  • Pagefile.sys
  • *.pst
  • %systemroot%\System32\Spool (replace %systemroot% with actual directory)
  • %systemroot%\SoftwareDistribution\Datastore (replace %systemroot% with actual directory)
  • %allusersprofile%\NTUser.pol
  • %Systemroot%\system32\GroupPolicy\registry.pol
  • Drive:\Program Files\Call Manager
  • Drive:\Program Files\Call Manager Serviceability
  • Drive:\Program Files\Call Manager Attendant

On Citrix systems, the following extensions have been causing performance problems. Exclude these file extensions to avoid any performance problems: *.LOG, *.DAT, *.TMP, *.POL, *.PF.

The data directory is used to store Domino email messages. Repeated scanning of this folder while it is being updated with new messages is not an efficient way to scan locally stored email. Use virus scanning applications such as ScanMail for Domino to handle email viruses. By default, the Domino data directory for a non-partitioned installation is <drive>: \ Lotus \ Domino \ Data.

  • <drive>: \ EXCHSRVR \ MDBData
  • <drive>: \ EXCHSRVR \ MTAData
  • <drive>: \ EXCHSRVR \ Mailroot
  • <drive>: \ EXCHSRVR \ SrsData
  • <drive>: \ WINNT \ system32 \ InetSrv
  • %SystemDrive%\Windows\System32\InetSrv
  • <drive>: \ EXCHSRVR \ MDBData
  • <drive>: \ EXCHSRVR \ MTAData
  • <drive>: \ EXCHSRVR \ Mailroot
  • <drive>: \ EXCHSRVR \ SrsData
  • <drive>: \ WINNT \ system32 \ InetSrv
  • <drive>: \ EXCHSRVR \ MdbDataUtility
  • %SystemDrive%\Windows\System32\InetSrv
  • <drive>: \ EXCHSRVR \ IMCData
  • <drive>: \ EXCHSRVR \ MDBData

To configure the scan exclusions for G-Buster Anti-Fraud System, refer to the knowledge base article: Setting scan exclusions for G-Buster Anti-Fraud System in Worry-Free Business Security (WFBS)

This option is best disabled. If it is enabled, it may create unnecessary network traffic when the end users access remote paths or mapped network drives. It can severely impact the user’s experience. Consider disabling this function if all workstations have OfficeScan client installed and are updated to the latest virus signature.

Exclude the directory or partition where MS Exchange stores its mailbox. Use virus scanning applications like ScanMail for Exchange to handle email viruses. Installable File System (IFS) drive M must also be excluded to prevent the corruption of the Exchange Information Store.

Web Server log files should be excluded from scanning. By default, IIS logs are saved in <drive>:\inetpub\logs\.

Web Server log files should be excluded from scanning. By default, IIS logs are saved in:

  • <drive>: \ WINNT \ system32 \ LogFiles
  • <drive>: \ WINNT \ system32 \ IIS Temporary Compressed Files
  • %SystemDrive%\inetpub\logs\LogFiles
  • %SystemDrive%\inetpub\logs\IIS Temporary Compressed Files
  • <drive>: \ Program Files \ Microsoft ISA Server \ ISALogs
  • <drive>: \ Program Files \ Microsoft SQL Server \ MSSQL$MSFW \ Data
  • <drive>: \ Documents and Settings \ All Users \ Application Data \ Microsoft \ Microsoft Operations Manager
  • <drive>: \ Program Files \ Microsoft Operations Manager 2005
  • <drive>: \ Program Files \ SharePoint Portal Server
  • <drive>: \ Program Files \ Common Files \ Microsoft Shared \ Web Storage System
  • <drive>: \ Windows \ Temp \ Frontpagetempdir
  • M:\
  • Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions
  • Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files
  • Drive:\Users\ServiceAccount\AppData\Local\Temp
  • Drive:\Users\Default\AppData\Local\Temp
  • Drive:\Users\<the account that the search service is running as>\AppData\Local\Temp
  • Drive:\WINDOWS\system32\LogFiles
  • Drive:\Windows\Syswow64\LogFiles
Reference: Certain folders may have to be excluded from antivirus scanning when you use a file-level antivirus program in SharePoint

Because scanning may hinder performance, large databases should not be scanned. Since Microsoft SQL Server databases are dynamic, exclude their directory and backup folders from the scan list. If it is necessary to scan database files, a scheduled task can be created to scan them during off-peak hours.

  • <drive>:\ WINNT \ Cluster (if using SQL Clustering)
  • <drive>: \ Program Files \ Microsoft SQL Server \ MSSQL \ Data
  • Q:\ (if using SQL Clustering)
  • C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data
  • File extensions to exclude: .mdf, .ldf, .ndf, .bak, .tm

SQL Server 2012

  • %ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr.exe
  • %ProgramFiles%\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
  • %ProgramFiles%\Microsoft SQL Server\MSAS11.<Instance Name>\OLAP\Bin\MSMDSrv.exe

SQL Server 2008 R2

  • %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\MSSQL\Binn\SQLServr.exe
  • %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
  • %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\OLAP\Bin\MSMDSrv.exe

SQL Server 2008

  • %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\MSSQL\Binn\SQLServr.exe
  • %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
  • %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\OLAP\Bin\MSMDSrv.exe

SQL Server 2005

  • %ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe
  • %ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
  • %ProgramFiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe

Considerations for clustering

You can run antivirus software on a SQL Server cluster. However, you must make sure that the antivirus software is a cluster-aware version. Contact your antivirus vendor about cluster-aware versions and interoperability.

If you are running antivirus software on a cluster, make sure that you also exclude these locations from virus scanning:

  • Q:\ (Quorum drive)
  • C:\Windows\Cluster
  • SMS \ Inboxes \ SMS_Executive Thread Name
  • SMS_CCM \ ServiceData
  • <drive:>\ WSUS
  • <drive:>\ WsusDatabase
  • MySQL main directory - <Drive>:\mysql\
  • MySQL Temporary Files - Uses the Windows system default, which is usually C:\windows\temp\
  • C:\Program Files\Novell\Zenworks
  • Exclude the following files: NalView.exe, RMenf.exe, ZenNotifyIcon.exe, ZenUserDaemon.exe, casa.msi, dluenf.dll, fileInfo.db, lcredmgr.dll, objInfo.db
  • Exclude the following extensions: .APPSTATE, .LOG, .TMP, .ZC
  • .dbf - Database file
  • .log - Online Redo Log
  • .rdo - Online Redo Log
  • .arc - Archive log
  • .ctl - Control files

Make sure the checkbox for "Do not scan the directories where Trend Micro products are installed." is enabled in WFBS’s Exclusion List settings (Security Settings>Antivirus/Anti-spyware>Exclusions).

All directories that contain the following files:

  • Virtual Hard Disk file (*.vhd)
  • Virtual Hard Disk v2 file (*.vhdx)
  • Virtual Hard Disk snapshot file (*.avhd)
  • Virtual Hard Disk v2 snapshot file (*.avhdx)
  • VHD Set file (*.vhds)
  • Virtual PMEM VHD file (*.vhdpmem)
  • Virtual Optical Disk images (*.iso)
  • Resilient Change Tracking file (*.rct)
  • Modified Region Table file (*.mrt)
  • Device state file (*.vsv)

    The processes that create, open, or update the file: vmms.exe, vmwp.exe, vmcompute.exe.

  • Memory state file (*.bin)

    The processes that create, open, or update the file: vmwp.exe

  • VM Configuration file (*.xml)

    The processes that create, open, or update the file: vmms.exe

  • VM Configuration v2 file (*.vmcx)

    The processes that create, open, or update the file: vmms.exe

  • VM Runtime State file (*.vmrs)

    The processes that create, open, or update the file: vmms.exe, vmwp.exe, vmcompute.exe.

  • VM Guest State file (*.vmgs)

  • The default virtual machine configuration directory, if it's used, and any of its subdirectories:

    %ProgramData%\Microsoft\Windows\Hyper-V

  • The default virtual machine virtual hard disk files directory, if it's used, and any of its subdirectories:

    %Public%\Documents\Hyper-V\Virtual Hard Disks

  • The default snapshot files directory, if it's used, and any of its subdirectories:

    %SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots

  • The default Cluster Shared Volumes path, if you're using Cluster Shared Volumes, and any of its subdirectories:

    C:\ClusterStorage

  • Any custom virtual machine configuration directories, if applicable
  • Any custom virtual hard disk drive directories, if applicable
  • Any custom replication data directories, if you're using Hyper-V Replica
  • If antivirus software is running on your file servers, any Server Message Block protocol 3.0 (SMB 3.0) file shares on which you store virtual machine files.

  • Vmms.exe (%systemroot%\System32\Vmms.exe)

    This file may have to be configured as a process exclusion within the antivirus software.

  • Vmwp.exe (%systemroot%\System32\Vmwp.exe)

    This file may have to be configured as a process exclusion within the antivirus software.

  • Vmsp.exe (%systemroot%\System32\Vmsp.exe)

    Starting with Windows Server 2016, this file may have to be configured as a process exclusion within the antivirus software.

  • Vmcompute.exe (%systemroot%\System32\Vmcompute.exe)

Reference: Recommended antivirus exclusions for Hyper-V hosts

  • SAP ABAP or Java installs:

    \usr\sap\ 

  • SAP Content Server Install:

    \SAPDB\

  • SAP Printer Server:

    SAPSprint.exe

  • Servers where SAPGui is installed:

    lsagent.exe

  • During SAP installs or upgrades, it is recommended to exclude the base SAPinst directories and subdirectories:

    ..\Program Files\SAPinst_instdir\

NTDS database files

The database files are specified in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File

  • %windir%\Ntds\ntds.dit
  • %windir%\Ntds\ntds.pat

The AD DS transaction log files

The transaction log files are specified in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path

  • %windir%\Ntds\EDB*.log
  • %windir%\Ntds\Res*.log
  • %windir%\Ntds\Edb*.jrs
  • %windir%\Ntds\Ntds*.pat
  • %windir%\Ntds\TEMP.edb

The NTDS working folder

This folder is specified in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory

  • %windir%\Ntds\Temp.edb
  • %windir%\Ntds\Edb.chk
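
The three registry values above decide where these files actually live, so an exclusion list built from the %windir%\Ntds defaults can miss a relocated database or leave a stale path unscanned for no reason. The following PowerShell is an added example, not part of the original article or any Trend Micro tooling; it reads the values named above on a domain controller and prints the resolved exclusion paths, using the file patterns listed on this page.

```powershell
# Added example: resolve AD DS exclusion paths from the registry instead of
# assuming the %windir%\Ntds defaults. Run locally on a domain controller.
$key = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'

if (-not (Test-Path -LiteralPath $key)) {
    Write-Warning 'NTDS parameters key not found; this host is not a domain controller.'
    return
}

$params = Get-ItemProperty -LiteralPath $key

# 'DSA Database File' is a full file path; the other two values are directories.
$dbFile  = $params.'DSA Database File'
$dbDir   = if ($dbFile) { Split-Path -Parent $dbFile } else { $null }
$logDir  = $params.'Database Log Files Path'
$workDir = $params.'DSA Working Directory'

# File patterns per location, copied from the lists in this article.
$plan = @(
    [pscustomobject]@{ Name = 'Database';       Dir = $dbDir;   Files = 'ntds.dit', 'ntds.pat' }
    [pscustomobject]@{ Name = 'Transaction log'; Dir = $logDir;  Files = 'EDB*.log', 'Res*.log', 'Edb*.jrs', 'Ntds*.pat', 'TEMP.edb' }
    [pscustomobject]@{ Name = 'Working folder';  Dir = $workDir; Files = 'Temp.edb', 'Edb.chk' }
)

$default = (Join-Path $env:windir 'Ntds').TrimEnd('\')

$exclusions = foreach ($entry in $plan) {
    if (-not $entry.Dir) {
        Write-Warning "$($entry.Name): registry value missing, no path resolved."
        continue
    }
    # Flag relocated directories so the default-path entries can be reviewed.
    if ($entry.Dir.TrimEnd('\') -ne $default) {
        Write-Warning "$($entry.Name) is at '$($entry.Dir)', not the default '$default'."
    }
    foreach ($file in $entry.Files) {
        Join-Path -Path $entry.Dir -ChildPath $file
    }
}

# The three locations usually coincide, so remove duplicates (case-insensitive).
$exclusions | Sort-Object -Unique
```

Keep the output as narrow file-level entries rather than excluding the whole directory, and re-run it after any move of the database or logs.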

Process exclusions for AD DS and AD DS-related support files

  • %systemroot%\System32\ntfrs.exe
  • %systemroot%\System32\lsass.exe

Reference:
Microsoft Defender Antivirus exclusions on Windows Server

This section applies to Windows Server 2022, Windows Server 2019, Windows Server 2016, Azure Stack HCI, versions 21H2 and 20H2.

Exclude the following file system locations from virus scanning on a server that is running Cluster Services:

  • The path of the FileShare Witness
  • The %Systemroot%\Cluster folder

Configure the real-time scanning component within your antivirus software to exclude the following directories and files:

  • Default virtual machine configuration directory (C:\ProgramData\Microsoft\Windows\Hyper-V)
  • Custom virtual machine configuration directories
  • Default virtual hard disk drive directory (C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks)
  • Custom virtual hard disk drive directories
  • Custom replication data directories, if you're using Hyper-V Replica
  • Snapshot directories
  • Vmms.exe

    This file may have to be configured as a process exclusion within the antivirus software.

  • Vmwp.exe

    This file may have to be configured as a process exclusion within the antivirus software.

Additionally, when you use Live Migration together with Cluster Shared Volumes, exclude the CSV path C:\Clusterstorage and all its subdirectories.

Reach out to Trend Micro Support if you have further concerns.

For more information, refer to this article.

Other file extension types that should be added to the exclusion list include large flat and designed files, such as VMware disk partitions. Scanning VMware partitions while attempting to access them can affect session loading performance and the ability to interact with the virtual machine. Exclusions can be configured for the directory or directories that contain the virtual machines, or by excluding *.vmdk and *.vmem files.

The backup process takes longer to finish when real-time scan is enabled. There are also instances when real-time scan detects an infected file in the volume shadow copy but cannot enforce the scan action because volume shadow copies have read-only access.
It is also advisable to apply the latest Microsoft patches for the Volume Shadow Copies service. Refer to this Microsoft article: A Volume Shadow Copy Service (VSS) update package is available for Windows Server 2003.

To learn how to set exclusions in WFBS, refer to this KB article: Configuring exclusions in Worry-Free Business Security (WFBS) File, Folder, and File Type Scanning

To know more about Microsoft's exclusion list, refer to the TechNet article Microsoft Anti-Virus Exclusion List.