Article ID: 822158
Notice

Information for home users

For more information about virus scanning with recommendations for consumers, visit the following Microsoft Web page:
http://windows.microsoft.com/en-US/windows-vista/Viruses-frequently-asked-questions

INTRODUCTION

This article contains recommendations that may help an administrator determine the cause of potential instability on a computer that is running a supported version of Microsoft Windows when it is used with antivirus software in an Active Directory domain environment or in a managed business environment.

Note We recommend that you temporarily apply these procedures to evaluate a system. If your system performance or stability is improved by the recommendations that are made in this article, contact your antivirus software vendor for instructions or for an updated version of the antivirus software.

Important This article contains information that shows how to help lower security settings or how to temporarily turn off security features on a computer. You can make these changes to understand the nature of a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

More information

For computers that are running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows XP, Windows Vista, Windows 7, Windows 8, or Windows 8.1

Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

Notes
  • We are not aware of a risk of excluding the specific files or folders that are mentioned in this article from scans that are made by your antivirus software. However, your system may be safer if you do not exclude any files or folders from scans.
  • When you scan these files, performance and operating system reliability problems may occur because of file locking.
  • Do not exclude any one of these files based on the file name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extensions as the files that are described in this article.
  • This article provides both file names and folders that can be excluded. All the files and folders that are described in this article are protected by default permissions to allow only SYSTEM and administrator access, and they contain only operating system components. Excluding an entire folder may be simpler but may not provide as much protection as excluding specific files based on file names.
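The note above relies on the excluded folders being reachable only by SYSTEM and Administrators. The following PowerShell, an added example that is not part of the KB article, checks that assumption before an exclusion is created: it reads each folder's ACL with Get-Acl and reports any Allow entry for some other identity. The folder list and the two expected account names are assumptions you may need to adjust for your environment.

```powershell
# Added example, not from the KB article: before excluding a folder from
# scanning, confirm its ACL still grants access only to SYSTEM and the
# Administrators group, as the article says these folders do by default.
# Assumption: identities are compared by their well-known account names.

function Test-ExclusionFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Owner = $null; Unexpected = @() }
    }
    $acl = Get-Acl -LiteralPath $Path
    # Any Allow ACE for an identity outside the expected set is worth a look:
    # an exclusion on a folder that other principals can write to means files
    # can land where the scanner no longer looks.
    $unexpected = @($acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $AllowedIdentities -notcontains $_.IdentityReference.Value } |
        ForEach-Object { '{0} ({1})' -f $_.IdentityReference.Value, $_.FileSystemRights })
    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        Owner      = $acl.Owner
        Unexpected = $unexpected
    }
}

# Default locations of folders the article names; adjust if yours are relocated.
$candidates = @(
    "$env:windir\NTDS",
    "$env:windir\Ntfrs",
    "$env:windir\SoftwareDistribution\Datastore",
    "$env:windir\Security\Database",
    "$env:SystemRoot\System32\dhcp"
)
$report = $candidates | ForEach-Object { Test-ExclusionFolderAcl -Path $_ }
$report | Format-Table -AutoSize Path, Exists, Owner,
    @{ n = 'Unexpected'; e = { $_.Unexpected -join '; ' } }

# Warn loudly if anything unexpected turns up, so this can gate a deployment.
if ($report | Where-Object { $_.Exists -and $_.Unexpected.Count -gt 0 }) {
    Write-Warning 'One or more exclusion folders grant access beyond SYSTEM/Administrators; review before excluding.'
}
```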

Turn off scanning of the Microsoft Forefront "tmp.edb" file

  • If you are using Forefront, turn off scanning of the Forefront database file (tmp.edb). This file is located in the following folder:
    %windir%\SoftwareDistribution\Datastore
  • Turn off scanning of the log files that are located in the following folder:
    %ProgramData%\Microsoft\Search\Data\Applications\Windows

Turn off scanning of Windows Update or Automatic Update related files

  • Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder:
    %windir%\SoftwareDistribution\Datastore
  • Turn off scanning of the log files that are located in the following folder:
    %windir%\SoftwareDistribution\Datastore\Logs
    Specifically, exclude the following files:
    • Edb*.jrs
    • Edb.chk
    • Tmp.edb
    Note The wildcard character (*) indicates that there may be several files.

Turn off scanning of Windows Security files

  • Add the following files in the %windir%\Security\Database path of the exclusions list:
    • *.edb
    • *.sdb
    • *.log
    • *.chk
    • *.jrs
    Note If these files are not excluded, antivirus software may prevent proper access to these files, and security databases can become corrupted. Scanning these files can prevent the files from being used or may prevent a security policy from being applied to the files. These files should not be scanned because antivirus software may not correctly treat them as proprietary database files.

Turn off scanning of Group Policy related files

  • Group Policy user registry information. These files are located in the following folder:
    %allusersprofile%\
    Specifically, exclude the following file:
    NTUser.pol
  • Group Policy client settings files. These files are located in the following folder:
    %SystemRoot%\System32\GroupPolicy\Machine\
    %SystemRoot%\System32\GroupPolicy\User\
    Specifically, exclude the following file:
    Registry.pol
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
951059 On a Windows Server 2003-based computer, registry-based policy settings are unexpectedly removed after a user logs on to the computer
930597 Some registry-based policy settings are lost and error messages are logged in the Application log on a Windows XP-based computer or on a Windows Vista-based computer

For Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 domain controllers

Because domain controllers provide an important service to clients, the risk of disruption of their activities from malicious code, from malware, or from a virus must be minimized. Antivirus software is the generally accepted way to lessen the risk of infection. Install and configure antivirus software so that the risk to the domain controller is reduced as much as possible and so that performance is affected as little as possible. The following list contains recommendations to help you configure and install antivirus software on a Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 domain controller.

Warning We recommend that you apply the following specified configuration to a test system to make sure that in your specific environment it does not introduce unexpected factors or compromise the stability of the system. The risk from too much scanning is that files are inappropriately flagged as changed. This results in too much replication in Active Directory. If testing verifies that replication is not affected by the following recommendations, you can apply the antivirus software to the production environment.

Note Specific recommendations from antivirus software vendors may supersede the recommendations in this article.
  • Antivirus software must be installed on all domain controllers in the enterprise. Ideally, try to install such software on all other server and client systems that have to interact with the domain controllers. It is optimal to catch the malware at the earliest point, such as at the firewall or at the client system where the malware is introduced. This prevents the malware from ever reaching the infrastructure systems that the clients depend on.
  • Use a version of antivirus software that is designed to work with Active Directory domain controllers and that uses the correct Application Programming Interfaces (APIs) to access files on the server. Older versions of most vendor software inappropriately change a file's metadata as the file is scanned. This causes the File Replication Service engine to recognize a file change and therefore schedule the file for replication. Newer versions prevent this problem. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    815263 Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service
  • Do not use a domain controller to browse the Internet or to perform other activities that may introduce malicious code.
  • We recommend that you minimize the workloads on domain controllers. When possible, avoid using domain controllers in a file server role. This lowers virus-scanning activity on file shares and minimizes performance overhead.
  • Do not put Active Directory or FRS database and log files on NTFS file system compressed volumes.
    For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    318116 Issues with Jet databases on compressed drives

Turn off scanning of Active Directory and Active Directory-related files

  • Exclude the Main NTDS database files. The location of these files is specified in the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
    The default location is %windir%\Ntds. Specifically, exclude the following files:
    Ntds.dit
    Ntds.pat
  • Exclude the Active Directory transaction log files. The location of these files is specified in the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
    The default location is %windir%\Ntds. Specifically, exclude the following files:
    • EDB*.log
    • Res*.log
    • Edb*.jrs
    • Ntds.pat
    Note Windows Server 2003 no longer uses the Ntds.pat file.
  • Exclude the files in the NTDS Working folder that is specified in the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
    Specifically, exclude the following files:
    • Temp.edb
    • Edb.chk

Turn off scanning of SYSVOL files

  • Turn off scanning of files in the File Replication Service (FRS) Working folder that is specified in the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
    The default location is %windir%\Ntfrs. Exclude the following files that exist in the folder:
    • edb.chk in the %windir%\Ntfrs\jet\sys folder
    • Ntfrs.jdb in the %windir%\Ntfrs\jet folder
    • *.log in the %windir%\Ntfrs\jet\log folder
  • Turn off scanning of files in the FRS Database Log files that are specified in the following registry key:
    HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory
    The default location is %windir%\Ntfrs. Exclude the following files:
    • Edb*.log (if the registry key is not set).
    • FRS Working Dir\Jet\Log\Edb*.jrs (Windows Server 2008 and Windows Server 2008 R2).
    Note Settings for specific file exclusions are documented here for completeness. By default, these folders allow access only to System and Administrators. Verify that the correct protections are in place. These folders contain only component working files for FRS and DFSR.
  • Turn off scanning of the Staging folder as specified in the following registry key.
    HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage

    By default, staging uses the following location:
    %systemroot%\Sysvol\Staging areas
    Exclude the following files:
    • Nntfrs_cmp*.*
  • Turn off scanning of files in the Sysvol\Sysvol folder.

    The current location of the Sysvol\Sysvol folder and all its subfolders is the file system reparse target of the replica set root. The Sysvol\Sysvol folder uses the following location:
    %systemroot%\Sysvol\Domain
    Exclude the following files from this folder and all its subfolders:
    • *.adm
    • *.admx
    • *.adml
    • Registry.pol
    • *.aas
    • *.inf
    • Scripts.ini
    • *.ins
    • Oscfilter.ini
  • Turn off scanning of files in the FRS Preinstall folder that is in the following location:
    Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
    The Preinstall folder is always open when FRS is running.

    Exclude the following files from this folder and all its subfolders:
    • Ntfrs*.*
  • Turn off scanning of files in the DFSR database and working folders. The location is specified by the following registry key:
    HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File=Path
    In this registry key, "Path" is the path of an XML file that states the name of the Replication Group. In this example, the path would contain "Domain System Volume."

    The default location is the following hidden folder:
    %systemdrive%\System Volume Information\DFSR
    Exclude the following files from this folder and all its subfolders:
    • $db_normal$
    • FileIDTable_*
    • SimilarityTable_*
    • *.xml
    • $db_dirty$
    • $db_clean$
    • $db_lost$
    • Dfsr.db
    • Fsr.chk
    • *.frx
    • *.log
    • Fsr*.jrs
    • Tmp.edb
    If any one of these folders or files is moved or is put in a different location, scan or exclude the equivalent element.

Turn off scanning of DFS files

The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS or DFSR is used to replicate shares that are mapped to the DFS root and link targets on Windows Server 2008 R2-based, Windows Server 2008-based, Windows Server 2003-based member computers or domain controllers.

Turn off scanning of DHCP files

By default, DHCP files that should be excluded are present in the following folder on the server:
%systemroot%\System32\DHCP
Exclude the following files from this folder and all its subfolders:
  • *.mdb
  • *.pat
  • *.log
  • *.chk
  • *.edb
The location of DHCP files can be changed. To determine the current location of the DHCP files on the server, check the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters that are specified in the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
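The Active Directory, SYSVOL and DHCP sections above each stress that the files may not be in their default location and that the registry value, not the default path, is authoritative. The following PowerShell is an added example (not from the KB article) that resolves those registry values and builds the exclusion list from them, anchoring every pattern to a resolved folder rather than a bare extension. It assumes Microsoft Defender Antivirus as the scanner (Add-MpPreference); the fallback defaults are the ones the article states.

```powershell
# Added example, not from the KB article: resolve the real NTDS, FRS and DHCP
# locations from the registry values the article names, then build the
# exclusion list from those paths rather than assuming the defaults.
# Assumption: the antivirus is Microsoft Defender Antivirus, so exclusions are
# applied with Add-MpPreference; other products have their own interface.
# Run in an elevated session on the domain controller.

function Get-RegValueOrDefault {
    param([string]$Key, [string]$Name, [string]$Default)
    # Get-ItemProperty expands REG_EXPAND_SZ values such as %windir% for us.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$Name) { return [string]$item.$Name }
    return $Default
}

$ntds  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntfrs = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$dhcp  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

# "DSA Database File" is the full path of ntds.dit; the other values are folders.
$ditFile = Get-RegValueOrDefault $ntds  'DSA Database File'      "$env:windir\NTDS\ntds.dit"
$logDir  = Get-RegValueOrDefault $ntds  'Database Log Files Path' "$env:windir\NTDS"
$workDir = Get-RegValueOrDefault $ntds  'DSA Working Directory'   "$env:windir\NTDS"
$frsDir  = Get-RegValueOrDefault $ntfrs 'Working Directory'       "$env:windir\Ntfrs"
# When "DB Log File Directory" is not set, FRS logs live under the working folder.
$frsLog  = Get-RegValueOrDefault $ntfrs 'DB Log File Directory'   (Join-Path $frsDir 'jet\log')

# Every pattern is joined to a resolved folder; a bare "*.dit" style exclusion
# is exactly what the article's note warns against.
$exclusions = @($ditFile)
foreach ($p in 'edb*.log', 'res*.log', 'edb*.jrs') { $exclusions += Join-Path $logDir $p }
foreach ($p in 'temp.edb', 'edb.chk')              { $exclusions += Join-Path $workDir $p }
$exclusions += Join-Path $frsDir 'jet\sys\edb.chk'
$exclusions += Join-Path $frsDir 'jet\ntfrs.jdb'
foreach ($p in '*.log', 'edb*.jrs')                { $exclusions += Join-Path $frsLog $p }

# DHCP only if the role is present; its folder is also relocatable via the registry.
if (Get-Service -Name DHCPServer -ErrorAction SilentlyContinue) {
    $dhcpDir = Get-RegValueOrDefault $dhcp 'DatabasePath' "$env:SystemRoot\System32\dhcp"
    foreach ($p in '*.mdb', '*.pat', '*.log', '*.chk', '*.edb') {
        $exclusions += Join-Path $dhcpDir $p
    }
}

$final = $exclusions | Sort-Object -Unique
$final | ForEach-Object { Write-Output "exclude: $_" }   # review the list before applying
Add-MpPreference -ExclusionPath $final
```

Remove the last line to run the script as a dry run that only prints the resolved list; the article's own advice to test on a non-production system applies before the exclusions are pushed to a production domain controller.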

Turn off scanning of DNS files

By default, DNS uses the following folder:
%systemroot%\System32\Dns
Exclude the following files from this folder and all its subfolders:
  • *.log
  • *.dns
  • BOOT

Turn off scanning of WINS files

By default, WINS uses the following folder:
%systemroot%\System32\Wins
Exclude the following files from this folder and all its subfolders:
  • *.chk
  • *.log
  • *.mdb

For computers that are running Hyper-V based versions of Windows

In some scenarios, on a Windows Server 2008-based computer that has the Hyper-V role installed, or on a computer that is running Microsoft Hyper-V Server 2008 or Microsoft Hyper-V Server 2008 R2, it may be necessary to configure the real-time scanning component within the antivirus software to exclude files and entire folders. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
961804 Virtual machines are missing in the Hyper-V Manager Console or when you create or start a virtual machine, you receive one of the following error codes: "0x800704C8", "0x80070037" or "0x800703E3"

Properties

Article ID: 822158 - Last Review: June 24, 2014 - Revision: 20.0
Applies to
  • Windows Server 2012 R2 Datacenter
  • Windows Server 2012 R2 Essentials
  • Windows Server 2012 R2 Foundation
  • Windows Server 2012 R2 Standard
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Essentials
  • Windows Server 2012 Foundation
  • Windows Server 2012 Standard
  • Windows RT 8.1
  • Windows 8.1
  • Windows 8.1 Enterprise
  • Windows 8.1 Pro
  • Windows RT
  • Windows 8
  • Windows 8 Enterprise
  • Windows 8 Pro
  • Windows 7 Service Pack 1, when used with:
    • Windows 7 Enterprise
    • Windows 7 Professional
    • Windows 7 Ultimate
    • Windows 7 Home Premium
    • Windows 7 Home Basic
  • Windows Server 2008 R2 Service Pack 1, when used with:
    • Windows Server 2008 R2 Standard
    • Windows Server 2008 R2 Enterprise
    • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 Service Pack 2, when used with:
    • Windows Server 2008 for Itanium-Based Systems
    • Windows Server 2008 Datacenter
    • Windows Server 2008 Enterprise
    • Windows Server 2008 Standard
    • Windows Web Server 2008
  • Windows Vista Service Pack 2, when used with:
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
  • Microsoft Windows Server 2003 Service Pack 2, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows XP Service Pack 3, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
Keywords: kbinfo kbprb kbexpertiseinter kbsecurity KB822158
