One of the first steps in implementing antivirus protection is the creation of antivirus policies. On a
product-by-product basis, software vendors generally publish which files, folders, processes and file
extensions should be excluded from scanning by an antivirus product. This is not a strict requirement,
but it is generally done to improve the performance and/or stability of a system. In the end it is a
trade-off between stability and performance on one side and security on the other, and it should be
handled case by case for each specific product.
This article describes the exclusions Microsoft provides for its products, specifically for:
Transport-level or product-aware scanners such as Kaspersky Anti-Virus for Microsoft ISA Server and
Kaspersky Security for Microsoft Exchange Server are out of the scope of this document, as are
non-Windows clients and servers. In some cases additional configuration, such as disabling the firewall
component of the antivirus software, is required for optimal operation of a server; however, agent
configuration beyond exclusions is out of scope.
Many of these items are also included in the default exclusion list shipped with KES 10 and WSEE 8.0;
however, additional configuration may be required on a case-by-case basis. We have also included
citations for the specific Microsoft pages that discuss the exclusions in each section. All
recommendations below are given for default paths; if you use non-default locations, adjust these
settings accordingly. All settings should be applied temporarily at first in order to evaluate the system.
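Because an excluded folder is a blind spot for the scanner, the check worth running before an exclusion goes live is whether low-privilege users can write to that folder: a world-writable excluded folder is a place where anything can be dropped without ever being scanned. The following PowerShell script is an added example, not part of the original article and not Kaspersky product code; it assumes it runs locally on the server being evaluated with rights to read ACLs, and the candidate path list inside it is constructed for illustration.

```powershell
# Added example, not from the original article: audit candidate exclusion
# folders for write access by low-privilege principals. An excluded folder that
# any local user can write to is a location the scanner never inspects.
# Assumes it runs on the server being evaluated with rights to read ACLs.

# Constructed sample list; replace with the paths you intend to exclude.
$candidatePaths = @(
    "$env:SystemRoot\System32\DHCP",
    "$env:SystemRoot\System32\Dns",
    "$env:SystemRoot\SoftwareDistribution\Download"
)

# Well-known SIDs are compared instead of names so localized group names still match.
$lowPrivilegeSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Any of these rights lets a principal create or change files in the folder.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Test-ExclusionPathRisk {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Risky = $false; WritableBy = @() }
    }

    $acl = Get-Acl -LiteralPath $Path
    $writableBy = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity (e.g. orphaned SID); skip it
        $hasWrite = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
        if ($hasWrite -and $lowPrivilegeSids.ContainsKey($sid)) {
            $writableBy += $lowPrivilegeSids[$sid]
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        Risky      = ($writableBy.Count -gt 0)
        WritableBy = $writableBy
    }
}

$candidatePaths | ForEach-Object { Test-ExclusionPathRisk -Path $_ } |
    Format-Table Path, Exists, Risky, @{ n = 'WritableBy'; e = { $_.WritableBy -join ', ' } } -AutoSize
```

A folder reported as Risky is a candidate for tightening its ACL, or for a narrower exclusion (specific file patterns rather than the whole tree), before the rule is added to the policy.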
In the current article you can find exclusions for:
Virus Scan Exclusions for Microsoft Products (page 1)
  General Exclusions for Microsoft Windows 2008 R2, Windows 2008, Windows 2003 R2, Windows 2003, Windows 2000, Windows 7, Windows Vista and Windows XP (page 3)
    Windows Updates or Automatic Updates related files (database) (page 3)
    Windows Updates or Automatic Updates related files (logs) (page 4)
    Windows Security files (page 4)
    Group Policy related files (page 4)
    Print Spooler (page 4)
    Paging file (page 4)
    MSMQ (page 4)
  Domain Controllers on Microsoft Windows 2008 R2, Windows 2008, Windows 2003 R2, Windows 2003, Windows 2000 (page 5)
    Active Directory related files (NTDS database) (page 5)
    Active Directory related files (transaction logs) (page 5)
Page 1 of 29
Information about how to add these exclusions is located at the end of article.
DHCP Servers
By default, DHCP-related files are located in %systemroot%\System32\DHCP.
Exclude the following files in this folder and all its subfolders:
*.mdb
*.pat
*.log
*.chk
*.edb
A non-default database path can be found in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
Please use this link for more detailed information.
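The registry key above is where the DHCP Server service records its database folder, so the safe way to write the exclusion is to read the folder from the key rather than assume the default. The following PowerShell script is an added example, not from the original article; it assumes the DHCP Server role is installed on the local machine, reads the DatabasePath value of that key (the REG_EXPAND_SZ value the service uses for its database folder), falls back to the default from the article if the value is absent, and builds the exclusion rules from the file patterns listed above.

```powershell
# Added example, not from the original article: resolve the folder the DHCP
# Server service really uses from the registry key named in the article, then
# build the exclusion list from the article's file patterns. Assumes the DHCP
# Server role is installed on the local machine.

$dhcpParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'
$defaultFolder = Join-Path $env:SystemRoot 'System32\DHCP'
$filePatterns  = '*.mdb', '*.pat', '*.log', '*.chk', '*.edb'   # from the article

function Get-DhcpDatabaseFolder {
    if (-not (Test-Path -LiteralPath $dhcpParamsKey)) {
        throw "Registry key $dhcpParamsKey not found; is the DHCP Server role installed?"
    }
    # DatabasePath (REG_EXPAND_SZ) holds the database folder; Get-ItemProperty
    # already expands %SystemRoot%. Fall back to the default if the value is unset.
    $props  = Get-ItemProperty -LiteralPath $dhcpParamsKey
    $folder = if ([string]::IsNullOrWhiteSpace($props.DatabasePath)) { $defaultFolder } else { $props.DatabasePath }
    [System.Environment]::ExpandEnvironmentVariables($folder).TrimEnd('\')
}

function Get-DhcpExclusionRules {
    $folder = Get-DhcpDatabaseFolder
    if ($folder -ne $defaultFolder.TrimEnd('\')) {
        Write-Warning "DHCP database is at a non-default location: $folder"
    }
    # One rule per pattern, scoped to the resolved folder. The article says the
    # rule must also cover subfolders, so each rule carries a Recurse flag.
    foreach ($pattern in $filePatterns) {
        [pscustomobject]@{ Folder = $folder; Pattern = $pattern; Recurse = $true }
    }
}

function Get-DhcpFilesMatchingRules {
    # Lists the files that exist right now and that the rules would cover, so the
    # rules can be confirmed against real files before the policy is rolled out.
    $folder = Get-DhcpDatabaseFolder
    Get-ChildItem -LiteralPath $folder -Recurse -File -Include $filePatterns -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Get-DhcpExclusionRules      | Format-Table -AutoSize
Get-DhcpFilesMatchingRules  | Format-Table -AutoSize
```

The same pattern (read the service's own configuration, then derive the rule) applies to the DNS and WINS sections below; only the registry key and the file patterns change.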
DNS Servers
By default, DNS-related files are located in %systemroot%\System32\Dns.
Exclude the following files in this folder and all its subfolders:
*.log
*.dns
BOOT
Please use this link for more detailed information.
WINS Servers
By default, WINS-related files are located in %systemroot%\System32\Wins.
Exclude the following files in this folder and all its subfolders:
*.chk
*.log
*.mdb
Please use this link for more detailed information.
WSUS Servers
Exclude:
Wsusscan.cab
Wsusscn2.cab
\WSUS\WSUSContent
\WSUS\UpdateServicesDBFiles
\SoftwareDistribution\Datastore
\SoftwareDistribution\Download
Please use this link and this link for more detailed information.
Server Clusters
Exclude:
Q:\ (Quorum drive): the path of the \mscs folder on the quorum hard disk. For example, exclude the Q:\mscs folder from virus scanning.
C:\Windows\Cluster: the %Systemroot%\Cluster folder.
The temp folder for the Cluster Service account. For example, exclude the \clusterserviceaccount\Local Settings\Temp folder from virus scanning.
Please use this link for more detailed information.
SQL Servers
Common Exclusions
Exclude data files:
*.mdf
*.ndf
Exclude logs:
*.ldf
Exclude backup files:
*.bak
*.trn
Exclude SQL Audit Files
*.sqlaudit
Exclude SQL Trace Files
*.trc
Exclude full-text catalog files:
FTData folders
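SQL Server data and log files are often placed on dedicated volumes rather than under the default instance folder, so the extension patterns above only help if the rule is scoped to the folders the instance actually uses. The following PowerShell script is an added example, not from the original article; it queries the instance's own catalog view sys.master_files through the built-in System.Data.SqlClient provider with integrated Windows authentication, reports the distinct data and log directories, and flags any file whose extension the patterns above would not match. The instance name in it is an assumption to be replaced with your own.

```powershell
# Added example, not from the original article: list the directories that
# actually hold SQL Server data (*.mdf/*.ndf) and log (*.ldf) files on an
# instance, so exclusions cover non-default locations. Uses the built-in
# System.Data.SqlClient provider with integrated Windows authentication.
# The instance name is an assumption; change it for your server.

$instance = 'localhost'   # assumed; use 'SERVER\INSTANCE' for a named instance

function Get-SqlDatabaseFiles {
    param([string]$ServerInstance = $instance)

    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$ServerInstance;Database=master;Integrated Security=SSPI;"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # sys.master_files lists every data and log file of every database on the
        # instance. type_desc is ROWS for data files and LOG for transaction logs.
        $cmd.CommandText = 'SELECT DB_NAME(database_id) AS db, type_desc, physical_name FROM sys.master_files'
        $reader = $cmd.ExecuteReader()
        $rows = @()
        while ($reader.Read()) {
            $physical = [string]$reader['physical_name']
            $rows += [pscustomobject]@{
                Database  = [string]$reader['db']
                Kind      = [string]$reader['type_desc']
                Directory = [System.IO.Path]::GetDirectoryName($physical)
                Extension = [System.IO.Path]::GetExtension($physical).ToLower()
            }
        }
        $reader.Close()
        $rows
    } finally {
        $conn.Close()
    }
}

# Extensions the article's common exclusions cover for data and log files.
$coveredExtensions = '.mdf', '.ndf', '.ldf'

$files = Get-SqlDatabaseFiles

# Distinct folders to scope the exclusion rules to, one line per kind and folder.
$files | Sort-Object Kind, Directory -Unique | Select-Object Kind, Directory | Format-Table -AutoSize

# Files whose extension no pattern above would match (a database created with an
# unusual file name) need an explicit rule of their own.
$files | Where-Object { $coveredExtensions -notcontains $_.Extension } |
    Select-Object Database, Kind, Directory, Extension | Format-Table -AutoSize
```

The paths returned are as seen by the SQL Server service, so when the query is run against a remote instance the exclusions must be created on that server, not on the machine running the script.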
Logs
Configuration storage
Cache storage
Applications processes
General folders and files mentioned in sections above
ISA/Forefront-aware antivirus program folders.
ISA 2000
Exclude:
%ProgramFiles%\Microsoft ISA Server
%ProgramFiles%\Microsoft ISA Server\ISALogs
ISA Server Web cache
%ProgramFiles%\Microsoft ISA Server\dailysum.exe
%ProgramFiles%\Microsoft ISA Server\repgen.exe
%ProgramFiles%\Microsoft ISA Server\mspadmin.exe
%ProgramFiles%\Microsoft ISA Server\w3prefch.exe
%ProgramFiles%\Microsoft ISA Server\wspsrv.exe
ISA 2004/2006 SE/EE
Exclude:
%ProgramFiles%\Microsoft ISA Server
%ProgramFiles%\Microsoft SQL Server
ISA Server Web cache
%ProgramFiles%\Microsoft ISA Server\dailysum.exe
%ProgramFiles%\Microsoft ISA Server\isastg.exe
%ProgramFiles%\Microsoft ISA Server\mspadmin.exe
%ProgramFiles%\Microsoft ISA Server\w3prefch.exe
%ProgramFiles%\Microsoft ISA Server\wspsrv.exe
%ProgramFiles%\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL$MSFW\sqlservr.exe
%WinDir%\System32\dsamain.exe (Enterprise version only)
IAG 2007
Exclude:
The same files which were excluded for IIS.
The same files which were excluded for ISA 2006.
c:\whale-com\e-gap\
%WinDir%\System32\inetsrv\inetinfo.exe
%WinDir%\System32\inetsrv\w3wp.exe
%SystemDrive%\Whale-Com\e-Gap\common\bin\MonitorMgrCom.exe
%SystemDrive%\Whale-Com\e-Gap\common\bin\SessionMgrCom.exe
%SystemDrive%\Whale-Com\e-Gap\von\FileAccess\ShareAccess.exe
%SystemDrive%\Whale-Com\e-Gap\common\bin\UserMgrCom.exe
%SystemDrive%\Whale-Com\e-Gap\common\bin\whlerrsrvd.exe
%SystemDrive%\Whale-Com\e-Gap\common\bin\whlios.exe
TMG MBE
Exclude:
%ProgramFiles%\Microsoft ISA Server
%ProgramFiles(x86)%\Microsoft SQL Server
%SystemRoot%\Temp\ScanStorage
%ProgramFiles(x86)%\Microsoft ISA Server\Logs
TMG Web cache
%SystemDrive%\InetPub
%ProgramFiles(x86)%\Microsoft ISA Server\dailysum.exe
%ProgramFiles(x86)%\Microsoft ISA Server\isarepgen.exe
%ProgramFiles(x86)%\Microsoft ISA Server\isadlviewer.exe
%ProgramFiles(x86)%\Microsoft ISA Server\isastg.exe
%ProgramFiles(x86)%\Microsoft ISA Server\mspadmin.exe
%ProgramFiles(x86)%\Microsoft ISA Server\wspsrv.exe
%ProgramFiles(x86)%\Microsoft ISA Server\w3prefch.exe
%ProgramFiles(x86)%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
%ProgramFiles(x86)%\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
%ProgramFiles(x86)%\Microsoft SQL Server\90\Shared\sqlwriter.exe
%WinDir%\System32\dsamain.exe
%WinDir%\System32\inetsrv\inetinfo.exe
%WinDir%\System32\inetsrv\w3wp.exe
TMG 2010
Exclude:
%ProgramFiles%\Microsoft Forefront Threat Management Gateway
%ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS
%ProgramFiles%\Microsoft SQL Server\MSSQL10.MSFW
%SystemRoot%\Temp\ScanStorage
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\Logs\Web cache
TMG Web cache
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\dailysum.exe
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\isarepgen.exe
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\isadlviewer.exe
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\IsaManagedCtrl.exe
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\isastg.exe
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\mspadmin.exe
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\wspsrv.exe
%ProgramFiles%\Microsoft Forefront Threat Management Gateway\w3prefch.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS\MSSQL\Binn\sqlservr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS\MSSQL\Binn\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10.MSFW\MSSQL\Binn\sqlservr.exe
%WinDir%\System32\dsamain.exe
UAG 2010
Exclude:
The same files which were excluded for IIS.
The same files which were excluded for TMG 2010.
Drive:\Program Files\Microsoft Office Servers\15.0\Data (This folder is used for the indexing process. If the index files are configured to be located in a different folder, you also have to exclude that location.)
Drive:\Program Files\Microsoft Office Servers\15.0\Logs
Drive:\Program Files\Microsoft Office Servers\15.0\Bin
Drive:\Program Files\Microsoft Office Servers\15.0\Synchronization Service
Any location in which you decided to store the disk-based binary large object (BLOB) cache (for example, C:\Blobcache).
Virtualization Solutions
Hyper-V Servers
Exclude:
Vmms.exe
Vmwp.exe
C:\ProgramData\Microsoft\Windows\Hyper-V
C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks
%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
Please use this link for more detailed information.
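The Hyper-V paths listed above are the defaults; virtual hard disks and checkpoints are frequently moved to separate volumes, and any disk left outside the excluded folders will be scanned while the guest is writing to it. The following PowerShell script is an added example, not from the original article; it assumes the Hyper-V PowerShell module (Windows Server 2012 or later, which is newer than the article's baseline) and administrator rights on the host, enumerates the folders the host and every VM actually use for configuration, checkpoints and virtual disks, and reports those not covered by the article's default paths.

```powershell
# Added example, not from the original article: enumerate the folders this
# Hyper-V host actually uses for VM configuration, checkpoints and virtual hard
# disks, and report the ones the article's default paths do not cover.
# Requires the Hyper-V module (Windows Server 2012+) and administrator rights.

Import-Module Hyper-V -ErrorAction Stop

# Default locations as listed in the article.
$articleDefaults = @(
    'C:\ProgramData\Microsoft\Windows\Hyper-V',
    'C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks',
    "$env:SystemDrive\ProgramData\Microsoft\Windows\Hyper-V\Snapshots"
)

function Get-HyperVStoragePaths {
    # Note: $host is a reserved automatic variable in PowerShell, hence $vmHost.
    $vmHost = Get-VMHost
    $paths = @(
        $vmHost.VirtualMachinePath,    # host default for VM configuration files
        $vmHost.VirtualHardDiskPath    # host default for new VHD/VHDX files
    )
    foreach ($vm in Get-VM) {
        $paths += $vm.ConfigurationLocation   # where this VM's config lives
        $paths += $vm.SnapshotFileLocation    # where its checkpoint files live
        # Every attached virtual disk, wherever it was placed.
        foreach ($disk in Get-VMHardDiskDrive -VM $vm) {
            if ($disk.Path) { $paths += Split-Path -Parent $disk.Path }
        }
    }
    $paths | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique
}

function Get-UncoveredHyperVPaths {
    # Returns actual storage folders that are not inside any of the article's defaults.
    Get-HyperVStoragePaths | Where-Object {
        $actual = $_
        -not ($articleDefaults | Where-Object { $actual.StartsWith($_.TrimEnd('\'), 'OrdinalIgnoreCase') })
    }
}

"Storage folders in use on this host:"
Get-HyperVStoragePaths
""
"Folders that the article's default exclusions do not cover (add these):"
Get-UncoveredHyperVPaths
```

Each uncovered folder should be added as a folder exclusion alongside the process exclusions for Vmms.exe and Vmwp.exe listed above; the disk files inside it are written by those processes while the guest runs, which is exactly when on-access scanning of them is most disruptive.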
MED-V
Exclude:
*.VHD - These represent the Virtual Hard Disk Image files. These will appear on test workstations when test images are being used to finalize workspace policies.
*.VUD - These represent Virtual PC Undo Disk Files. These will appear on test workstations when test images are being used to finalize workspace policies.
*.VSV - These represent Virtual PC Saved State files. These will be on all MED-V clients running Workspaces.
*.CKM - This is the packed image format used by MED-V (Kidaro Compressed Machine). These will be present on MED-V Servers, Image Distribution Servers, locally packed images on MED-V Administration workstations, and as pre-staged images on clients.
*.VMC - These represent the Base Virtual Machine Settings File. These will be found on all MED-V Clients and Test Workstations.
*.INDEX - These are index files used by the TrimTransfer Feature. These will be found on both clients and servers.
*.EVHD - These are the encrypted virtual hard disk files used on MED-V Clients running workspaces.
%PROGRAMFILES%\Exchsrvr\Mailroot\vsi 1\PickUp
%PROGRAMFILES%\Exchsrvr\Mailroot\
%PROGRAMFILES%\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail
The IIS 6.0 compression folder used with Outlook Web Access 2003 is located in %systemroot%\IIS Temporary Compressed Files.
Quorum disk and %Winnt%\Cluster (for clusters).
Exchsrvr\Conndata.
Exchange-aware antivirus program folders.
Cdb.exe
Cidaemon.exe
Store.exe
Emsmta.exe
Mad.exe
Mssearch.exe
Inetinfo.exe
W3wp.exe
IP filter database, checkpoint and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter.
Temporary folders used for conversions are located in the server's TMP folder and in %Program Files%\Microsoft\Exchange Server\Working\OleConvertor.
Exchange-aware antivirus program folders.
Edgetransport.exe
Galgrammargenerator.exe
Inetinfo.exe
Mad.exe
Microsoft.Exchange.Antispamupdatesvc.exe
Microsoft.Exchange.Contentfilter.Wrapper.exe
Microsoft.Exchange.Cluster.Replayservice.exe
Microsoft.Exchange.Edgesyncsvc.exe
Microsoft.Exchange.Imap4.exe
Microsoft.Exchange.Imap4service.exe
Microsoft.Exchange.Infoworker.Assistants.exe
Microsoft.Exchange.Monitoring.exe
Microsoft.Exchange.Pop3.exe
Microsoft.Exchange.Pop3service.exe
Microsoft.Exchange.Search.Exsearch.exe
Microsoft.Exchange.Servicehost.exe
Msexchangeadtopologyservice.exe
Msexchangefds.exe
Msexchangemailboxassistants.exe
Msexchangemailsubmission.exe
Msexchangetransport.exe
Msexchangetransportlogsearch.exe
Msftefd.exe
Msftesql.exe
Oleconverter.exe
Powershell.exe
Sesworker.exe
Speechservice.exe
Store.exe
Transcodingservice.exe
Umservice.exe
Umworkerprocess.exe
W3wp.exe
Extension exclusions
In addition to excluding specific directories and processes, you should exclude the following Exchange-specific
file name extensions in case directory exclusions fail or files are moved from their default locations.
Application-related extensions:
.config
.dia
.wsb
Database-related extensions:
.chk
.log
.edb
.jrs
.que
Cidaemon.exe
Cluster.exe
Dsamain.exe
EdgeCredentialSvc.exe
EdgeTransport.exe
ExFBA.exe
GalGrammarGenerator.exe
Inetinfo.exe
Mad.exe
Microsoft.Exchange.AddressBook.Service.exe
Microsoft.Exchange.AntispamUpdateSvc.exe
Microsoft.Exchange.ContentFilter.Wrapper.exe
Microsoft.Exchange.EdgeSyncSvc.exe
Microsoft.Exchange.Imap4.exe
Microsoft.Exchange.Imap4service.exe
Microsoft.Exchange.Infoworker.Assistants.exe
Microsoft.Exchange.Monitoring.exe
Microsoft.Exchange.Pop3.exe
Microsoft.Exchange.Pop3service.exe
Microsoft.Exchange.ProtectedServiceHost.exe
Microsoft.Exchange.RPCClientAccess.Service.exe
Microsoft.Exchange.Search.Exsearch.exe
Microsoft.Exchange.Servicehost.exe
MSExchangeASTopologyService.exe
MSExchangeFDS.exe
MSExchangeMailboxAssistants.exe
MSExchangeMailboxReplication.exe
MSExchangeMailSubmission.exe
MSExchangeRepl.exe
MSExchangeTransport.exe
MSExchangeTransportLogSearch.exe
MSExchangeThrottling.exe
Msftefd.exe
Msftesql.exe
OleConverter.exe
Powershell.exe
SESWorker.exe
SpeechService.exe
Store.exe
TranscodingService.exe
UmService.exe
UmWorkerProcess.exe
W3wp.exe
Extension exclusions
In addition to excluding specific directories and processes, you should exclude the following Exchange-specific
file name extensions in case directory exclusions fail or files are moved from their default locations.
Application-related extensions:
.config
.dia
.wsb
Database-related extensions:
.chk
.log
.edb
.jrs
.que
Offline address book-related extensions:
.lzx
Content Index-related extensions:
.ci
.dir
.wid
.000
.001
.002
Unified Messaging-related extensions:
.cfg
.grxml
GroupMetrics:
.dsc
.bin
.xml
Please use this link for more detailed information.
MRASSvc.exe
OcsAppServerHost.exe
QmsSvc.exe
ReplicaReplicatorAgent.exe
RTCArch.exe
RtcCdr.exe
RTCSrv.exe
IIS processes:
%systemroot%\system32\inetsrv\w3wp.exe
%systemroot%\SysWOW64\inetsrv\w3wp.exe
SQL Server processes:
%ProgramFiles%\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe
Directories and files:
%systemroot%\System32\LogFiles
%systemroot%\SysWow64\LogFiles
%systemroot%\Windows\Assembly\GAC_MSIL
%programfiles%\Microsoft Lync Server 2010
%programfiles%\commonfiles\Microsoft Lync Server 2010
%SystemDrive%\RtcReplicaRoot
File share store (file stores are specified in Topology Builder).
SQL Server data and log files, including those for the back-end database, user store, archiving store, monitoring store, and application store. Database and log file locations can be specified in Topology Builder.
Please use this link for more detailed information.
\XSD
\Temp\MTA
Dpmra.exe
Csc.exe
Dynamics AX 2009
For versions up to AX 2009, exclude all AOD, AOI, ADD, ADI, KHD and KHI files, or alternatively the whole application folder.
During policy creation, the two checkboxes that create the default rules need to be checked.
Alternatively, specific exclusions can be created after the policy has been created, in the General Protection Settings area of the policy.