Microsoft generally recommends that servers are protected against viruses using anti-virus software. The alternative is to adequately harden and lower the software attack surface of the server, together with physical network segmentation, firewalls etc. For customers that will deploy anti-virus software, Microsoft has some specific guidance for configuring antivirus exclusions on Windows/SAP/SQL Server environments.
In particular, it is our recommendation that database files should not be scanned. Online scans add IO load and may also cause contention issues. It is therefore necessary to exclude some files or directories from AV scans in order to protect the performance of a SAP installation.
Previous guidance was detailed in the following blog entry:
This blog entry is now a little outdated, and in some cases it gave no specific guidance on what should be excluded based on which SAP software and components are installed.
For the most commonly installed software and components here are specific recommendations.
In some cases it might not be enough to exclude the data files; it might also be necessary to exclude the directories that contain them. Normally on SAP systems the SQL Server files are in their own individual directories, e.g.:
If there are more than 10 SAPDATA directories it might be necessary to use the following, as not all antivirus products support the asterisk (*) in directory exclusions:
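The following PowerShell script is an added example and is not part of the original post. It enumerates the SAPDATA directories that actually exist under a data root (so each one can be listed explicitly instead of relying on a wildcard), compares that set with the path exclusions currently configured in Windows Defender, and only adds what is missing. The root path and the SAPDATA naming pattern are assumptions; adjust them to your layout. It uses the Get-MpPreference and Add-MpPreference cmdlets from the Defender module, so it applies to Defender rather than to every antivirus product discussed on the page.

```powershell
# Added example, not from the original post: build an explicit SAPDATA exclusion list
# and apply/verify it with the Windows Defender cmdlets.
# Assumptions: SAPDATA directories are named SAPDATA1..N directly under $DataRoot,
# and the Defender PowerShell module (Get-MpPreference / Add-MpPreference) is present.
param(
    [string]$DataRoot = 'D:\SAPDATA_ROOT_PLACEHOLDER',   # hypothetical root; replace with the real one
    [switch]$Apply                                         # without -Apply the script only reports
)

# Enumerate the real SAPDATA<n> directories instead of relying on a wildcard,
# since not every AV product honours '*' in directory exclusions.
function Get-SapDataDirectories {
    param([string]$Root)
    Get-ChildItem -Path $Root -Directory -ErrorAction Stop |
        Where-Object { $_.Name -match '^SAPDATA\d+$' } |
        Sort-Object { [int]($_.Name -replace '\D', '') } |
        ForEach-Object { $_.FullName }
}

# Compare the desired exclusion set against what Defender currently has configured.
function Compare-Exclusions {
    param([string[]]$Desired)
    $current = @((Get-MpPreference).ExclusionPath)
    $missing = @($Desired | Where-Object { $current -notcontains $_ })
    [pscustomobject]@{ Desired = $Desired; Current = $current; Missing = $missing }
}

$dirs = @(Get-SapDataDirectories -Root $DataRoot)
if ($dirs.Count -eq 0) {
    Write-Warning "No SAPDATA directories found under $DataRoot"
    return
}

$state = Compare-Exclusions -Desired $dirs
if ($state.Missing.Count -eq 0) {
    Write-Host "All $($dirs.Count) SAPDATA directories are already excluded."
    return
}
Write-Host "Missing exclusions:"
$state.Missing | ForEach-Object { Write-Host "  $_" }

if ($Apply) {
    # Add-MpPreference appends to the existing exclusion list; it does not replace it.
    Add-MpPreference -ExclusionPath $state.Missing
    # Re-read the configuration so the change is confirmed rather than assumed.
    $after = Compare-Exclusions -Desired $dirs
    if ($after.Missing.Count -ne 0) {
        throw "Exclusions still missing after apply: $($after.Missing -join ', ')"
    }
    Write-Host "Exclusions applied and verified."
}
```

Run it once without -Apply to see which directories are not yet excluded, then with -Apply to add them. Because the script reads the configuration back after the change, it doubles as a periodic check that the exclusions have not been removed by a policy refresh.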
If you are using Forefront, turn off scanning of the Forefront database file (tmp.edb). This file is located in the following folder:
Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder:
Specifically, exclude the following files:
Add the following files in the %windir%\Security\Database path of the exclusions list:
Note: if these files are not excluded, antivirus software may prevent proper access to them, which can result in the security databases becoming corrupted. Scanning these files can prevent them from being used or may prevent a security policy from being applied. These files should not be scanned because antivirus software may not correctly treat them as proprietary database files.
Group Policy user registry information. These files are located in the following folder:
Specifically, exclude the following file:
Group Policy client settings file. This file is located in the following folder:
If your antivirus is Microsoft Forefront Endpoint Protection (FEP), you may use the preconfigured policy templates for different server roles and Microsoft applications.
http://support.microsoft.com/kb/822158
http://support.microsoft.com/kb/837932
http://support.microsoft.com/kb/943556