Recommended scan exclusion list for Trend Micro Endpoint products in OfficeScan (OSCE)

    • Updated:
    • 6 Jul 2017
    • Product/Version:
    • OfficeScan 10.6
    • OfficeScan 11.0
    • OfficeScan XG.All
    • Platform:
    • Windows 10
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Home Server
    • Windows 2003 Server R2
    • Windows 2003 Small Business Server
    • Windows 2003 Small Business Server R2
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Essential Business Server
    • Windows 2008 Server Core
    • Windows 2008 Server Foundation
    • Windows 2008 Server R2
    • Windows 2008 Small Business Server
    • Windows 2008 Standard
    • Windows 2011 Small Business Server Essentials
    • Windows 2011 Small Business Server Standard
    • Windows 2012 Enterprise
    • Windows 2012 Server Essentials
    • Windows 2012 Web Server Edition
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows 8 32-Bit
    • Windows 8 64-Bit
    • Windows 8.1 32-Bit
    • Windows 8.1 64-Bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
Summary

Database and encrypted type files should generally be excluded from scanning to avoid performance and functionality issues.

To get the exclusions to consider for OSCE Security Agent Real-time scan, please contact Trend Micro Technical Support.

Details

To exclude the following in OSCE, log on to the OfficeScan management console and go to the following section:

  • For OSCE 10.6: Networked Computers > Client Management > Scan Settings > Real-time Scan Settings
  • For OSCE 11.0/XG: Agents > Agent Management > Scan Settings > Real-time Scan Settings
  • Pagefile.sys
  • *.pst
  • %systemroot%\System32\Spool (replace %systemroot% with actual directory)
  • %systemroot%\SoftwareDistribution\Datastore (replace %systemroot% with actual directory)
  • %allusersprofile%\NTUser.pol
  • %Systemroot%\system32\GroupPolicy\registry.pol
  • C:\Program Files\Autodesk\Inventor 2013\Bin\Inventor.exe
  • C:\Program Files\Autodesk\Vault Professional 201\Explorer\Connectivity.VaultPro.exe
  • C:\Program Files\Autodesk\AutoCAD 2013\acad.exe
  • C:\Program Files\Autodesk\Inventor Fusion 2013\Inventor Fusion.exe
  • C:\Program Files\Autodesk\DWG TrueView 2013\dwgviewr.exe
  • C:\Program Files (x86)\Autodesk\Autodesk Design Review 2013\DesignReview.exe
  • C:\Program Files\Autodesk\Product Design Suite 2013\Bin\ProductDesignSuite.exe
  • Drive:\Program Files (x86)\cisco\cisco anyconnect vpn client\vpnagent.exe
  • Drive:\Program Files (x86)\cisco\cisco anyconnect vpn client\vpnui.exe

On Citrix systems, the following extensions have been causing performance problems. Exclude these file extensions to avoid any performance problems: *.LOG, *.DAT, *.TMP, *.POL, *.PF.

For more information, refer to the Citrix articles:

The data directory is used to store Domino email messages. Repeated scanning of this folder while it is being updated with new messages is not an efficient way to scan locally stored email. Use virus scanning applications such as ScanMail for Domino to handle email viruses. By default, the Domino data directory for a non-partitioned installation is: \Lotus\Domino\Data.

Exclude the directory or partition where MS Exchange stores its mailbox. Use virus scanning applications like ScanMail for Exchange to handle email viruses. Installable File System (IFS) drive M must also be excluded to prevent the corruption of the Exchange Information Store.

This option is best disabled. If it is enabled, it may create unnecessary network traffic when the end users access remote paths or mapped network drives. It can severely impact the user’s experience. Consider disabling this function if all workstations have OfficeScan client installed and are updated to the latest virus signature.

  • :\WINNT\SYSVOL
  • :\WINNT\NTDS
  • :\WINNT\ntfrs
  • :\WINNT\system32\dhcp
  • :\WINNT\system32\dns

Web Server log files should be excluded from scanning. By default, IIS logs are saved in:\inetpub\logs\*.log.

Scan exclusion guidelines for Microsoft Lync:

  • Microsoft Lync 2010: Specifying Antivirus Scanning Exclusions
  • Microsoft Lync 2013: Antivirus Scanning Exclusions for Lync Server 2013

Because scanning may hinder performance, large databases should not be scanned. Since Microsoft SQL Server databases are dynamic, exclude the directory and backup folders from the scan list. If it is necessary to scan database files, a scheduled task can be created to scan them during off-peak hours.

Refer to the following article from Microsoft to obtain advised SQL server exclusion list: How to choose antivirus software to run on computers that are running SQL Server.

  • .dbf - Database file
  • .log - Online Redo Log
  • .rdo - Online Redo Log
  • .arc - Archive log
  • .ctl - Control files
  • SAP ABAP or Java installs: \usr\sap\
  • SAP Content Server Install: \SAPDB\
  • SAP Printer Server: SAPSprint.exe
  • Servers where SAPGui is installed: lsagent.exe

During SAP installs or upgrades, it is recommended to exclude the base SAPinst directories and subdirectories: ..\Program Files\SAPinst_instdir\.

  • ~\Symantec\Backup Exec\beremote.exe
  • ~\Symantec\Backup Exec\beserver.exe
  • ~\Symantec\Backup Exec\bengine.exe
  • ~\Symantec\Backup Exec\benetns.exe
  • ~\Symantec\Backup Exec\pvlsvr.exe
  • ~\Symantec\Backup Exec\BkUpexec.exe

SCCM 2012 Manager

  • Boot image: C:\Windows\TEMP\BootImages\
  • OS image: \ConfigMgr_OfflineImageServicing and subfolders

SCCM 2012 Endpoint Protection

  • %allusersprofile%\NTUser.pol
  • %systemroot%\system32\GroupPolicy\registry.pol
  • %windir%\Security\database\*.chk
  • %windir%\Security\database\*.edb
  • %windir%\Security\database\*.jrs
  • %windir%\Security\database\*.log
  • %windir%\Security\database\*.sdb
  • %windir%\SoftwareDistribution\Datastore\Datastore.edb
  • %windir%\SoftwareDistribution\Datastore\Logs\edb.chk
  • %windir%\SoftwareDistribution\Datastore\Logs\edb*.log
  • %windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
  • %windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
  • %windir%\SoftwareDistribution\Datastore\Logs\Res1.log
  • %windir%\SoftwareDistribution\Datastore\Logs\Res2.log
  • %windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
  • %programfiles%\Microsoft Configuration Manager\Inboxes\*.*
  • %programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*.*
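
Several entries in the lists above are written with `%systemroot%`, `%windir%`, `%allusersprofile%` or `%programfiles(x86)%` and have to be replaced with the actual directory before they are entered. The following added example (not part of the original article or of any Trend Micro tooling) expands those variables and labels each entry by type; the environment values in `SAMPLE_ENV` and the function names are assumptions made for illustration.

```python
import re

# Constructed sample environment; on a real agent read these from os.environ.
SAMPLE_ENV = {
    "SystemRoot": r"C:\Windows",
    "windir": r"C:\Windows",
    "ALLUSERSPROFILE": r"C:\ProgramData",
    "ProgramFiles": r"C:\Program Files",
    "ProgramFiles(x86)": r"C:\Program Files (x86)",
}

# %name% where name may contain parentheses, as in %programfiles(x86)%.
_VAR = re.compile(r"%([^%\\]+)%")


def expand_exclusion(entry, env=SAMPLE_ENV):
    """Return (expanded_entry, unresolved_names) for one exclusion entry."""
    # Windows variable names are case-insensitive (%systemroot% vs %Systemroot%).
    lookup = {name.lower(): value for name, value in env.items()}
    unresolved = []

    def substitute(match):
        name = match.group(1)
        value = lookup.get(name.lower())
        if value is None:
            unresolved.append(name)
            return match.group(0)  # leave the placeholder visible for review
        return value.rstrip("\\")

    return _VAR.sub(substitute, entry), unresolved


def classify(entry):
    """Label an expanded entry as 'extension', 'wildcard-path' or 'path'."""
    if re.fullmatch(r"\*\.[A-Za-z0-9]+", entry):
        return "extension"
    if "*" in entry or "?" in entry:
        return "wildcard-path"
    return "path"


if __name__ == "__main__":
    # Entries copied from the lists in this article.
    for raw in [r"%systemroot%\System32\Spool", "*.pst",
                r"%windir%\Security\database\*.edb",
                r"%programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*.*"]:
        expanded, missing = expand_exclusion(raw)
        print(classify(expanded), expanded, "UNRESOLVED" if missing else "")
```

Entries reported as unresolved should not be entered as-is; an exclusion containing a literal `%name%` matches nothing the author intended.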

Exclusion by Directory

  • For Operations Manager 2007 or Operations Manager 2007 R2: C:\Program Files\System Center Operations Manager\Health Service State

    The placeholder represents "" for Operations Manager 2007 or Operations Manager 2007 R2.

  • For Operations Manager 2012: C:\Program Files\System Center Operations Manager\\Health Service State

    The placeholder represents "Agent" or "Server" for Operations Manager

  • For Operations Manager 2012 R2 (management server): C:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\Health Service State
  • For Operations Manager 2012 R2 (gateway server): C:\Program Files\System Center Operations Manager\Gateway\Health Service State
  • For Operations Manager 2012 R2 (agent): C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State

Exclusion by Extension

  • SQL database servers:

    These exclusions include the SQL Server database files that are used by Operations Manager components and the system database files for the master database and for the tempdb database. For example:

    • MDF
    • LDF
  • Operations Manager (management servers, gateways, and agents):

    These exclusions include the queue and log files that are used by Operations Manager. For example:

    • EDB
    • CHK
    • LOG

Other file extension types that should be added to the exclusion list include large flat and designed files, such as VMware disk partitions. Scanning VMware partitions while attempting to access them can affect session loading performance and the ability to interact with the virtual machine. Exclusions can be configured for the directory or directories that contain the virtual machines, or by excluding *.vmdk and *.vmem files.

The backup process takes longer to finish when real-time scan is enabled. There are also instances when real-time scan detects an infected file in the volume shadow copy but cannot enforce the scan action because volume shadow copies have read-only access.

You can refer to the Knowledgebase article: Excluding Volume Shadow copies from OfficeScan client real-time scans.

It is also advisable to apply the latest Microsoft patches for the Volume Shadow Copies service. Refer to this Microsoft article: A Volume Shadow Copy Service (VSS) update package is available for Windows Server 2003.

Make sure the checkbox for Do not scan the directories where Trend Micro products are installed is enabled in WFBS’s Exclusion List settings (Security Settings > Antivirus/Anti-spyware > Exclusions).

Add the .bkf extension to the list of real-time scan exclusions.

To know more about Microsoft's exclusion list, refer to this TechNet article: Microsoft Anti-Virus Exclusion List.

Category: Configure
Solution Id: 1059770