Best Practices for Anti-Virus Configuration and Exclusions in a Windows Environment



If you are here, it means you already know that configuring an anti-virus is not as simple as « next, next, next, ok ». Especially, deploying an antivirus to hundreds of clients… You’ve got to make sure that your clients are not suffering from intrusive antivirus processes, setup exclusions properly so that you don’t scan gigabytes of ISO files, make sure that the clients get the most recent and proper updates even if they are not connected to your network… Do you now get what I mean? J

I went through this process recently. We’re using Trend-Micro Worry-Free Advanced Business security software for a couple of years now. Recently Trend-Micro had an update and the most recent version of the program is version 8 as of writing this article. The process of upgrading didn’t go very well so I had to reinstall it from scratch! Here are my notes regarding this project;

I am not an antivirus expert but I guess every antivirus product has their own installing and “best practices” guide. I recommend you highly that these documents are worth reading, even if they are thousands of pages. Generally speaking, there are some folders & processes you can exclude from your real-time & scheduled scans…

Recommended folder exclusions for Windows 7 & Server 2008 R2 systems;

C:\ProgramData\Microsoft\Search
Windows Search & Indexing
C:\Windows\SoftwareDistribution\DataStore
WSUS
C:\Windows\System32\spool\Printers
Printers
C:\ProgramData\NTUser.pol
Security
C:\Windows\System32\GroupPolicy
Group Policy
C:\Windows\Security\Database
Security

This is really a general list. It all depends the software, services and roles that are installed in your systems that will determine what you should exclude from your scans. Let’s say you have a couple of custom applications that are programmed by your trusted developers, feel free to exclude these internal programs. For a complete list of suggested exclusions from Microsoft, please see the following article;
http://support.microsoft.com/kb/822158

During my researches, I’ve also find this useful document from Kaspersky;

http://usa.kaspersky.com/sites/usa.kaspersky.com/files/Virus%20Scan%20Exclusions%20for%20Microsoft%20Products.pdf

I guess there is not much left to say after giving away these documents. But I’ll give you a general list of all the processes that I’ve excluded from our systems too;

C:\Pagefile.sys
System
C:\Windows\System32\SearchFilterHost.exe
Windows Search & Indexing
C:\Windows\System32\SearchIndexer.exe
Windows Search & Indexing
C:\Windows\System32\SearchProtocolHost.exe
Windows Search & Indexing
C:\Windows\System32\Spoolsv.exe
Printers

 All the files that can be excluded from your antivirus agents;
Pagefile.sys
System
NTUser.pol
Group Policy
Registry.pol
Registry

 Here is a list of all the extensions that should be excluded;
.OST
Exchange Offline Cache File
.PST
Outlook Archiving File
.SHD
Print Spooler File
.SPL
Print Spooler File
.VHD
Microsoft Virtual Machine Disk File
.VFS
Microsoft Virtual Machine Disk File
.VMDK
VMware Virtual Machine Disk File
.VMEM
VMware Virtual Machine Memory File
.ISO
Archive File
.WIM
Windows Image File
.LOG
Windows & 3rd party Log Files
.INI
Configuration File

Here is one last useful link that I found during my researches;
http://www.petri.co.il/anti-virus-exclusionn-guidelines-for-microsoft-products.htm
I hope this was useful to you and please feel free to send me your suggestions / corrections to make this document better. Best way to contact me is by email.

Kubilay Elmas
kubilay.elmas@gmail.com
Location: Montreal, QC, Canada

Comments

Post a Comment

Popular posts from this blog

System.Messaging.MessageQueueException (0x80004005): A workgroup installation computer does not support the operation (Public Queue create issue)

This is a weird issue that I don't fully understand why it would happen. But the symptoms are very persistent as we're able to reproduce these behavior easily. Issue: The MSMQ (Microsoft Message Queuing) fails to create Public Queues and throws  "the System.Messaging.MessageQueueException (0x80004005): A workgroup installation computer does not support the operation" exception.
Read more

Veeam Backup Error : Failed to prepare guest for hot backup. Error: VSSControl

Image
Problem Description; I had this issue on one of my backup jobs recently and I was able to fix the issue with the solution explained below. After a quick google search, I realized that I'm not the only one and neither you are :) Full Error Description; Failed to prepare guest for hot backup. Error: VSSControl: Failed to prepare guest for freeze, wait tim eout 9 00 sec Error: VSSControl: Failed to prepare guest for freeze, wait timeout 900 sec
Read more

warning: Win32API is deprecated after Ruby 1.9.1; use fiddle directly instead - Chef Development Kit Update

Today, I needed to do some tests with a newer version of the Chef Client and test my cookbooks. To version 14.12.9-1 to be precise. I also upgraded my ChefDK on my workstation to the 4.2.0 version. I believe that upgrades Ruby version as well and now I have ruby version 2.6.3p62 Right after the upgrade, I tried with a basic knife node list command to see if I needed to reboot or anything was broke... Everything seems to be working fine, except I get this annoying "warning" message. As it's just a warning, I don't really care about it as it just seems to annonce something that is deprecated... Problem; You receive "warning: Win32API is deprecated after Ruby 1.9.1; use fiddle directly instead" warning when using ruby or chef knife commands. Solution; You need to comment out that warning message in Ruby lib scripts.
Read more