ConfigMgr 2007 Antivirus Scan and Exclusion Recommendations


Please review all of the information in this post specific to your systems for any antivirus scan issues and workarounds.

Important: Some of the steps defined herein may increase your security risk. These steps may also make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses.  We recommend the process below in order to enable programs to operate as they are designed or to implement specific program capabilities. Before you make these changes, it is your responsibility to evaluate the risks that are associated with implementing this process and to test in your specific environment. If you choose to implement this process, take any appropriate additional steps to protect your system. It is recommended that you follow this process only if it is absolutely required for your environment.

System Center Configuration Manager 2007:

If you have Microsoft System Center Configuration Manager 2007 (ConfigMgr 2007) installed and are running into the specific issues defined in the Knowledge Base articles below, you should consider excluding the folders/files defined in each:

KB900638 - Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file is copied

KB327453 - Antivirus programs may contribute to file backlogs in SMS 2.0 and in SMS 2003

KB922358 - Microsoft Systems Management Server 2003 Inventory Tool for Microsoft Updates cannot run when a McAfee antivirus program is installed on the same computer

KB924148 - A Systems Management Server (SMS) 2003 client computer stops responding when you try to perform a software update scan of the Inventory Tool for Microsoft Updates (ITMU) on a computer that is running SMS 2003

KB824722 - "Cannot Open the File to Verify the Signature" Appears in Despool.log

 

Inventory Tool for Microsoft Updates (ITMU):

If you are running ITMU then review the Knowledge Base articles below for issues with virus scan and their workarounds:

KB900638 - Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file is copied

KB922358 - Microsoft Systems Management Server 2003 Inventory Tool for Microsoft Updates cannot run when a McAfee antivirus program is installed on the same computer

 

Windows Server Update Services (WSUS):

If you are running WSUS on your system then review the Knowledge Base articles below for issues with virus scan and workarounds:

KB900638 - Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file is copied

 

SQL Server:

If you have SQL Server installed on your system then consider using the guidelines as defined in the following Knowledge Base articles:

KB309422 - Guidelines for choosing antivirus software to run on the computers that are running SQL Server

KB250355 - Antivirus software that is not cluster-aware may cause problems with Cluster Services

 

Operating Systems (OS):

If you are running Windows Server 2003, Windows 2000 or Windows XP, review the following Knowledge Base article for virus scan exclusions:

KB822158 - Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, or Windows XP

 

Internet Information Server (IIS):

If you have IIS installed on your system, use the following Knowledge Base articles for virus scan exclusion information:

KB817442 - IIS 6.0: Antivirus Scanning of IIS Compression Directory May Result in 0-Byte File

KB821749 - Antivirus software may cause IIS to stop unexpectedly

 


Summary of Exclusions for ConfigMgr 2007:

 
CAB and archived files exclusions:

· Exclude the Wsusscan.cab file from the antivirus scan. -OR-

· Exclude all .cab files from the antivirus scan. -OR-

· Exclude all archived files from the antivirus scan. -OR-

· Exclude the following items from the antivirus scan:

    · The folder in which the Wsusscan.cab file is located.

    · The path of the Wsusscan.cab file on the local computer.

 
Exclusion of <DriveLetter>:\<ConfigMgr Install Folder>\Inboxes\SMS_Executive:

The SMS_Executive service may stop responding to some threads. These include the following threads:

• SMS_Discovery_Data_Manager

• SMS_Status_Manager

• SMS_Replication_Manager

• SMS_Despooler

• SMS_Data_Loader

• SMS_Collection_Evaluator

If you experience the behavior described above or in KB327453, use one or more of the following methods to reduce the file backlog:

• Exclude the <DriveLetter>:\<ConfigMgr install folder>\Inboxes\<SMS_Executive thread name> directory or the SMS_CCM\ServiceData directory from the virus-scanning process.

• Make sure that the antivirus software is not configured for real-time monitoring.

• Remove the antivirus software, and then restart the server so that any remaining traces are unloaded and removed from memory.

Note: If you exclude the <DriveLetter>:\<ConfigMgr install folder>\Inboxes directory from virus scanning or remove the antivirus software, you may make the site server and all clients vulnerable to potential virus risks. The client base component files reside in the <DriveLetter>:\<ConfigMgr install folder>\Inboxes directory; therefore, use these options only as a short-term troubleshooting step and not as a permanent solution for this behavior.

Exclusion of %Windir%\SoftwareDistribution:

Review the issue described in KB922358, where the antivirus program is configured to scan the %Windir%\SoftwareDistribution folder on the computer on which the ITMU scan is run. In this case, when the antivirus program scans the .edb file, it locks the file, and as a result ITMU cannot access the .edb file. To work around this issue, make sure that the antivirus program does not scan the files in the %windir%\SoftwareDistribution folder on any computer on which the Windows Update Agent is installed.
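As an added example (not code from the original post), the following PowerShell script audits a site server for the inbox backlog symptom described under KB327453 and reports whether the folders this post recommends excluding are covered by the local antivirus exclusion list. It assumes Windows Defender with its PowerShell module (Get-MpPreference / Add-MpPreference), PowerShell 3.0 or later, and the install path and backlog threshold given as parameters.

```powershell
# Audit script added as an example; it is not part of the original post.
# It reports the inbox backlog symptom from KB327453 and whether the paths this
# post recommends excluding are covered by Windows Defender's exclusion list.
# Assumptions: PowerShell 3.0+, Windows Defender with its PowerShell module
# (Get-MpPreference) present, and the ConfigMgr install root given below.
param(
    [string]$ConfigMgrRoot = 'C:\Program Files\Microsoft Configuration Manager', # assumed path
    [int]$BacklogThreshold = 500  # files per inbox folder before it is flagged as backlogged
)

$inboxRoot = Join-Path $ConfigMgrRoot 'Inboxes'
$wuaCache  = Join-Path $env:windir 'SoftwareDistribution'   # Windows Update Agent datastore (.edb)

# Current Defender path exclusions; empty if Defender is absent or none are set.
$excluded = @()
try   { $excluded = @( @((Get-MpPreference -ErrorAction Stop).ExclusionPath) | Where-Object { $_ } ) }
catch { Write-Warning "Could not read Defender preferences: $($_.Exception.Message)" }

function Test-Excluded([string]$Path) {
    # A path is covered if it equals, or sits beneath, an excluded folder.
    $p = $Path.TrimEnd('\') + '\'
    foreach ($e in $excluded) {
        if ($p.StartsWith($e.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Per-thread inbox folders under <install folder>\Inboxes: count files and flag backlogs.
$report = Get-ChildItem -Path $inboxRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $files = @(Get-ChildItem -Path $_.FullName -File -Recurse -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Inbox    = $_.Name
        Files    = $files.Count
        Backlog  = ($files.Count -gt $BacklogThreshold)
        Excluded = Test-Excluded $_.FullName
    }
}
$report | Sort-Object Files -Descending | Format-Table -AutoSize

# Summary for the two folders the post singles out.
foreach ($path in @($inboxRoot, $wuaCache)) {
    '{0,-60} exists={1,-5} excluded={2}' -f $path, (Test-Path $path), (Test-Excluded $path)
}
# To apply an exclusion once the risk has been evaluated: Add-MpPreference -ExclusionPath $inboxRoot
```

A folder that shows a growing file count without being excluded is the pattern KB327453 describes; an inbox that is both excluded and still backlogged points to a cause other than antivirus contention.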

 


APPENDIX: ConfigMgr 2007 Antivirus Recommendations

From a performance point of view, it is recommended that antivirus scanning be disabled for certain key non-executable items. Because these items are non-executable, they present minimal risk on a server, where the number of non-trusted applications should be negligible and the opening of files by user applications is also minimal. The key items include:

- ConfigMgr 2007 database data and log files (server-side)

- ConfigMgr 2007 log files (server-side)

- ConfigMgr 2007 transactional files (server-side)

- Windows Update Scan Catalog (client-side)

The following is a listing of the details of the above types of key items:

[Three tables detailing the database data and log files, log files, transactional files and Windows Update scan catalog were embedded as images in the original post and are not reproduced here.]

Rushi Faldu | Senior PFE

The App-V Team blog: http://blogs.technet.com/appv/
The WSUS Support Team blog: http://blogs.technet.com/sus/
The SCMDM Support Team blog: http://blogs.technet.com/mdm/
The ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
The SCOM 2007 Support Team blog: http://blogs.technet.com/operationsmgr/
The SCVMM Team blog: http://blogs.technet.com/scvmm/
The MED-V Team blog: http://blogs.technet.com/medv/
The DPM Team blog: http://blogs.technet.com/dpm/
The OOB Support Team blog: http://blogs.technet.com/oob/
The Opalis Team blog: http://blogs.technet.com/opalis

  • With this released -- does this mean the original whitepaper on this can be rereleased?

  • The bad: leaving Despite dramatic improvements in performance over the past two years, is still Norton no marks on the CPU, and the new results show the effectiveness, if it remains among the top five in the detection of malware still doesn't have the highest detection rate