Anti-Virus Exclusions

Microsoft generally recommends that servers are protected against viruses using anti-virus software. The alternative is to adequately harden and lower the software attack surface of the server, together with physical network segmentation, firewalls etc. For customers that will deploy anti-virus software, Microsoft has some specific guidance for configuring antivirus exclusions on Windows/SAP/SQL Server environments.

In particular, it is our recommendation that database files should not be scanned. Online scans cause additional load on I/O and may also cause some contention issues. It is therefore required to exclude some files or directories from AV scans in order to protect the performance of an SAP installation.

Previous guidance was detailed in the following blog entry:

http://blogs.msdn.com/b/saptech/archive/2010/06/21/sap-on-windows-and-anti-virus-scan.aspx

This blog entry is now a little outdated, and in some cases it gave no specific guidance on what should be excluded depending on which SAP software and components are installed.

For the most commonly installed software and components here are specific recommendations.

1)   SAP Anti-Virus Exclusions (exclude the complete directories and subdirectories)

  • SAP ABAP or Java installs
    • \usr\sap\
  • SAP Content Server Install
    • \SAPDB\
  • SAP Printer Server
    • SAPSprint.exe
  • Servers where SAPGui is installed
    • lsagent.exe
  • During SAP installs or upgrades, it is a good idea to exclude the base SAPinst directories and subdirectories.
    • \program files\sapinst_instdir\

 2)   Microsoft SQL Server 2008/2008 R2/2012 AV Exclusions

 A.   SQL Server data files:

 

  • .mdf - Primary Data file.
  • .ndf - Secondary Data files.
  • .ldf - Transaction Log file(s).

 

In some cases it might not be enough to exclude the data files; it might also be necessary to exclude the directories that contain the data files. Normally on SAP systems the SQL Server files are in their own individual directories, e.g.:

  • \SAPDATA?\

If there are more than 10 SAPDATA directories it might be necessary to use the following, because not all antivirus products support the asterisk (*) in directory exclusions:

  • \SAPDATA??\

 B.   SQL Server backup files:

  • *.bak - Database backup files.
  • *.trn - Transaction Log backup files.
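
Added example (not part of the original article): a PowerShell check of the \SAPDATA?\ versus \SAPDATA??\ point in 2A. It reports data directories that the configured exclusions leave scanned, and exclusions that match no data directory. The function name, drive letters and directory names are assumptions, and wildcard matching follows PowerShell's -like operator rather than any particular antivirus product.

```powershell
# Added example, not from the original article. All paths below are constructed.
# Assumption: "?" matches exactly one character and "*" any run of characters
# (PowerShell -like semantics); confirm how your antivirus product treats wildcards.
function Test-ExclusionCoverage {
    param(
        [string[]]$DataDirectory,     # directories holding .mdf/.ndf/.ldf files
        [string[]]$ExclusionPattern   # directory exclusions configured in the AV product
    )
    $used = @{}
    foreach ($dir in $DataDirectory) {
        # One trailing backslash so "E:\SAPDATA1" and "E:\SAPDATA1\" compare equal.
        $path = $dir.TrimEnd('\') + '\'
        # An exclusion covers the directory itself and everything below it.
        $hits = @($ExclusionPattern | Where-Object { $path -like ($_.TrimEnd('\') + '\*') })
        foreach ($h in $hits) { $used[$h] = $true }
        [pscustomobject]@{
            Item   = $dir
            Status = if ($hits.Count) { 'Excluded' } else { 'StillScanned' }
            Detail = $hits -join ', '
        }
    }
    # An exclusion that matches no data directory is an unscanned location that
    # buys no performance benefit: review it and remove it if it is stale.
    foreach ($pattern in $ExclusionPattern) {
        if (-not $used.ContainsKey($pattern)) {
            [pscustomobject]@{ Item = $pattern; Status = 'UnusedExclusion'; Detail = '' }
        }
    }
}

# Constructed host: twelve data directories, one single-"?" exclusion, one stale entry.
$dirs     = 1..12 | ForEach-Object { "E:\SAPDATA$_" }
$patterns = 'E:\SAPDATA?\', 'D:\OLDDATA\'

# First run: only the single-character pattern is configured.
Test-ExclusionCoverage -DataDirectory $dirs -ExclusionPattern $patterns | Format-Table -AutoSize

# Second run: the two-character pattern from the article is added.
Test-ExclusionCoverage -DataDirectory $dirs -ExclusionPattern ($patterns + 'E:\SAPDATA??\') |
    Format-Table -AutoSize
```

On a real host, feed the function the directories that actually hold the database files and the exclusion list exported from the antivirus product in use.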

 3)   Windows 2008/2012 Exclusions.

a.       Turn off scanning of the Microsoft Forefront "tmp.edb" file

 

If you are using Forefront, turn off scanning of the Forefront database file (tmp.edb). This file is located in the following folder:

  • %windir%\SoftwareDistribution\Datastore

 

b.      Turn off scanning of the log files that are located in the following folder:

 

  • %ProgramData%\Microsoft\Search\Data\Applications\Windows

 c.       Turn off scanning of Windows Update or Automatic Update related files

 Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder:

  • %windir%\SoftwareDistribution\Datastore

 d.      Turn off scanning of the log files that are located in the following folder:

  • %windir%\SoftwareDistribution\Datastore\Logs

Specifically, exclude the following files:

  • Res*.log
  • Edb*.jrs
  • Edb.chk
  • Tmp.edb

 e.    Turn off scanning of Windows Security files

 Add the following files in the %windir%\Security\Database path of the exclusions list: 

  • *.edb
  • *.sdb
  • *.log
  • *.chk
  • *.jrs

 

Note: if these files are not excluded, antivirus software may prevent proper access to them, which can result in the security databases becoming corrupted. Scanning these files can prevent the files from being used or may prevent a security policy from being applied to the files. These files should not be scanned because antivirus software may not correctly treat them as proprietary database files.

f.        Turn off scanning of Group Policy related files

Group Policy user registry information. These files are located in the following folder:

  • %allusersprofile%\

Specifically, exclude the following file:

  • NTUser.pol

Group Policy client settings file. This file is located in the following folder:

  • %Systemroot%\System32\GroupPolicy\

Specifically, exclude the following file:

  • Registry.pol

g.    Windows Server Failover Cluster Service (only if it is deployed)

 

  • The %Systemroot%\Cluster folder.
  • The temp folder for the Cluster Service account. For example, exclude the \clusterserviceaccount\Local Settings\Temp folder from virus scanning.
  • The path of the \mscs folder on the quorum hard disk. For example, exclude the Q:\mscs folder from virus scanning.

  

If your antivirus is Microsoft Forefront Endpoint Protection (FEP) you may use the Preconfigured Policy Templates for different server roles and Microsoft applications.

 

References:

http://social.technet.microsoft.com/wiki/contents/articles/953.windows-anti-virus-exclusion-list.aspx

Enterprise Configuration Recommendations:

http://support.microsoft.com/kb/822158  

Windows:

http://support.microsoft.com/kb/822158

Windows / Active Directory:

http://support.microsoft.com/kb/822158  
http://support.microsoft.com/kb/837932  
http://support.microsoft.com/kb/943556 

Cluster:

http://support.microsoft.com/kb/250355

SQL:

http://support.microsoft.com/kb/309422