Applies to:
Windows Server 2022, all editions; Windows Server 2019, all editions; Windows Server 2016, all editions; Windows Server 2012 R2, all editions; Windows Server 2012, all editions; Windows Server 2008 R2 SP1, all editions; Windows 11, all editions; Windows 10, all editions; Windows 8.1, all editions; Windows 7, all editions

Introduction
This article contains recommendations to help an administrator determine the cause of potential instability in the following scenario:
- The issue occurs on a computer that is running a version of Windows or Windows Server that is listed in the "Applies to" section.
- The local system is used together with antivirus software in an Active Directory domain environment or in a managed business environment.
- If you are using Microsoft Defender Antivirus, some or all of the suggested exclusions that are mentioned in this article might be built-in or provided by automatic exclusions. For more information, see the following articles:
Symptoms
Your Windows-based or Windows Server-based computer experiences the following issues:
- System performance
  - High CPU or increased CPU use
    - User mode
    - Kernel mode
  - Kernel memory leaks
    - Nonpaged pool
    - Paged pool
    - Handle leak
  - Slowness
    - File copy when you use Windows Explorer
    - File copy when you use a console app (for example, cmd.exe)
  - Backup operations
- Stability
  - Application slowness
    - Accessing a network share or a mapped drive
    - Windows Explorer temporary lack of response
  - Application failure
    - Access violation
  - Application stops responding
    - Deadlocks
      - Remote procedure call (RPC)
      - Named pipes
    - Race conditions
    - Private bytes memory leak
    - Virtual bytes memory leak
    - Virtual bytes memory fragmentation
- Operating system reliability issues
  - System stops responding (you have to force a restart to recover)
    - Deadlocks
    - Race conditions
    - Handle leaks
    - Nonpaged pool leaks
    - Paged pool leaks
  - Stop errors (also known as bug checks)
For more information, see the following articles:
Resolution
Before you add antivirus exclusions, follow these steps:
- Update the definitions for your third-party antivirus program. If the issue persists, submit a false positive (FP) report to the third-party antivirus vendor's support.
- Verify that you didn't set a specific functionality in a hardened or aggressive mode that causes more of the following symptoms:
  - False positives
  - Application compatibility problems
  - Increased resource use (for example, high CPU use (user mode or kernel mode) or high memory use (user mode or kernel mode))
  - Slowdowns
  - Applications stop responding
  - Application failures
  - Unresponsive system
- Update the version of the third-party antivirus program. Or, for testing, see How to temporarily deactivate the kernel mode filter driver in Windows.
- Work with your third-party antivirus vendor to further troubleshoot. You might have to have the following kind of advanced data available to help narrow down the problem:
Workaround
Important This article contains information that shows how to help lower security settings or how to temporarily turn off security features on a computer. You can make these changes to understand the nature of a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.
Warning
- We do not recommend this workaround. However, we are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.
- This workaround might make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses.
- We recommend that you apply these settings temporarily to evaluate system behavior.
- We are aware of the risk of excluding the specific files or folders that are mentioned in this article from scans that are made by your antivirus software. Your system will be safer if you do not exclude any files or folders from scans.
- When you scan these files, performance and operating system reliability problems might occur because of file locking.
- Do not exclude any one of these files based on the file name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that might use the same extensions as the files that are described in this article.
- This article provides both file names and folders that can be excluded. All the files and folders that are described in this article are protected by default permissions to allow only SYSTEM and administrator access, and they contain only operating system components. Excluding an entire folder might be simpler but might not provide as much protection as excluding specific files based on file names.
- Adding antivirus exclusions should always be the last resort if no other option is feasible.
Turn off scanning of Windows Update or Automatic Update files
- Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder:
  %windir%\SoftwareDistribution\Datastore
- Turn off scanning of the log files that are located in the following folder:
  %windir%\SoftwareDistribution\Datastore\Logs
  Specifically, exclude the following files:
  - Edb*.jrs
  - Edb.chk
  - Tmp.edb
  The wildcard character (*) indicates that there might be several files.
Turn off scanning of Windows Security files
- Add the following files in the %windir%\Security\Database path to the exclusions list:
  - *.edb
  - *.sdb
  - *.log
  - *.chk
  - *.jrs
  - *.xml
  - *.csv
  - *.cmtx
  Note If these files are not excluded, antivirus software might prevent appropriate access to these files, and security databases can become corrupted. Scanning these files can prevent the files from being used or might prevent a security policy from being applied to the files. These files should not be scanned because antivirus software might not correctly treat them as proprietary database files.
  These are the recommended exclusions. There might be other file types that are not included in this article that should be excluded.
Turn off scanning of Group Policy-related files
- Group Policy user registry information. These files are located in the following folder:
  %allusersprofile%\
  Specifically, exclude the following file:
  - NTUser.pol
- Group Policy client settings files. These files are located in the following folders:
  %SystemRoot%\System32\GroupPolicy\Machine\
  %SystemRoot%\System32\GroupPolicy\User\
  Specifically, exclude the following files:
  - Registry.pol
  - Registry.tmp
Note: Group Policy exclusions apply to Windows Server only. If you're using Microsoft Defender Antivirus, Group Policy exclusions are included in automatic server role exclusions.
Turn off scanning of user profile files
- User registry information and supporting files. The files are located in the following folder:
  %userprofile%\
  Specifically, exclude the following files:
  - NTUser.dat*
Running antivirus software on domain controllers
Because domain controllers provide an important service to clients, the risk of disruption of their activities from malicious code, from malware, or from a virus must be minimized. Antivirus software is the generally accepted way to reduce the risk of infection. Install and configure antivirus software so that the risk to the domain controller is reduced as much as possible and performance is affected as little as possible. The following list contains recommendations to help you configure and install antivirus software on a Windows Server domain controller.
Warning We recommend that you apply the following specified configuration to a test system to make sure that in your specific environment it does not introduce unexpected factors or compromise the stability of the system. The risk from too much scanning is that files are inappropriately flagged as changed. This causes too much replication in Active Directory. If testing verifies that replication is not affected by the following recommendations, you can apply the antivirus software to the production environment.
Note Specific recommendations from antivirus software vendors might supersede the recommendations in this article.
- Antivirus software must be installed on all domain controllers in the enterprise. Ideally, try to install such software on all other server and client systems that have to interact with the domain controllers. It is optimal to catch the malware at the earliest point, such as at the firewall or at the client system where the malware is introduced. This prevents the malware from ever reaching the infrastructure systems that the clients depend on.
- Use a version of antivirus software that is designed to work with Active Directory domain controllers and that uses the correct Application Programming Interfaces (APIs) to access files on the server. Older versions of most vendor software inappropriately change a file's metadata as the file is scanned. This causes the File Replication Service engine to recognize a file change and therefore schedule the file for replication. Newer versions prevent this problem.
  For more information, see the following article in the Microsoft Knowledge Base: 815263 Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service
- Do not use a domain controller to browse the internet or to perform other activities that might introduce malicious code.
- We recommend that you minimize the workloads on domain controllers. When possible, avoid using domain controllers in a file server role. This lowers virus-scanning activity on file shares and minimizes performance overhead.
- Do not put Active Directory or FRS database and log files on NTFS file system compressed volumes.
Turn off scanning of Active Directory and Active Directory-related files
- Exclude the main NTDS database files. The location of these files is specified in the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
  The default location is %windir%\Ntds. Specifically, exclude the following files:
  - Ntds.dit
  - Ntds.pat
- Exclude the Active Directory transaction log files. The location of these files is specified in the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
  The default location is %windir%\Ntds. Specifically, exclude the following files:
  - EDB*.log
  - Res*.log
  - Edb*.jrs
  - Ntds.pat
- Exclude the files in the NTDS Working folder that is specified in the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
  Specifically, exclude the following files:
  - Temp.edb
  - Edb.chk
Turn off scanning of SYSVOL files
- Turn off scanning of files in the File Replication Service (FRS) Working folder that is specified in the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
  The default location is %windir%\Ntfrs. Exclude the following files that exist in the folder:
  - edb.chk in the %windir%\Ntfrs\jet\sys folder
  - Ntfrs.jdb in the %windir%\Ntfrs\jet folder
  - *.log in the %windir%\Ntfrs\jet\log folder
- Turn off scanning of files in the FRS Database Log files that are specified in the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory
  The default location is %windir%\Ntfrs. Exclude the following files:
  - Edb*.log (if the registry key is not set)
  - FRS Working Dir\Jet\Log\Edb*.jrs
  Note Settings for specific file exclusions are documented here for completeness. By default, these folders allow access only to System and Administrators. Please verify that the correct protections are in effect. These folders contain only component working files for FRS and DFSR.
- Turn off scanning of the NTFRS Staging folder, as specified in the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage
  By default, staging uses the following location:
  %systemroot%\Sysvol\Staging areas
- Turn off scanning of the DFSR Staging folder as specified in the msDFSR-StagingPath attribute of the object CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DomainControllerName,OU=Domain Controllers,DC=DomainName in AD DS. This attribute contains the path to the actual location that DFS replication uses to stage files. Specifically, exclude the following files:
  - Ntfrs_cmp*.*
  - *.frx
- Turn off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder.
  The current location of the Sysvol\Sysvol or SYSVOL_DFSR\Sysvol folder and all the subfolders is the file system reparse target of the replica set root. The Sysvol\Sysvol and SYSVOL_DFSR\Sysvol folders use the following locations by default:
  %systemroot%\Sysvol\Domain
  %systemroot%\Sysvol_DFSR\Domain
  The path to the currently active SYSVOL is referenced by the NETLOGON share and can be determined by the SysVol value name in the following subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
  Exclude the following files from this folder and all its subfolders:
  - *.adm
  - *.admx
  - *.adml
  - Registry.pol
  - Registry.tmp
  - *.aas
  - *.inf
  - Scripts.ini
  - *.ins
  - Oscfilter.ini
- Turn off scanning of files in the FRS Preinstall folder that is in the following location:
  Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
  The Preinstall folder is always open when FRS is running. Exclude the following files from this folder and all its subfolders:
  - Ntfrs*.*
- Turn off scanning of files in the DFSR database and working folders. The location is specified by the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File=Path
  In this registry subkey, "Path" is the path of an XML file that states the name of the Replication Group. In this example, the path would contain "Domain System Volume." The default location is the following hidden folder:
  %systemdrive%\System Volume Information\DFSR
  Exclude the following files from this folder and all its subfolders:
  - $db_normal$
  - FileIDTable_*
  - SimilarityTable_*
  - *.xml
  - $db_dirty$
  - $db_clean$
  - $db_lost$
  - Dfsr.db
  - Fsr.chk
  - *.frx
  - *.log
  - Fsr*.jrs
  - Tmp.edb
  Note If any one of these folders or files is moved or put into a different location, scan or exclude the equivalent element.
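The three SYSVOL-related locations above are the ones the article says must be looked up rather than assumed (the DFSR staging path from the msDFSR-StagingPath attribute, the active SYSVOL path from the Netlogon SysVol value, and the DFSR database folder from the Replica Set Configuration File value). The following script is an added example, not part of the Microsoft article; it assumes it runs elevated on the domain controller itself with SYSVOL replicated by DFSR, and uses ADSI so the AD PowerShell module is not required. Without -Apply it only reports what it would exclude; with -Apply it uses Microsoft Defender Antivirus's Add-MpPreference.

```powershell
# Added example (not from the Microsoft article). Resolves the DFSR staging folder,
# the active SYSVOL folder and the DFSR database folder for this DC, then lists the
# article's file-level exclusions for each. Add-MpPreference is only called with -Apply.
param([switch]$Apply)

function Get-SysvolExclusionSpec {
    # Domain naming context of this DC's domain, read via ADSI (no AD module needed).
    $domainDn = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value
    # The SYSVOL Subscription object named in the article, with this DC's name substituted.
    $subDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$env:COMPUTERNAME,OU=Domain Controllers,$domainDn"
    $staging = ([ADSI]"LDAP://$subDn").Properties['msDFSR-StagingPath'].Value

    # Active SYSVOL path, as referenced by the NETLOGON share.
    $sysvol = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name SysVol).SysVol

    # Each replication group key holds the path of its XML configuration file; the
    # SYSVOL one names "Domain System Volume" inside the file.
    $rgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\Replication Groups'
    $cfg = Get-ChildItem -Path $rgKey -ErrorAction SilentlyContinue | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath -Name 'Replica Set Configuration File' -ErrorAction SilentlyContinue).'Replica Set Configuration File'
    } | Where-Object { $_ -and (Select-String -Path $_ -Pattern 'Domain System Volume' -Quiet) } | Select-Object -First 1

    # Walk up from the XML file to the folder named DFSR that holds the database files
    # (by default %systemdrive%\System Volume Information\DFSR, per the article).
    $dfsrDb = $null
    if ($cfg) {
        $dfsrDb = Split-Path -Parent $cfg
        while ($dfsrDb -and (Split-Path -Leaf $dfsrDb) -ne 'DFSR') { $dfsrDb = Split-Path -Parent $dfsrDb }
    }

    return @(
        @{ Role = 'DFSR staging';  Folder = $staging; Files = 'Ntfrs_cmp*.*', '*.frx' }
        @{ Role = 'SYSVOL';        Folder = $sysvol;  Files = '*.adm', '*.admx', '*.adml', 'Registry.pol', 'Registry.tmp', '*.aas', '*.inf', 'Scripts.ini', '*.ins', 'Oscfilter.ini' }
        @{ Role = 'DFSR database'; Folder = $dfsrDb;  Files = '$db_normal$', 'FileIDTable_*', 'SimilarityTable_*', '*.xml', '$db_dirty$', '$db_clean$', '$db_lost$', 'Dfsr.db', 'Fsr.chk', '*.frx', '*.log', 'Fsr*.jrs', 'Tmp.edb' }
    )
}

foreach ($item in Get-SysvolExclusionSpec) {
    if (-not $item.Folder) { "$($item.Role): location could not be resolved, skipping"; continue }
    "$($item.Role): $($item.Folder)"
    foreach ($f in $item.Files) {
        $exclusion = Join-Path -Path $item.Folder -ChildPath $f
        if ($Apply) { Add-MpPreference -ExclusionPath $exclusion } else { "  would exclude $exclusion" }
    }
}
```

If SYSVOL is still replicated by FRS on a given DC, the msDFSR-StagingPath lookup fails and the script reports the staging location as unresolved rather than guessing.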
Turn off scanning of DFS files
The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS or DFSR is used to replicate shares that are mapped to the DFS root and link targets on Windows Server 2008 R2-based or Windows Server 2008-based member computers or domain controllers.
Turn off scanning of DHCP files
By default, DHCP files that should be excluded are present in the following folder on the server:
%systemroot%\System32\DHCP
Exclude the following files from this folder and all its subfolders:
- *.mdb
- *.pat
- *.log
- *.chk
- *.edb
The location of DHCP files can be changed. To determine the current location of the DHCP files on the server, check the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters that are specified in the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
Turn off scanning of DNS files
By default, DNS uses the following folder:
%systemroot%\System32\Dns
Exclude the following files from this folder and all its subfolders:
- *.log
- *.dns
- BOOT
Turn off scanning of WINS files
By default, WINS uses the following folder:
%systemroot%\System32\Wins
Exclude the following files from this folder and all its subfolders:
- *.chk
- *.log
- *.mdb
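The NTDS, DHCP, DNS and WINS sections above each give a registry value that can relocate the role's folder, a default path, and a list of files, and the Workaround section states that these folders are protected so that only SYSTEM and administrators have access. The following script is an added example, not part of the Microsoft article; it resolves each folder from the registry value the article names (falling back to the article's default), checks that the folder's ACL really is limited to SYSTEM and Administrators before anything is excluded, and applies the file-level exclusions through Microsoft Defender Antivirus's Add-MpPreference only when run with -Apply. It assumes an elevated session on the server; the NTDS working-directory default and the CREATOR OWNER entry in the allowed ACL list are assumptions not stated on the page.

```powershell
# Added example (not from the Microsoft article). Resolve each role folder from the
# registry value the article cites, verify the ACL claim the article makes, then list
# (or with -Apply, add) the article's file-level exclusions for Microsoft Defender.
param([switch]$Apply)

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dhcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

# Registry value that relocates the folder, the article's default, and the files to exclude.
$spec = @(
  @{ Role = 'NTDS database'; Key = $ntds; Name = 'DSA Database File';       Default = '%windir%\Ntds'; Files = 'Ntds.dit', 'Ntds.pat' }
  @{ Role = 'NTDS logs';     Key = $ntds; Name = 'Database Log Files Path'; Default = '%windir%\Ntds'; Files = 'EDB*.log', 'Res*.log', 'Edb*.jrs', 'Ntds.pat' }
  @{ Role = 'NTDS working';  Key = $ntds; Name = 'DSA Working Directory';   Default = '%windir%\Ntds'; Files = 'Temp.edb', 'Edb.chk' }   # default assumed, not on the page
  @{ Role = 'DHCP database'; Key = $dhcp; Name = 'DatabasePath';            Default = '%systemroot%\System32\DHCP'; Files = '*.mdb', '*.pat', '*.log', '*.chk', '*.edb' }
  @{ Role = 'DHCP log';      Key = $dhcp; Name = 'DhcpLogFilePath';         Default = '%systemroot%\System32\DHCP'; Files = '*.log' }
  @{ Role = 'DNS';           Key = $null; Name = $null;                     Default = '%systemroot%\System32\Dns';  Files = '*.log', '*.dns', 'BOOT' }
  @{ Role = 'WINS';          Key = $null; Name = $null;                     Default = '%systemroot%\System32\Wins'; Files = '*.chk', '*.log', '*.mdb' }
)

function Resolve-RoleFolder([hashtable]$Item) {
    $value = $null
    if ($Item.Key) {
        $value = (Get-ItemProperty -Path $Item.Key -Name $Item.Name -ErrorAction SilentlyContinue).($Item.Name)
    }
    if ([string]::IsNullOrWhiteSpace($value)) { $value = $Item.Default }
    $path = [Environment]::ExpandEnvironmentVariables($value)
    # 'DSA Database File' names ntds.dit itself; every other value names a folder.
    if (Test-Path -LiteralPath $path -PathType Leaf) { $path = Split-Path -Parent $path }
    return $path
}

# True only when every ACE on the folder belongs to SYSTEM, Administrators or CREATOR OWNER (assumed set).
function Test-RestrictedAcl([string]$Path) {
    $allowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'
    $other = (Get-Acl -LiteralPath $Path).Access | Where-Object { $allowed -notcontains $_.IdentityReference.Value }
    return (@($other).Count -eq 0)
}

foreach ($item in $spec) {
    $folder = Resolve-RoleFolder $item
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        "$($item.Role): $folder not present (role not installed?)"; continue
    }
    $restricted = Test-RestrictedAcl $folder
    '{0,-14} {1,-40} ACL limited to SYSTEM/Administrators: {2}' -f $item.Role, $folder, $restricted
    if (-not $restricted) { Write-Warning "$folder grants access to other principals; review the ACL before excluding it"; continue }
    foreach ($f in $item.Files) {
        $exclusion = Join-Path -Path $folder -ChildPath $f
        if ($Apply) { Add-MpPreference -ExclusionPath $exclusion } else { "  would exclude $exclusion" }
    }
}
```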
For computers that are running Hyper-V based versions of Windows
In some scenarios, on a Windows Server 2008-based computer that has the Hyper-V role installed or on a Microsoft Hyper-V Server 2008 or on a Microsoft Hyper-V Server 2008 R2-based computer, it might be necessary to configure the real-time scanning component within the antivirus software to exclude files and entire folders. For more information, see the following article in the Microsoft Knowledge Base:
- 961804 Virtual machines are missing, or error 0x800704C8, 0x80070037, or 0x800703E3 occurs when you try to start or create a virtual machine
Next steps
If your system performance or stability is improved by the recommendations that are made in this article, contact your antivirus software vendor for instructions or for an updated version or settings of the antivirus software.
Note Your third-party antivirus vendor can work with the Microsoft Support team on a commercially reasonable efforts basis.
Change history
The following table summarizes some of the most important changes to this topic.
Date | Description
---|---
August 17, 2021 | Updated the note in the "More information" section: "Note On Windows 10, Windows Server 2016, and later..."
November 2, 2021 | Updated the note in the "More information" section: "This also applies to Windows Server 2012 R2..."
March 14, 2022 | Revision of whole article. Added "Symptoms" and "Resolution" sections, and reorganized the remaining content.
July 14, 2023 | Added a third bullet item in the "Introduction" section. Added a "Symptoms" section heading. Removed the "More information" section.
August 7, 2023 | Fixed layout problems that ran several lines together in the exclusions lists