05 November, 2013

Best Practices for Anti-Virus Configuration and Exclusions in a Windows Environment



If you are here, it means you already know that configuring an anti-virus is not as simple as « next, next, next, ok ». Especially, deploying an antivirus to hundreds of clients… You’ve got to make sure that your clients are not suffering from intrusive antivirus processes, setup exclusions properly so that you don’t scan gigabytes of ISO files, make sure that the clients get the most recent and proper updates even if they are not connected to your network… Do you now get what I mean? J

I went through this process recently. We’re using Trend-Micro Worry-Free Advanced Business security software for a couple of years now. Recently Trend-Micro had an update and the most recent version of the program is version 8 as of writing this article. The process of upgrading didn’t go very well so I had to reinstall it from scratch! Here are my notes regarding this project;

I am not an antivirus expert but I guess every antivirus product has their own installing and “best practices” guide. I recommend you highly that these documents are worth reading, even if they are thousands of pages. Generally speaking, there are some folders & processes you can exclude from your real-time & scheduled scans…

Recommended folder exclusions for Windows 7 & Server 2008 R2 systems;

C:\ProgramData\Microsoft\Search
Windows Search & Indexing
C:\Windows\SoftwareDistribution\DataStore
WSUS
C:\Windows\System32\spool\Printers
Printers
C:\ProgramData\NTUser.pol
Security
C:\Windows\System32\GroupPolicy
Group Policy
C:\Windows\Security\Database
Security

This is really a general list. It all depends the software, services and roles that are installed in your systems that will determine what you should exclude from your scans. Let’s say you have a couple of custom applications that are programmed by your trusted developers, feel free to exclude these internal programs. For a complete list of suggested exclusions from Microsoft, please see the following article;
http://support.microsoft.com/kb/822158

During my researches, I’ve also find this useful document from Kaspersky;

http://usa.kaspersky.com/sites/usa.kaspersky.com/files/Virus%20Scan%20Exclusions%20for%20Microsoft%20Products.pdf

I guess there is not much left to say after giving away these documents. But I’ll give you a general list of all the processes that I’ve excluded from our systems too;

C:\Pagefile.sys
System
C:\Windows\System32\SearchFilterHost.exe
Windows Search & Indexing
C:\Windows\System32\SearchIndexer.exe
Windows Search & Indexing
C:\Windows\System32\SearchProtocolHost.exe
Windows Search & Indexing
C:\Windows\System32\Spoolsv.exe
Printers

 All the files that can be excluded from your antivirus agents;
Pagefile.sys
System
NTUser.pol
Group Policy
Registry.pol
Registry

 Here is a list of all the extensions that should be excluded;
.OST
Exchange Offline Cache File
.PST
Outlook Archiving File
.SHD
Print Spooler File
.SPL
Print Spooler File
.VHD
Microsoft Virtual Machine Disk File
.VFS
Microsoft Virtual Machine Disk File
.VMDK
VMware Virtual Machine Disk File
.VMEM
VMware Virtual Machine Memory File
.ISO
Archive File
.WIM
Windows Image File
.LOG
Windows & 3rd party Log Files
.INI
Configuration File

Here is one last useful link that I found during my researches;
I hope this was useful to you and please feel free to send me your suggestions / corrections to make this document better. Best way to contact me is by email.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.