Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows
Information for home usersFor more information about virus scanning with recommendations for consumers, visit the following Microsoft Web page:
Note We recommend that you temporarily apply these procedures to evaluate a system. If your system performance or stability is improved by the recommendations that are made in this article, contact your antivirus software vendor for instructions or for an updated version of the antivirus software.
ImportantThis article contains information that shows how to help lower security settings or how to temporarily turn off security features on a computer. You can make these changes to understand the nature of a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.
For computers that are running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows XP, Windows Vista, Windows 7, or Windows 8, Windows 8.1WarningThis workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.
- We are aware of a risk of excluding the specific files or folders that are mentioned in this article from scans that are made by your antivirus software. Your system will be safer if you do not exclude any files or folders from scans.
- When you scan these files, performance and operating system reliability problems may occur because of file locking.
- Do not exclude any one of these files based on the file name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extensions as the files that are described in this article.
- This article provides both file names and folders that can be excluded. All the files and folders that are described in this article are protected by default permissions to allow only SYSTEM and administrator access, and they contain only operating system components. Excluding an entire folder maybe simpler but may not provide as much protection as excluding specific files based on file names.
Turn off scanning of Windows Update or Automatic Update related files
- Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder:%windir%\SoftwareDistribution\Datastore
- Turn off scanning of the log files that are located in the following folder:%windir%\SoftwareDistribution\Datastore\LogsSpecifically, exclude the following files:
- The wildcard character (*) indicates that there may be several files.
Turn off scanning of Windows Security files
- Add the following files in the %windir%\Security\Database path of the exclusions list:
Turn off scanning of Group Policy related files
- Group Policy user registry information. These files are located in the following folder:%allusersprofile%\Specifically, exclude the following file:NTUser.pol
- Group Policy client settings files. These files are located in the following folder:%SystemRoot%\System32\GroupPolicy\Machine\Specifically, exclude the following file:
For Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 domain controllersBecause domain controllers provide an important service to clients, the risk of disruption of their activities from malicious code, from malware, or from a virus must be minimized. Antivirus software is the generally accepted way to lessen the risk of infection. Install and configure antivirus software so that the risk to the domain controller is reduced as much as possible and so that performance is affected as little as possible. The following list contains recommendations to help you configure and install antivirus software on a Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 domain controller.
WarningWe recommend that you apply the following specified configuration to a test system to make sure that in your specific environment it does not introduce unexpected factors or compromise the stability of the system. The risk from too much scanning is that files are inappropriately flagged as changed. This results in too much replication in Active Directory. If testing verifies that replication is not affected by the following recommendations, you can apply the antivirus software to the production environment.
Note Specific recommendations from antivirus software vendors may supersede the recommendations in this article.
- Antivirus software must be installed on all domain controllers in the enterprise. Ideally, try to install such software on all other server and client systems that have to interact with the domain controllers. It is optimal to catch the malware at the earliest point, such as at the firewall or at the client system where the malware is introduced. This prevents the malware from ever reaching the infrastructure systems that the clients depend on.
- Use a version of antivirus software that is designed to work with Active Directory domain controllers and that uses the correct Application Programming Interfaces (APIs) to access files on the server. Older versions of most vendor software inappropriately change a file's metadata as the file is scanned. This causes the File Replication Service engine to recognize a file change and therefore schedule the file for replication. Newer versions prevent this problem.For more information, click the following article number to view the article in the Microsoft Knowledge Base:815263Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service
- Do not use a domain controller to browse the Internet or to perform other activities that may introduce malicious code.
- We recommend that you minimize the workloads on domain controllers. When possible, avoid using domain controllers in a file server role. This lowers virus-scanning activity on file shares and minimizes performance overhead.
- Do not put Active Directory or FRS database and log files on NTFS file system compressed volumes.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:318116Issues with Jet databases on compressed drives
Turn off scanning of Active Directory and Active Directory-related files
- Exclude the Main NTDS database files. The location of these files is specified in the following registry key:The default location is %windir%\Ntds. Specifically, exclude the following files:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database FileNtds.dit
- Exclude the Active Directory transaction log files. The location of these files is specified in the following registry key:The default location is %windir%\Ntds.Specifically, exclude the following files:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
- Exclude the files in the NTDS Working folder that is specified in the following registry key:Specifically, exclude the following files:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
Turn off scanning of SYSVOL files
- Turn off scanning of files in the File Replication Service (FRS) Working folder that is specified in the following registry key:The default location is %windir%\Ntfrs. Exclude the following files that exist in the folder:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
- edb.chk in the %windir%\Ntfrs\jet\sys folder
- Ntfrs.jdb in the %windir%\Ntfrs\jet folder
- *.log in the %windir%\Ntfrs\jet\log folder
- Turn off scanning of files in the FRS Database Log files that are specified in the following registry key:The default location is %windir%\Ntfrs. Exclude the following files:HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory
- Edb*.log (if the registry key is not set).
- FRS Working Dir\Jet\Log\Edb*.jrs (Windows Server 2008 and Windows Server 2008 R2).
- Turn off scanning of the Staging folder as specified in the following registry key.HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage
By default, staging uses the following location:%systemroot%\Sysvol\Staging areasExclude the following files:
- Turn off scanning of files in the Sysvol\Sysvol folder.
The current location of the Sysvol\Sysvol folder and all its subfolders is the file system reparse target of the replica set root. The Sysvol\Sysvol folder uses the following location:%systemroot%\Sysvol\DomainExclude the following files from this folder and all its subfolders:
- Turn off scanning of files in the FRS Preinstall folder that is in the following location:Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_DirectoryThe Preinstall folder is always open when FRS is running.
Exclude the following files from this folder and all its subfolders:
- Turn off scanning of files in the DFSR database and working folders. The location is specified by the following registry key:In this registry key, "Path" is the path of an XML file that states the name of the Replication Group. In this example, the path would contain "Domain System Volume."HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File=Path >
The default location is the following hidden folder:%systemdrive%\System Volume Information\DFSRExclude the following files from this folder and all its subfolders:
Turn off scanning of DFS filesThe same resources that are excluded for a SYSVOL replica set must also be excluded when FRS or DFSR is used to replicate shares that are mapped to the DFS root and link targets on Windows Server 2008 R2-based, Windows Server 2008-based, Windows Server 2003-based member computers or domain controllers.
Turn off scanning of DHCP filesBy default, DHCP files that should be excluded are present in the following folder on the server:
Turn off scanning of DNS filesBy default, DNS uses the following folder:
Turn off scanning of WINS filesBy default, WINS uses the following folder:
For computers that are running Hyper-V based versions of WindowsIn some scenarios, on a Windows Server 2008-based computer that has the Hyper-V role installed or on a Microsoft Hyper-V Server 2008 or on a Microsoft Hyper-V Server 2008 R2-based computer, it may be necessary to configure the real-time scanning component within the antivirus software to exclude files and entire folders. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Article ID: 822158 - Last Review: 04/13/2015 16:36:00 - Revision: 20.1
- kbinfo kbprb kbexpertiseinter kbsecurity KB822158