pop3.exe
Microsoft.Exchange.Pop3service.exe
Microsoft.Exchange.ProtectedServiceHost.exe
Microsoft.Exchange.RPCClientAccess.Service.exe
Microsoft.Exchange.Search.Exsearch.exe
Microsoft.Exchange.Servicehost.exe
MSExchangeASTopologyService.exe
MSExchangeFDS.exe
MSExchangeMailboxAssistants.exe
MSExchangeMailboxReplication.exe
MSExchangeMailSubmission.exe
MSExchangeRepl.exe
MSExchangeTransport.exe
MSExchangeTransportLogSearch.exe
MSExchangeThrottling.exe
Msftefd.exe
Msftesql.exe
OleConverter.exe
Powershell.exe
SESWorker.exe
SpeechService.exe
Store.exe
TranscodingService.exe
UmService.exe
UmWorkerProcess.exe
W3wp.exe



Extension exclusions.
In addition to excluding specific directories and processes, you should exclude the following Exchange-specific file name extensions in case directory exclusions fail or files are moved from their default locations.

Application-related extensions:
.config
.dia
.wsb

Database-related extensions:
.chk
.log
.edb
.jrs
.que

Offline address book-related extensions:
.lzx

Content Index-related extensions:
.ci
.dir
.wid
.000
.001
.002

Unified Messaging-related extensions:
.cfg
.grxml

GroupMetrics:
.dsc
.bin
.xml

Please use this link for more detailed information.



BizTalk 2004 Servers

Exclude any file receive queue folders.

Please use this link for more detailed information.



How to Add Exclusions

To add exclusions, right-click the KAV icon in the system tray -> Properties -> Protection -> Exclusions -> Trusted Zones -> Configure Exclusion Rules and/or Trusted Applications. The same thing can be done via policy if you use Kaspersky Administration Kit 8.0 (AK) to manage your hosts.

In the current example, C:\Windows\SoftwareDistribution\Datastore\Datastore.edb was excluded, as recommended at the beginning of the article:

Please use this link for more detailed information regarding the creation of exception rules. Here you can find information about mask usage.

Another way to exclude some objects is to check the “Exclude areas recommended by Microsoft from virus scan” box during KAV manual installation. Part of the objects described in the “General exclusions” section at the beginning of the article will be excluded. This is available for the server version only. Please use this link for more detailed information.

If you use AK, you can add the same exclusions to the installation package (this is available for the server version only): Expand AK tree -> Repositories -> Installation Packages -> Right-click “Kaspersky Anti-Virus 6.0 for Windows Servers MP4” -> Properties -> Check the “Use exclusions specified by Microsoft” box: