L.E.M.S.S. Excluding files, folders and processes from Lumension AntiVirus Malware Scans

Version 3

    Details

    Lumension Endpoint Management and Security Suite (LEMSS) AntiVirus 7.x


    Understanding Exclusions

    Exclusions are sets of conditions used to decide that a file or path is considered safe and can therefore be skipped during an antivirus scan. Exclusions are used to prevent:

    •   False positives - a legitimate program incorrectly identified as malware.
    •   Decreases in application performance caused when files are locked while the scanner accesses them (file locking).
    •   Long scan durations caused when large numbers of safe files (for example, graphics) are scanned unnecessarily.

    The default setting when creating a policy or Scan Now is that all files and paths on an endpoint are scanned.

    HEATsoftware provides two types of reference XML files you can import into L.E.M.S.S. that contain recommended exclusions:

    •   Core System Exclusions
    •   Common Application Exclusions

     
    IMPORTANT: The files and paths contained in this article are based on vendor recommendations. Consult vendor Web sites to validate their current exclusion recommendations.
    Your system's security is less likely to be compromised if no files and paths are excluded from scans. Only implement an exclusion if you have full knowledge of a file or path.


    Exclusions and Scan Types

    Both On-Demand (Scan Now, Recurring) and On-Access (Real-time) AntiVirus scans support exclusions through their configuration Wizards.
    A combination of On-Demand and On-Access scans is necessary to provide protection against viruses and malware. On-Demand scans go deep into an endpoint to scan a wide range and large number of files (for example, archive files and boot sectors). Although On-Demand scans can have a significant impact on endpoint performance, using exclusions to improve their performance would make the scan less effective and leave endpoints more vulnerable to infection.

    TIP: On-Demand scan performance issues can be addressed by setting the CPU utilization % to low, clearing the Scan archives option, and scheduling scans to run at off-peak hours (for example, late at night).


    An On-Access scan runs in the background and checks files for potential threats before the processes running on an endpoint access them. This can cause slowdowns when accessing paths containing large numbers of files or when opening applications that need access to many resources. Because an On-Demand scan provides a second layer of protection, exclusions can be implemented here to improve endpoint and application performance without compromising overall security.


    Adding Exclusions to Scans

    The configuration wizard for each scan type contains a page that enables:

    •   Manual exclusion of specific items from a scan.
    •   Import of an XML file containing a list of file and path exclusions, using the following format:

    <?xml version="1.0"?>
    <excludes>
    <exclude path=""/>
    <pexclude path=""/>
    </excludes>
     

    Where:

    •   <exclude path=""/> is used for file and folder exclusion paths (one element per mask; the empty path="" above is a placeholder).
    •   <pexclude path=""/> is used for process exclusion paths (Real-time Monitoring Policies only). Every element must be self-closing (end with />) or the file will not parse.


    To work correctly, exclusions must be defined according to the Exclusion Rules that apply (presented in the Exclusion Rules section and accessible in L.E.M.S.S. by clicking on the Help button on the Wizard page).


    Exclusion Rules

    Use masks and system variables to precisely choose files and paths to exclude from AntiVirus policies and a Scan Now.


    Masks without file paths
     

    CAUTION: Do not exclude files or folders unless their contents are known to be threat-free.

        Mask        Meaning
        *.exe       All files with extension EXE.
        test.*      All files named test with any extension.
        test        All files named test with no extension.
        test.exe    All files named test.exe.
     

    Masks with absolute file paths

    IMPORTANT: Folder paths must end with a path separator (\). A path without a trailing separator is treated as a file exclusion (see c:\temp below).

        Mask                          Meaning
        c:\temp\                      All files in the c:\temp folder recursively.
        *\temp\                       All files in the temp folder on all drives recursively.
        c:\temp\*.* or c:\temp\*      All files in the c:\temp folder but not recursively.
        c:\temp                       The file named temp with no extension on c:\.
        c:\temp\test                  The file named test in the c:\temp folder.
        c:\temp\*.exe                 All files with the extension EXE in the c:\temp folder.
        c:\temp\test.doc              The test.doc file in the c:\temp folder.
        c:\*\test.doc                 A test.doc file in any folder on the c:\ drive.
        *\*\test.doc                  A test.doc file in any folder on any drive.

    NOTE: The last two entries combine a directory or drive wildcard with a file name, which the Wildcard Usage rules below list as invalid (c:\*\file.exe and *\directory1\file.exe). Confirm against the Help on the Wizard page before relying on them.
     

    Environment variable directories

        Mask                Meaning
        %WINDIR%\           All files in the Windows folder recursively.
        %WINDIR%\*          All files in the Windows folder but not recursively.
        %WINDIR%\*\temp\    All files in a subfolder named temp, recursively, within any folder in the Windows folder.


    Wildcard Usage

    Exclusions can contain the “*” single asterisk wildcard (mask) character in specific combinations, with a maximum of two per exclusion.

    CAUTION: Improper wildcard usage can exclude incorrect files and directories.

    NOTE: Characters ^ { [ ] } $ + are not allowed in wildcard exclude paths (c:\*\^temp\ is invalid).


    Full Directory

    A full directory wildcard is a * that replaces an entire folder name (c:\directory1\*\directory3\).

    Restrictions:
     

    •   Cannot be used with a file exclusion (c:\directory1\*\file.exe is invalid).
    •   Cannot be used in an exclusion that uses a filename wildcard (c:\directory1\*\*.exe is invalid).
    •   Use of multiple directory wildcards in a single exclusion is not permitted (c:\*\*\directory3\ is invalid).
    •   A wildcard cannot replace part of a folder name (c:\directory1\directory*\ is invalid).
    •   For exclusions without a specific file or filename wildcard, a trailing backslash must be present or the exclusion will be treated as a file exclusion.

        Valid                              Invalid
        c:\*\directory1\directory2\        c:\directory1\directory*\
        c:\directory1\*\directory3\        c:\directory1\*\directory3\*\directory5\
        %system_variable%\*\directory1\    c:\*\*\directory3\

     

    Full filename and extension

    A filename wildcard is a * that replaces the whole file name (*.exe) or the whole extension (file.*); it cannot replace part of a name (*file.exe, file*.exe).

    Restrictions: Cannot be used in conjunction with full directory wildcards (c:\directory1\*\*.exe is invalid).

        Valid                                 Invalid
        *.exe                                 *file.exe
        abc.*                                 file*.exe
        c:\directory1\*.exe                   c:\directory1\*file.exe
        c:\directory1\file.*                  c:\directory1\file*.exe
        %system_variable%\directory1\*.exe    c:\*\file.exe
                                              %system_variable%\directory1\*\*.exe

     

    Drives and System Variables

    A * as the first path segment stands for any drive (*\directory1\).

    Restrictions: Cannot be used with a file exclusion (*\directory1\file.exe is invalid).
     

        Valid                                 Invalid
        *\directory1\directory2\              *\directory1\*.exe
        *\*\directory2\                       *\directory1\file.*
        *\%system_variable%\directory1\*\     *\directory1\file.exe
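    The Exclusion Rules above, implemented as a checker, as an added example that is not part of this article or of LEMSS. It applies the wildcard limit, the forbidden-character note, the whole-segment rule for folder and file names, and the restriction that a drive or directory wildcard cannot be combined with a file exclusion, then audits the Valid and Invalid columns of the three tables. The sample lists are copied from those tables; every error message is this example's own wording. Two things it surfaces are worth checking against the Wizard Help before import: the masks c:\*\test.doc and *\*\test.doc from the absolute-path table fail the restriction tables, and the WSUS entry C:\WSUS\MSSQL$WSUS\Data\*.mdf recommended later in this article contains a $ in a wildcard path, which the NOTE under Wildcard Usage forbids.

```python
"""Check LEMSS AntiVirus exclusion masks against the Exclusion Rules.

Added example for this article; it is not LEMSS code. It re-implements the
Wildcard Usage restrictions as written above so a mask list can be audited
before it is typed into the Wizard or imported from XML.
"""
import re

# NOTE under Wildcard Usage: these characters are not allowed in wildcard paths.
FORBIDDEN_IN_WILDCARD_PATHS = set("^{[]}$+")

# A file name component may be literal, "*", "*.*", "*.ext" or "name.*";
# partial wildcards such as "*file.exe" or "file*.exe" do not match.
FILENAME_WILDCARD = re.compile(r"^(\*|\*\.\*|\*\.[^*\\]+|[^*\\]+\.\*)$")


def exclusion_kind(mask):
    """'directory' (trailing backslash), 'filename' (no path) or 'file'."""
    if mask.endswith("\\"):
        return "directory"
    return "filename" if "\\" not in mask else "file"


def validate_exclusion(mask):
    """Return the list of rule violations for one mask; empty means valid."""
    problems = []
    if not mask:
        return ["empty exclusion"]
    if mask.count("*") > 2:
        problems.append("more than two * wildcards")
    if "*" in mask and FORBIDDEN_IN_WILDCARD_PATHS & set(mask):
        problems.append("characters ^ { [ ] } $ + are not allowed in wildcard paths")

    kind = exclusion_kind(mask)
    if kind == "filename":  # Masks without file paths: *.exe, test.*, test
        if "*" in mask and not FILENAME_WILDCARD.match(mask):
            problems.append("wildcard must replace the whole name or whole extension")
        return problems

    segments = mask[:-1].split("\\") if kind == "directory" else mask.split("\\")
    first, folders, filename = segments[0], segments[1:], None
    if kind == "file":
        folders, filename = folders[:-1], folders[-1]

    # First segment is a drive letter (c:), a %system_variable% or * (any drive).
    drive_wildcard = first == "*"
    if "*" in first and not drive_wildcard:
        problems.append("wildcard must replace the whole drive segment")

    directory_wildcards = 0
    for folder in folders:
        if folder == "*":
            directory_wildcards += 1
        elif "*" in folder:
            problems.append("wildcard must replace the whole folder name: " + folder)
        elif folder == "":
            problems.append("empty path segment (doubled backslash)")
    if directory_wildcards > 1:
        problems.append("only one full-directory wildcard is permitted")

    if filename is not None:
        if "*" in filename and not FILENAME_WILDCARD.match(filename):
            problems.append("wildcard must replace the whole file name or extension")
        if drive_wildcard:
            problems.append("drive wildcard cannot be combined with a file exclusion")
        if directory_wildcards:
            problems.append("directory wildcard cannot be combined with a file exclusion")
    return problems


def audit(masks):
    """Return {mask: problems} for every mask that breaks a rule."""
    report = {}
    for mask in masks:
        problems = validate_exclusion(mask)
        if problems:
            report[mask] = problems
    return report


# Entries copied from the Valid and Invalid columns of the three tables above
# (doubled backslashes are Python string escaping, not part of the mask).
VALID_SAMPLES = [
    "c:\\*\\directory1\\directory2\\", "c:\\directory1\\*\\directory3\\",
    "%system_variable%\\*\\directory1\\", "*.exe", "abc.*",
    "c:\\directory1\\*.exe", "c:\\directory1\\file.*",
    "%system_variable%\\directory1\\*.exe", "*\\directory1\\directory2\\",
    "*\\*\\directory2\\", "*\\%system_variable%\\directory1\\*\\",
]
INVALID_SAMPLES = [
    "c:\\directory1\\directory*\\", "c:\\directory1\\*\\directory3\\*\\directory5\\",
    "c:\\*\\*\\directory3\\", "*file.exe", "file*.exe",
    "c:\\directory1\\*file.exe", "c:\\directory1\\file*.exe", "c:\\*\\file.exe",
    "%system_variable%\\directory1\\*\\*.exe", "*\\directory1\\*.exe",
    "*\\directory1\\file.*", "*\\directory1\\file.exe", "c:\\*\\^temp\\",
]

if __name__ == "__main__":
    assert audit(VALID_SAMPLES) == {}
    for mask, problems in audit(INVALID_SAMPLES + ["C:\\WSUS\\MSSQL$WSUS\\Data\\*.mdf"]).items():
        print(mask, "->", "; ".join(problems))
```

    Run audit() over the mask list you intend to import; anything it reports should be rewritten (for example, a directory exclusion instead of a wildcard file mask when the path contains a $) or confirmed against the Wizard Help.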

     

    Implementation Checklist

    •   You are aware of the risks associated with excluding the specific files and paths contained in this article. Only implement exclusions if you have full knowledge of a file or path.
    •   You understand how exclusions affect On-Demand and On-Access AntiVirus scans.
    •   You understand the exclusion rules (for example, folder paths must end with a path separator \).
    •   Create a list of the software used in your network.
    •   Download the Exclusions Reference XML files.
    •   Review the reference XML files and delete those exclusions that do not apply to your environment. Consult the vendors of applications not represented in the files for their exclusion recommendations.
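    The import format described in Adding Exclusions to Scans and the checklist step of customizing the reference files before import, as one added example that is not part of this article or of LEMSS. It parses an <excludes> file and rejects a malformed one (such as a <pexclude> that is not self-closing) before anything is imported, expands %VARIABLE% references so the reviewer sees the concrete path each mask resolves to on a given endpoint, and drops entries whose leading variable is not defined there or whose literal install root does not exist. The reference entries are taken from the lists in this article; the environment table (SAMPLE_ENV), the install-root list (SAMPLE_ROOTS) and the agent.exe process path are constructed for the demonstration.

```python
"""Read, prune and write a LEMSS exclusion import file.

Added example for this article, not LEMSS code. The import format is the
<excludes>/<exclude>/<pexclude> structure shown in "Adding Exclusions to
Scans"; the sample entries, environment table and install-root list below
are constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed reference file. The exclude entries are taken from the lists in
# this article; the pexclude process path is a hypothetical placeholder.
REFERENCE_XML = """<?xml version="1.0"?>
<excludes>
<exclude path="%windir%\\ntds\\Ntds.dit"/>
<exclude path="%systemroot%\\System32\\DHCP\\*.mdb"/>
<exclude path="%ExchangeInstallPath%\\Mailbox\\"/>
<exclude path="C:\\WSUS\\MSSQL$WSUS\\Data\\*.mdf"/>
<exclude path="*.pst"/>
<pexclude path="%ProgramFiles%\\Example Vendor\\agent.exe"/>
</excludes>
"""

# Constructed description of one target endpoint: the environment variables
# defined there and the literal install roots that exist. It runs WSUS but not
# Exchange, so %ExchangeInstallPath% is undefined.
SAMPLE_ENV = {"WINDIR": "C:\\Windows", "SYSTEMROOT": "C:\\Windows",
              "PROGRAMFILES": "C:\\Program Files"}
SAMPLE_ROOTS = {"C:\\WSUS"}

VARIABLE = re.compile(r"%([^%\\]+)%")


def load_exclusions(xml_text):
    """Parse an import file; return (file_masks, process_masks).

    Malformed XML (for example an element that is not self-closing) raises
    xml.etree.ElementTree.ParseError; unexpected elements raise ValueError.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "excludes":
        raise ValueError("root element must be <excludes>")
    files, processes = [], []
    for element in root:
        path = element.get("path")
        if element.tag not in ("exclude", "pexclude") or not path:
            raise ValueError("unexpected element <%s>" % element.tag)
        (files if element.tag == "exclude" else processes).append(path)
    return files, processes


def is_well_formed(xml_text):
    """True if the file parses and contains only <exclude>/<pexclude> masks."""
    try:
        load_exclusions(xml_text)
        return True
    except (ET.ParseError, ValueError):
        return False


def expand(mask, env):
    """Resolve %VARIABLE% references so a reviewer sees the concrete path."""
    return VARIABLE.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), mask)


def applies_to(mask, env, roots):
    """Keep a mask if its leading variable is defined on the endpoint, or its
    literal root (drive plus first folder) exists; bare masks are kept."""
    first = mask.split("\\", 1)[0]
    if first.startswith("%") and first.endswith("%"):
        return first.strip("%").upper() in env
    if len(first) == 2 and first[1] == ":":
        parts = mask.split("\\")
        root = "\\".join(parts[:2]).lower()
        return len(parts) < 2 or root in {r.lower() for r in roots}
    return True


def customize(xml_text, env, roots):
    """Return (pruned XML text, dropped masks) for the described endpoint."""
    kept, dropped = ET.Element("excludes"), []
    for element in ET.fromstring(xml_text):
        if applies_to(element.get("path", ""), env, roots):
            kept.append(element)
        else:
            dropped.append(element.get("path"))
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(kept)
    return '<?xml version="1.0"?>\n' + ET.tostring(kept, encoding="unicode"), dropped


if __name__ == "__main__":
    files, processes = load_exclusions(REFERENCE_XML)
    for mask in files + processes:
        print(mask, "->", expand(mask, SAMPLE_ENV))
    pruned, dropped = customize(REFERENCE_XML, SAMPLE_ENV, SAMPLE_ROOTS)
    print("dropped:", dropped)
    print(pruned)
```

    Feed the pruned output to the Wizard import; the expanded paths printed alongside are what to review against the IMPORTANT note above (only exclude what you fully understand), since a mask such as %systemroot%\System32\DHCP\*.mdb reads differently once it resolves to a concrete folder.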


    Recommended Exclusions

    Core System Exclusions

    Download the Core System Exclusions XML reference file

    IMPORTANT: Carefully review the corresponding vendor knowledge base articles referenced in each section below. HEATsoftware is not responsible for the content of external links.

    Active Directory

    %windir%\ntds\Ntds.dit
    %windir%\Ntds\Ntds.pat
    %windir%\Ntds\*.log
    %windir%\Ntds\*.jrs


    Group Policy

    %Systemroot%\System32\GroupPolicy\Registry.pol
    %allusersprofile%\NTUser.pol


    SYSVOL

    %windir%\Ntfrs\edb.chk
    %windir%\Ntfrs\Ntfrs.jdb
    %windir%\Ntfrs\*.log
    %windir%\Ntfrs\Working Dir\Jet\Log\*.jrs
    %systemroot%\Sysvol\
    %systemdrive%\System Volume Information\


    DHCP

    %systemroot%\System32\DHCP\*.mdb    
    %systemroot%\System32\DHCP\*.pat    
    %systemroot%\System32\DHCP\*.log    
    %systemroot%\System32\DHCP\*.chk    
    %systemroot%\System32\DHCP\*.edb

    IMPORTANT: The DHCP service may not start on Windows Server 2003 if the %systemroot%\System32\DHCP\ folder is not excluded.


    DNS

    %systemroot%\System32\Dns\*.log
    %systemroot%\System32\Dns\*.dns
    %systemroot%\System32\Dns\BOOT


    WINS

    %systemroot%\System32\Wins\*.chk
    %systemroot%\System32\Wins\*.log
    %systemroot%\System32\Wins\*.mdb


    Certification Service

    %SystemRoot%\system32\CatRoot2\Domain.edb
    %SystemRoot%\system32\CatRoot2\tmp.edb
    %SystemRoot%\system32\CatRoot2\edb.chk
    %SystemRoot%\system32\CatRoot2\res1.log
    %SystemRoot%\system32\CatRoot2\res2.log


    Index Service

    Catalog.wci


    Page and hibernation files

    %systemdrive%\pagefile.sys
    %systemdrive%\hiberfil.sys    


    Windows Update

    %windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
    %windir%\SoftwareDistribution\Datastore\*.edb
    %windir%\SoftwareDistribution\Datastore\*.log
    %windir%\SoftwareDistribution\Datastore\Logs\*.jrs
    %windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb


    Windows Security

    %windir%\Security\Database\*.edb
    %windir%\Security\Database\*.sdb
    %windir%\Security\Database\*.log
    %windir%\Security\Database\*.chk
    %windir%\Security\Database\*.jrs


    Windows Defender

    %ProgramData%\Microsoft\Windows Defender\


    Printer Service

    %SystemRoot%\system32\spool\


    Base OS working files

    %systemroot%\winsxs\Manifests\*.manifest
    %systemroot%\winsxs\FileMaps\*.cdf-ms
    %systemroot%\rescache\
    %systemroot%\System32\winevt\
    %systemroot%\AppPatch\sysmain.sdb
    %systemroot%\Prefetch\
    %systemroot%\System32\Config\
    %systemroot%\Media\


    Microsoft Outlook (commonly used application)

    *.ost
    *.pst


    Common Application Exclusions

    Download the Common Application Exclusions XML reference file

    IMPORTANT:

    •   Review and customize the contents of the file before importing it (for example, remove exclusions for software not installed in your network, or modify paths to reflect your chosen installation locations).
    •   Carefully review the corresponding vendor knowledge base articles referenced in each section. HEATsoftware is not responsible for the content of external links.
    •   Apply the recommended SQL and IIS exclusions, as the L.E.M.S.S. server uses both.

    Failover Clustering

    Q:\
    %Systemroot%\Cluster\
    %Winnt%\Cluster\

    Reference: Antivirus software that is not cluster-aware may cause problems with Cluster Services (http://support.microsoft.com/kb/250355).

    IMPORTANT: Most antivirus programs use filter drivers (device drivers) that work together with a service to scan for viruses. These filter drivers sit above the file system recognizer and scan files as they are opened and closed on a local hard disk. Antivirus software may not understand the shared disk model and may not correctly allow for failover.
    If you are troubleshooting failover issues or general problems with Cluster services and antivirus software is installed, temporarily uninstall the antivirus software or check with the manufacturer whether the antivirus software works with Cluster services. Simply disabling the antivirus software is insufficient in most cases.


    Messaging Exclusions

    Microsoft Exchange 2007

    %ProgramFiles%\Microsoft\Exchange Server\Mailbox\
    %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\
    %ProgramFiles%\Microsoft\Exchange Server\Logging\
    %ProgramFiles%\Microsoft\Exchange Server\ExchangeOAB\
    %ProgramFiles%\Microsoft\Exchange Server\Working\OleConvertor\
    %ProgramFiles%\Microsoft\Exchange Server\Mailbox\MDBTEMP\
    %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\
    %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\grammars\
    %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\Prompts\
    %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\voicemail\
    %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\badvoicemail\
    %systemroot%\IIS Temporary Compressed Files\
    %SystemRoot%\System32\Inetsrv\


    Microsoft Exchange 2010

    %ExchangeInstallPath%\Mailbox\    
    %ExchangeInstallPath%\TransportRoles\logs\    
    %ExchangeInstallPath%\ExchangeOAB\    
    %SystemRoot%\System32\Inetsrv\    
    %ExchangeInstallPath%\Mailbox\MDBTEMP\

    If a Database Availability Group (DAG) is used, also apply the Failover Clustering exclusions above and:

    %ExchangeInstallPath%\Mailbox\MDBTEMP\

    Witness server (can be specific to each machine)

    %SystemDrive%\DAGFileShareWitnesses\
    C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Data\Queue\
    %ExchangeInstallPath%\TransportRoles\Data\SenderReputation\
    %ExchangeInstallPath%\Working\OleConvertor\
    %ExchangeInstallPath%\TransportRoles\Data\Adam\
    %ExchangeInstallPath%\Logging\POP3\
    %ExchangeInstallPath%\Logging\IMAP4\

    IMPORTANT: Exclude the default TMP folder on the Exchange server.

    %ExchangeInstallPath%\UnifiedMessaging\grammars\    
    %ExchangeInstallPath%\UnifiedMessaging\Prompts\    
    %ExchangeInstallPath%\UnifiedMessaging\voicemail\    
    %ExchangeInstallPath%\UnifiedMessaging\badvoicemail\


    File extension exclusions for Microsoft Exchange 2007 and 2010

    *.config
    *.dia
    *.wsb
    *.chk
    *.log
    *.edb
    *.jrs
    *.que
    *.lzx
    *.ci
    *.wid
    *.dir
    *.001
    *.002
    *.cfg
    *.grxml


    IIS and ASP.NET applications

    Global.asax


    IIS 5-6

    %SystemRoot%\system32\inetsrv\metabase.bin
    %SystemRoot%\system32\inetsrv\MetaBase.xml
    %SystemRoot%\system32\inetsrv\MBSchema.xml


    Index Service

    C:\System Volume Information\*.wci


    MSMQ queues

    %SystemRoot%\system32\MSMQ\
    %SystemRoot%\system32\MSMQ\storage\


    WSUS

    C:\WSUS\MSSQL$WSUS\Data\*.mdf
    C:\WSUS\MSSQL$WSUS\Data\*.ldf


    Database Exclusions

    SQL Server data files

    IMPORTANT:

    •   Limit excludes to the particular SQL Server instance (see the WSUS exclusions above for an instance-specific example).
    •   When performing tracing work on SQL Server, also exclude *.trn files.
    •   If full-text indexing is in use on an endpoint, the instance's full-text catalog folder must be specified as an exclude. The default location is %ProgramFiles%\Microsoft SQL Server\MSSQL\FTDATA\

    *.ldf
    *.mdf
    *.ndf
    *.bak
    *.trn

    Reference: How to choose antivirus software to run on computers that are running SQL Server (http://support.microsoft.com/kb/309422).


    Virtualization Exclusions

    Hyper-V

    C:\ProgramData\Microsoft\Windows\Hyper-V\
    C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\

    IMPORTANT: Also exclude any custom virtual machine configuration, virtual hard disk and snapshot directories.

    Reference: Virtual machines are missing, or error 0x800704C8, 0x80070037, or 0x800703E3 occurs when you try to start or create a virtual machine (http://support.microsoft.com/kb/961804).


    VMware

    *.VMDK
    *.VMEM