The Operations Manager Support Team Blog : Anti-virus software may ca...

http://blogs.technet.com/operationsmgr/archive/2009/01/22/anti-virus-sof...

The Operations Manager Support Team Blog

Anti-virus software may cause script failures in OpsMgr 2007
We've been getting a few calls on this here in product support so I think it's probably worth a quick mention just in case you happen to run into it too. Usually the call will start out where the customer says he or she is running System Center Operations Manager 2007 and receiving Alerts (Warning severity) similar to the following: Script or Executable Failed to run The process started at 10:41:22 AM failed to create System.PropertyBagData, no errors detected in the output. The process exited with 1 Command executed: "C:\WINDOWS\system32\cscript.exe" //nologo "C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 73\3456\ScriptName.vbs" Working Directory: C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 73\3456\ One or more workflows were affected by this. And you know what usually turns out to be the problem? If you read the title of this post then you probably do but I'll say it again anyway. Usually it's anti-virus software that for whatever reason is blocking VBS or JS scripts. Fortunately the solution to this is easy: Configure your anti-virus software to not block the OpsMgr scripts from running. How you do that will depend on the A/V software you use so if you're unsure you'll probably have to check the documentation for your particular anti-virus product. I hope you don't run into this yourself but if you do at least maybe this will help save you some time tracking down the problem. J.C. Hornbeck | Manageability Knowledge Engineer Posted: Thursday, January 22, 2009 8:57 PM by jchornbe Filed under: OpsMgr, Script, Troubleshoot Comments SMS&MOM said:
Just an FYI that I posted a note about an issue we're seeing in product support relating to script errors

# January 22, 2009 4:02 PM

The Configuration Manager Support Team Blog said:

Earlier today I posted about an issue we're seeing with some degree of frequency in our OpsMgr support

# January 22, 2009 5:24 PM

Rod Trent at myITforum.com said:

1 of 2

5/20/2009 3:28 PM

The Operations Manager Support Team Blog : Anti-virus software may ca...

http://blogs.technet.com/operationsmgr/archive/2009/01/22/anti-virus-sof...

  Earlier today I posted about an issue we're seeing with some degree of frequency in our OpsMgr

# January 22, 2009 5:42 PM

Scott Moss at myITforum.com said:

See this blog post for more details. For those of you who did not get a chance to deal with anti-virus

# January 22, 2009 9:00 PM

Cliff Hobbs - FAQShop.com and Microsoft MVP ConfigMgr/ SMS said:

Earlier today I posted about an issue we're seeing with some degree of frequency in our OpsMgr support

# January 23, 2009 9:41 AM

Cliff Hobbs at myITforum.com said:

Earlier today I posted about an issue we're seeing with some degree of frequency in our OpsMgr support

# January 23, 2009 9:49 AM

Rod Trent at myITforum.com said:

Anti-virus software may cause script failures in OpsMgr 2007 Feed: The Operations Manager Support Team

# January 26, 2009 10:39 AM

Cliff Hobbs - FAQShop.com and Microsoft MVP ConfigMgr/ SMS said:

We've been getting a few calls on this here in product support so I think it's probably worth

# January 27, 2009 6:24 AM

Anonymous comments are disabled 2009 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement

2 of 2

5/20/2009 3:28 PM

Nick MacKechnie : Antivirus exclusions for Operations Manager 2007

http://blogs.msdn.com/nickmac/archive/2008/07/18/antivirus-exclusions-f...

Welcome to MSDN Blogs Sign in | Join | Help

Nick MacKechnie

Stuck somewhere between family life and IT...

Antivirus exclusions for Operations Manager 2007 Hi All, We had some customers ask what they should exclude in terms antivirus for Operations Manager 2007, I was passed this information from a colleage. 1. The database server could be treated similar to normal SQL servers. Guidelines for configuring AV software on SQL servers along with clustering considerations Some antivirus programs cause issues with MSCS, how to fully disable filter drivers from monitoring shared cluster disks. 2. For the application side, there is no official document for SCOM AV exclusions, however, the product team recommends you consider excluding the following folders: I. Operations Manager Server: \Program Files\System Center Operations Manager\...\Health Service State and all sub-directories %windir\temp% or other directory depends on the directory store for the ETL files (defined in starttracing.cmd) II. Operations Manager Agent: \Program Files\System Center Operations Manager\...\Health Service State and all sub-directories %windir\temp% or other directory depends on the directory store for the ETL files (defined in starttracing.cmd) III. Database server: OpsMgr /DW database directory and all other database directories IV. OpsMgr Console: \Documents and Settings\<USER>\Local Settings\...\Microsoft.MOM.UI.Console V. In addition to the following directories: %installdir%\Health Service State %installdir%\Config Service State %installdir%\SDK Service State %installdir%\tools\tmf %windir%\temp\OpsMgrTrace VI. Additionally, checking http://blogs.technet.com/kevinholman/archive/2007/12/12/antivirusexclusions-for-mom-and-opsmgr.aspx VII. A recommendation about excluding File Type Extension of EDB, CHK, and LOG from the AV scanning scope. Nick.

1 of 2

5/20/2009 3:29 PM

Nick MacKechnie : Antivirus exclusions for Operations Manager 2007

http://blogs.msdn.com/nickmac/archive/2008/07/18/antivirus-exclusions-f...

Published Friday, July 18, 2008 3:17 PM by nickmac Filed under: SCOM 2007, MOM, System Center, Operations, Antivirus

Comments
# OpsMgr 2007: Antivirus software may cause script failures in Operations Manager 2007

See this blog post for more details. For those of you who did not get a chance to deal with anti-virus Thursday, January 22, 2009 9:00 PM by Scott Moss at myITforum.com Anonymous comments are disabled
2009 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement

2 of 2

5/20/2009 3:29 PM

Kevin Holman's OpsMgr Blog : Antivirus Exclusions for MOM and OpsMgr

http://blogs.technet.com/kevinholman/archive/2007/12/12/antivirus-exclu...

Welcome to TechNet Blogs Sign in | Join | Help

Kevin Holman's OpsMgr Blog

Posts in this blog are provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified in the Terms of Use Are you interested in having a dedicated engineer that will be your Microsoft 'go to' technical resource, work with you on projects, provide training and also help troubleshoot problems that come up? Then Dedicated Support Engineering (DSE) is for you. Learn more at Microsoft Premier Services or contact your Technical Account Manager. Antivirus Exclusions for MOM and OpsMgr

Antivirus Exclusions in MOM 2005 and OpsMgr 2007:

Processes:
Excluding by process executable is very dangerous, in that it limits the control of scanning potentially dangerous les handled by the process, because it excludes any and all les involved. For this reason, unless absolutely necessary, we will not exclude any process executables in AV congurations for MOM servers. If you do want to exclude the processes they are documented below: MOM 2005 momhost.exe OpsMgr 2007 monitoringhost.exe

Exclusion by Directories:
Realtime, scheduled scanner and local scanner le extension specic exclusions for Operations Manager: The directories listed here are default application directories. You may need to modify these paths based on your client specic designs. Only the following MOM\OpsMgr related directories should be excluded. Important Note: When a directory to be excluded is greater than 8 characters in length, add both the short and long le names of the directory into the exclusion list. To traverse the subdirectories, this is required by some AV programs. SQL Database Servers: These include the SQL Server database les used by Operations Manager components as well as system database les for the master database and tempdb. To exclude these by directory, exclude the directory for the LDF and MDF les: Examples: C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data D:\MSSQL\DATA E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Log

1 of 3

5/20/2009 3:29 PM

Kevin Holman's OpsMgr Blog : Antivirus Exclusions for MOM and OpsMgr

http://blogs.technet.com/kevinholman/archive/2007/12/12/antivirus-exclu...

MOM 2005 (management servers and agents): These include the queue and log les used by Operations Manager. Example: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Operations Manager\

OpsMgr 2007 (management servers and agents): These include the queue and log les used by Operations Manager. Example: C:\Program Files\System Center Operations Manager 2007\Health Service State\Health Service Store

Exclusion of File Type by Extensions:

Realtime, scheduled scanner and local scanner le extension specic exclusions for Operations Manager: SQL Database Servers: These include the SQL Server database les used by Operations Manager components as well as system database les for the master database and tempdb. Examples: MDF, LDF MOM 2005 (management servers and agents): These include the queue and log les used by Operations Manager. Example: WKF, PQF, PQF0, PQF1 OpsMgr 2007 (management servers and agents): These include the queue and log les used by Operations Manager. Example: EDB, CHK, LOG.

Notes:
Page les should also be excluded from any real time scanning. Published Wednesday, December 12, 2007 5:05 PM by kevinhol Filed under: agents

2 of 3

5/20/2009 3:29 PM

Kevin Holman's OpsMgr Blog : Antivirus Exclusions for MOM and OpsMgr

http://blogs.technet.com/kevinholman/archive/2007/12/12/antivirus-exclu...

Comment Notification If you would like to receive an email when updates are made to this post, please register here Subscribe to this post's comments using RSS

Comments
# Antivirus exclusions for Operations Manager 2007

Thursday, July 17, 2008 10:17 PM by Nick MacKechnie Hi All, We had some customers ask what they should exclude in terms antivirus for Operations Manager
# OpsMgr 2007: Antivirus software may cause script failures in Operations Manager 2007

Thursday, January 22, 2009 9:00 PM by Scott Moss at myITforum.com See this blog post for more details. For those of you who did not get a chance to deal with anti-virus
2009 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement

3 of 3

5/20/2009 3:29 PM

Guidelines for choosing antivirus software to run on the computers that are...

http://support.microsoft.com/kb/309422/

Article ID: 309422 - Last Review: October 8, 2008 - Revision: 13.0

Guidelines for choosing antivirus software to run on the computers that are running SQL Server
This article was previously published under Q309422

This article provides general guidelines to help you decide which type of antivirus software to run on the computers that are running SQL Server in your environment.

Microsoft strongly recommends that you individually assess the security risk for each computer that is running SQL Server in your environment and that you select the tools that are appropriate for the security risk level of each computer that is running SQL Server. Additionally, Microsoft recommends that before you roll out any virus protection project, test the whole system under a full load to measure any changes to stability and performance. Virus protection software requires some system resources to execute. You must perform testing before and after you install your antivirus software to determine if there is performance impact to the computer that is running SQL Server.

Security risk factors

The The The The value to your business of the information that is stored on the computer. required security level for that information. cost of losing access to that information. risk of either virus or bad information propagating from that computer.

High-risk servers
Any server is at some risk of infection. The highest risk servers generally meet one or more of the following criteria: The servers are on the public Internet. The servers have open ports to servers that are not behind a firewall. The servers read or execute files from other servers. The servers run HTTP servers, such as Microsoft Internet Information Services (IIS) or Apache. (For example: SQL XML for SQL Server 2000.) The servers are also hosting file shares. The servers use SQL Mail to handle inbound or outbound e-mail messages. Servers that do not meet the criteria for a high-risk server are generally at a lower risk, although not always.

Virus tool types

Active virus scanning: This type of scanning checks incoming and outgoing files for viruses. Virus sweep software: Virus sweep software scans existing files for file infection. It detects files after they are infected with a virus. This type of scanning may cause the following SQL Server database recovery and SQL Server full-text catalog file issues: If the virus sweep has opened a database file and still has it open when SQL Server tries to open the database (such as when SQL Server starts or when SQL Server opens a database that AutoClose has closed), the database to which the file belongs might be marked suspect. The SQL Server database files typically have the .mdf, .ldf, and .ndf file suffixes. If the virus sweep software has a SQL Server full-text catalog file open when the Microsoft Search service (MSSearch) tries to access the file, you may experience problems with the full text catalog. Vulnerability scanning software: The Microsoft Security Tool Kit CD includes best practice guidelines, information about securing your system, and service packs and patches that can protect your system against virus attacks. It also provides Microsoft tools to help you secure your systems and keep them secure. To download it, visit the following Microsoft Web site: http://www.microsoft.com/security/ (http://www.microsoft.com/security/) Antispyware software: Spyware and unwanted software refers to software that performs certain tasks on your

1 of 4

5/20/2009 5:04 PM

Guidelines for choosing antivirus software to run on the computers that are...

http://support.microsoft.com/kb/309422/

computer, typically without your consent. For more information about how to help protect the computer from spyware and unwanted software, visit the following Microsoft Web site: http://www.microsoft.com/protect Additionally, Microsoft /computer/spyware/default.mspx (http://www.microsoft.com/protect/computer/spyware/default.mspx) has released the Microsoft Windows Malicious Software Removal Tool to help remove specific, prevalent malicious software from computers that are running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000. For more information about the Microsoft Windows Malicious Software Removal Tool, click the following article number to view the article in the Microsoft Knowledge Base: 890830 (http://support.microsoft.com/kb/890830/ ) The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000

Directories to exclude from virus scanning

When you configure your antivirus software settings, make sure that you exclude the following files and directories from virus scanning. Doing this improves the performance of the files and helps make sure that the files are not locked when the SQL Server service must use them. However, if these files become infected, your antivirus software will not unable to detect the infection. SQL Server data files These files usually have one of the following file name extensions: .mdf .ldf .ndf SQL Server backup files These files frequently have one of the following file name extensions: .bak .trn Full-Text catalog files The directory that holds Analysis Services data Note The directory that holds all Analysis Services 2005 data and Analysis Services 2008 data is specified by the DataDir property of the Analysis Services instance. By default, the path of this directory is C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data. If you use Analysis Services 2000, you can view and change the data directory by using Analysis Manager. To do this, follow these steps: 1. In Analysis Manager, right-click the server, and then click Properties. 2. In the Properties dialog box, click the General tab. The directory appears under Data folder. The directory that holds Analysis Services temporary files that are used during Analysis Services processing Note The directory that holds all Analysis Services 2005 and Analysis Services 2008 temporary files during processing is specified by the TempDir property of the Analysis Services instance. By default, this property is empty. When this property is empty, the default directory is used. This directory is C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data. If you use Analysis Services 2000, you can view and change the directory that holds temporary files in Analysis Manager. To do this, follow these steps: 1. In Analysis Manager, right-click the server, and then click Properties. 2. In the Properties dialog box, click the General tab. 3. On the General tab, notice Note the directory under Temporary file folder. Optionally, you can add a second temporary directory for Analysis Services 2000 by using the TempDirectory2 registry entry. If you use this registry entry, consider excluding from virus scanning the directory to which this registry entry points. For more information about the TempDirecotry2 registry entry, see the "TempDirectory2" section of the following Microsoft Developer Network (MSDN) Web site: http://msdn.microsoft.com/en-us /library/aa902654(SQL.80).aspx#sql2k_anservregsettings_topic52 (http://msdn.microsoft.com/en-us/library
/aa902654(SQL.80).aspx#sql2k_anservregsettings_topic52)

Analysis Services backup files

2 of 4

5/20/2009 5:04 PM

Guidelines for choosing antivirus software to run on the computers that are...

http://support.microsoft.com/kb/309422/

Note By default, in Analysis Services 2005 and in Analysis Services 2008, the backup file location is the location that is specified by the BackupDir property. By default, this directory is C:\Program Files\Microsoft SQL Server\MSSQL.X \OLAP\Backup. You can change this directory in the Analysis Services instance properties. Any backup command can point to a different location. Or, the backup files may be copied elsewhere. The directory that holds Analysis Services log files Note By default, in Analysis Services 2005 and in Analysis Services 2008, the backup file location is the location that is specified by the LogDir property. By default, this directory is C:\Program Files\Microsoft SQL Server\MSSQL.X \OLAP\Log. Directories for any Analysis Services 2005 or Analysis Services 2008 partitions that are not stored in the default data directory When you create the partitions, these locations are defined in the Storage location section of the Processing and Storage Locations page of the Partition Wizard.

Considerations for clustering

You can run antivirus software on a SQL Server cluster, but you must make sure that the antivirus software is a cluster-aware version. Contact your antivirus vendor about cluster-aware versions and interoperability. If you are running antivirus software on a cluster, make sure that you also exclude these locations from virus scanning: Q:\ (Quorum drive) c:\Windows\Cluster If you back up the database to a disk or if you back up the transaction log to a disk, you can exclude the backup files from the virus scanning.

For updated security related information, Microsoft recommends that you subscribe to the security alert alias. To subscribe, visit the following Microsoft Web site, and then view the Security Bulletins To find general information regarding section: http://www.microsoft.com/security/ (http://www.microsoft.com/security/) SQL Server security, including best practices, various security models, and security bulletins, visit the following Microsoft Web site: http://www.microsoft.com/sql/technologies/security/default.mspx (http://www.microsoft.com/sql/technologies
/security/default.mspx)

For more information about additional antivirus considerations on a cluster, click the following article 250355 (http://support.microsoft.com/kb/250355/ ) Antivirus

number to view the article in the Microsoft Knowledge Base: software may cause problems with Cluster services

APPLIES TO
Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft SQL SQL SQL SQL SQL SQL SQL SQL SQL SQL SQL SQL SQL SQL SQL SQL Server Server Server Server Server Server Server Server Server Server Server Server Server Server Server Server 7.0 Standard Edition 2000 Developer Edition 2000 Enterprise Edition 2000 Enterprise Edition 64-bit 2000 Personal Edition 2000 Standard Edition 2005 Standard Edition 2005 Developer Edition 2005 Enterprise Edition 2005 Express Edition 2005 Workgroup Edition 2008 Developer 2008 Enterprise 2008 Standard 2008 Web 2008 Workgroup

3 of 4

5/20/2009 5:04 PM

Guidelines for choosing antivirus software to run on the computers that are...

http://support.microsoft.com/kb/309422/

Keywords: kbsql2005cluster kbinfo KB309422

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Help and Support

2009 Microsoft

4 of 4

5/20/2009 5:04 PM

Antivirus software that is not cluster-aware may cause problems with Clus...

http://support.microsoft.com/kb/250355

Article ID: 250355 - Last Review: February 18, 2009 - Revision: 5.0

Antivirus software that is not cluster-aware may cause problems with Cluster Services
This article was previously published under Q250355

Antivirus software that is not cluster-aware may cause unexpected problems on a server that is running Cluster Services. For example, you may experience resource failures or problems when you try to move a group to a different node.

Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk. Note Antivirus software helps protect your computer from viruses. You must not download or open files from sources that you do not trust, visit Web sites that you do not trust, or open e-mail attachments when the antivirus software is disabled. For more information about computer viruses, click the following article number to view the article in the Microsoft Knowledge Base: 129972 (http://support.microsoft.com/kb/129972/ ) Computer viruses: description, prevention, and recovery Most antivirus software uses filter drivers (device drivers) that work together with a service to scan for viruses. These filter drivers reside above the file system recognizer and scan files as they are opened and closed on a local hard disk. Antivirus software may not understand the shared disk model and may not correctly allow for failover. If you are troubleshooting failover issues or general problems with a Cluster services and antivirus software is installed, temporarily uninstall the antivirus software or check with the manufacturer of the software to determine whether the antivirus software works with Cluster services. Just disabling the antivirus software is insufficient in most cases. Even if you disable the antivirus software, the filter driver is still loaded when you restart the computer. For more information about how to fully disable antivirus software, click the following article number to view the article in the Microsoft Knowledge Base: 240309 (http://support.microsoft.com/kb/240309/ ) How to fully disable antivirus software from filtering files Even if you are not monitoring the shared disk, the filter drivers are still loaded and may affect the operation of the cluster. You can run antivirus software on a SQL Server cluster. However, you must make sure that the antivirus software is clusteraware. Contact your antivirus software vendor about cluster-aware versions and interoperability. Additionally, you should exclude the following file system locations from virus scanning on a server that is running Cluster Services: The path of the \mscs folder on the quorum hard disk. For example, exclude the Q:\mscs folder from virus scanning. The %Systemroot%\Cluster folder. The temp folder for the Cluster Service account. For example, exclude the \clusterserviceaccount\Local Settings\Temp folder from virus scanning.

For more information about running antivirus software on servers that are running SQL Server, click the following article number to view the article in the Microsoft Knowledge Base: 309422 (http://support.microsoft.com/kb/309422/ ) Guidelines for choosing antivirus software to run on the computers that are running SQL Server

APPLIES TO

1 of 2

5/20/2009 5:05 PM

Antivirus software that is not cluster-aware may cause problems with Clus...

http://support.microsoft.com/kb/250355

Microsoft Microsoft Microsoft Microsoft Microsoft

Windows Windows Windows Windows Windows

Server 2003, Enterprise Edition (32-bit x86) Server 2003, Datacenter Edition (32-bit x86) 2000 Advanced Server 2000 Datacenter Server NT Server 4.0 Enterprise Edition

Keywords: kb3rdparty kbclustering kbinfo KB250355

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Help and Support

2009 Microsoft

2 of 2

5/20/2009 5:05 PM