Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
KASPERSKY LAB SCAN EXCLUSIONS usa.kaspersky.com TABLE OF CONTENTS 2 KASPERSKY LAB SCAN EXCLUSIONS BY APPLICATION 5 GENERAL EXCLUSIONS FOR MICROSOFT 6 WINDOWS 2008 R2, WINDOWS 2008, WINDOWS 2003 R2, WINDOWS 2003, WINDOWS 2000, WINDOWS 7, WINDOWS VISTA AND WINDOWS XP Windows Updates or Automatic Updates related files (database) Windows Updates or Automatic Updates related files (logs) Windows Security files Group Policy related files. Print Spooler Paging file MSMQ 6 6 6 6 6 6 6 7 DOMAIN CONTROLLERS ON MICROSOFT WINDOWS 2008 R2, WINDOWS 2008, WINDOWS 2003 R2, WINDOWS 2003, WINDOWS 2000 Active Directory related files (NTDS database). Active Directory related files (transaction logs). Active Directory related files (NTDS working directory). Sysvol files (FRS working directory) Sysvol files (FRS database logs) Sysvol files (staging files). Sysvol subfolder. Sysvol files (FRS preinstall directory). DFS files (database, logs and working folders) 7 7 7 7 8 8 8 8 8 9 DHCP SERVERS 9 DNS SERVERS 10 WINS SERVERS 10 IIS SERVERS 6.0/7.0 10 WSUS SERVERS 10 SERVER CLUSTERS 11 SQL SERVERS Common Exclusions SQL Server 2005 SQL Server 2008 SQL Server 2008 R2 SQL Server 2012 11 11 12 12 12 12 KASPERSKY LAB SCAN EXCLUSIONS 3 ISA AND FOREFRONT SERVERS ISA 2000 ISA 2004/2006 SE/EE IAG 2007 TMG MBE TMG 2010. UAG 2010. 13 13 13 14 14 14 15 SYSTEM CENTER PRODUCTS AND THEIR PREDECESSORS SMS 2003. Logs. SCCM 2012 SCCM 2007. SCDPM 2007. SCOM 2007/2012 and MOM 2005. SMS_CCM\ServiceData The transaction log files SMS – inboxes directory. 15 15 15 16 16 16 16 17 17 17 SHAREPOINT SERVERS & SERVICES SharePoint Service 3.0. SharePoint Portal Server 2001/2003. SharePoint Server 2007. SharePoint Foundation 2010 SharePoint Foundation 2013 SharePoint Server 2010 SharePoint Foundation 2013 SharePoint Server 2013 18 18 18 18 18 19 19 19 19 VIRTUALIZATION SOLUTIONS Hyper-V Servers MED-V App-V 20 20 20 20 MICROSOFT SBS 2003 21 MICROSOFT EXCHANGE SERVERS Exchange 2003 Servers Exchange 2007 Servers Exchange 2010 Servers Exchange 2016 Servers 21 21 21 24 27 LYNC SERVER 2010 31 DATA PROTECTION MANAGER 32 DYNAMICS AX 2009 32 KASPERSKY LAB SCAN EXCLUSIONS 4 BIZTALK 2004 SERVERS 32 DYNAMICS CRM 32 MICROSOFT OFFICE COMMUNICATIONS SERVER 33 SKYPE FOR BUSINESS SERVER 2015 33 TEAM FOUNDATION SERVER 2010/2012/2013: 34 HOW TO ADD EXCLUSIONS IN KES 10 FOR WINDOWS 34 HOW TO ADD EXCLUSIONS IN KAV 8.0 FOR WINDOWS SERVERS EE 37 KASPERSKY LAB SCAN EXCLUSIONS KASPERSKY LAB SCAN EXCLUSIONS BY APPLICATION One of the first steps in the implementation of antivirus protection is creation of antivirus policies. On a product by product basis, software vendors generally provide information as to what files, folders, processes and file extensions should be excluded from scanning by an antivirus product. It’s not a strict requirement but it is generally done to improve performance of a system and/or increase system stability. In the end, it becomes a determination of stability / performance versus security and should be handled on a case by case basis given a specific product. This article describes exclusions provided by Microsoft for its products specifically for: • Kaspersky Endpoint Security 10 for Windows • Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition Transport level or product aware scanners like Kaspersky Anti-Virus for Microsoft ISA Server and Kaspersky Security for Microsoft Exchange Server are out of scope of this document. In addition, non-Windows based clients / servers are out of scope. In some cases, additional configuration, such as disabling the firewall component of the antivirus software, is required for optimal operation of a server; however, agent configuration beyond exclusions is out of scope. Many of these items are also included in the default exclusion list available in KES 10 & WSEE 8.0 however additional configuration may be required on a case by case basis. We have also included citations for the specific Microsoft sites that discuss the exclusion in each section. Below, all recommendations are given for default paths. If you use non default locations you should adjust these settings. All settings should be applied temporary at first to evaluate a system. 5 KASPERSKY LAB SCAN EXCLUSIONS GENERAL EXCLUSIONS FOR MICROSOFT WINDOWS 2008 R2, WINDOWS 2008, WINDOWS 2003 R2, WINDOWS 2003, WINDOWS 2000, WINDOWS 7, WINDOWS VISTA AND WINDOWS XP Windows Updates or Automatic Updates related files (database) Exclusion: • %windir%\SoftwareDistribution\Datastore\Datastore.edb Windows Updates or Automatic Updates related files (logs) Exclusion: • %windir%\SoftwareDistribution\Datastore\Logs\Res*.log • %windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs • %windir%\SoftwareDistribution\Datastore\Logs\Edb.chk • %windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb Windows Security files Scanning of these files may prevent security policy from being applied. Exclusion: • %windir%\Security\Database\*.edb • %windir%\Security\Database\*.sdb • %windir%\Security\Database\*.log • %windir%\Security\Database\*.chk • %windir%\Security\Database\*.jrs Group Policy related files. Exclusion: • %allusersprofile%\NTUser.pol • %Systemroot%\System32\GroupPolicy\Registry.pol Print Spooler Service which manages print queues and controls printing jobs Exclusion: • spoolsv.exe Paging file An important part of virtual memory implementation Exclusion: • pagefile.sys • %Systemdrive%\pagefile.sys 6 KASPERSKY LAB SCAN EXCLUSIONS MSMQ A messaging protocol that allows applications running on separate servers to communicate in a failsafe manner Exclusion: • %SystemRoot%\system32\MSMQ\ • %SystemRoot%\system32\MSMQ\storage Please use this link for more detailed information. DOMAIN CONTROLLERS ON MICROSOFT WINDOWS 2008 R2, WINDOWS 2008, WINDOWS 2003 R2, WINDOWS 2003, WINDOWS 2000 Active Directory related files (NTDS database). Exclusion: • %windir%\Ntds\Ntds.dit • %windir%\Ntds\Ntds.pat Non default path could be found here: • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File Active Directory related files (transaction logs). Exclusion: • %windir%\Ntds\EDB*.log • %windir%\Ntds\Res*.log • %windir%\Ntds\Res*.jrs • %windir%\Ntds\Ntds.pat • %windir%\Ntds Non default path could be found here: • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory Active Directory related files (NTDS working directory). Exclusion: • %windir%\Ntds\Temp.edb • %windir%\Ntds\Edb.chk Non default path could be found here: • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory 7 KASPERSKY LAB SCAN EXCLUSIONS Sysvol files (FRS working directory) System volume is a shared folder that stores public files (elements of Group Policy, scripts, etc) distributed to other domain controllers via File Replication service. Exclusion: • %windir%\Ntfrs\edb.chk • %windir%\Ntfrs\Ntfrs.jdb • %windir%\Ntfrs\*.log Non default path could be found here: • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory Sysvol files (FRS database logs) Located in %windir%\Ntfrs. Exclusion: • Eedb*.log (if the registry key is not set) • FRS Working Dir\Jet\Log\Edb*.jrs (Windows 2008 and Windows 2008 R2) Non default path could be found here: • HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory Sysvol files (staging files). Exclusion: • %systemroot%\Sysvol\Staging areas\Nntfrs_cmp*.* Non default path could be found here: • HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica\Set Stage Sysvol subfolder. Default location is %systemroot%\Sysvol\Sysvol. Exclude the following files from this folder and all its subfolders: • %systemroot%\Sysvol\Domain\*.adm • %systemroot%\Sysvol\Domain\*.admx • %systemroot%\Sysvol\Domain\*.adml • %systemroot%\Sysvol\Domain\Registry.pol • %systemroot%\Sysvol\Domain\*.aas • %systemroot%\Sysvol\Domain\*.inf • %systemroot%\Sysvol\Domain\Fdeploy.inf • %systemroot%\Sysvol\Domain\Scripts.ini • %systemroot%\Sysvol\Domain\*.ins • %systemroot%\Sysvol\Domain\Oscfilter.ini Sysvol files (FRS preinstall directory). Exclusion: • %windir%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory 8 KASPERSKY LAB SCAN EXCLUSIONS DFS files (database, logs and working folders) Distributed File System technology offers WAN friendly replication and simplified faulttolerant access to geographically dispersed files. Default location is %systemdrive%\System Volume Information\DFSR. Exclude the following files from this folder and all its subfolders: • $db_normal$ • FileIDTable_2 • SimilarityTable_2 • *.xml • $db_dirty$ • Dfsr.db • Fsr.chk • *.log • Fsr*.jrs • Tmp.edb Also, exclude the following replicated folder: • %systemdrive%\<replicated folder>\dfsrprivate\staging\*.frx Non default path could be found here: • HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\ Replication Groups\GUID\Replica Set Configuration File=Path > Please use this link & this link for more detailed information. DHCP SERVERS By default DHCP related files are located in %systemroot%\System32\DHCP. Exclude the following files from this folder and all its subfolders: • *.mdb • *.pat • *.log • *.chk • *.edb Excluding files from all DHCP Dir subfolders: • <DHCP folder>\*\*.mdb • <DHCP folder>\*\*.pat • <DHCP folder>\*\*.log • <DHCP folder>\*\*.chk • <DHCP folder>\*\*.edb Non default path could be found here: • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters Please use this link for more detailed information. 9 KASPERSKY LAB SCAN EXCLUSIONS DNS SERVERS By default DNS related files are located in %systemroot%\System32\Dns. Exclude the following files from this folder and all its subfolders: • *.log • *.dns • BOOT Please use this link for more detailed information. WINS SERVERS By default WINS related files are located in %systemroot%\System32\Wins. • Exclude the following files from this folder and all its subfolders: • %systemroot%\System32\Wins\*.chk • %systemroot%\System32\Wins\*.log • %systemroot%\System32\Wins\*.mdb Please use this link for more detailed information. IIS SERVERS 6.0/7.0 Exclude: • %systemroot%\IIS Temporary Compressed Files (IIS 6.0) • %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files (IIS 7.0) • %systemroot%\system32\inetsrv Please use this link for more detailed information. WSUS SERVERS Exclude: • Wsusscan.cab • Wsusscn2.cab • %SystemDrive%\WSUS\WSUSContent • %SystemDrive%\WSUS\UpdateServicesDBFiles • %SystemRoot%\SoftwareDistribution\Datastore Please use this link and link for more detailed information. 10 KASPERSKY LAB SCAN EXCLUSIONS SERVER CLUSTERS Exclude: • Q:\ (Quorum drive) - The path of the \mscs folder on the quorum hard disk. For example, exclude the Q:\mscs folder from virus scanning. • C:\Windows\Cluster - The %Systemroot%\Cluster folder. • The temp folder for the Cluster Service account. For example, exclude the \ clusterserviceaccount\Local Settings\Temp folder from virus scanning. Please use this link for more detailed information. SQL SERVERS Common Exclusions Exclude data files: • *.mdf • *.ndf Exclude logs: • *.ldf Exclude backup files: • *.bak • *.trn Exclude SQL Audit Files • *.sqlaudit Exclude SQL Trace Files • *.trc Exclude full-text catalog files: “FTData” folders • Default instance: Program Files\Microsoft SQL Server\MSSQL\FTDATA • Named instance: Program Files\Microsoft SQL Server\MSSQL$instancename\FTDATA Exclude Analysis Services data: • %ProgramFiles%\Microsoft SQL Server\MSSQL.X\OLAP\data Exclude Analysis Services backup files: • %ProgramFiles%\Microsoft SQL Server\MSSQL.X\OLAP\Backup Exclude Analysis Services logs: • %ProgramFiles%\Microsoft SQL Server\MSSQL.X\OLAP\Log 11 KASPERSKY LAB SCAN EXCLUSIONS SQL Server 2005 • %ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe • %ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ ReportingServicesService.exe • %ProgramFiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe SQL Server 2008 • %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\MSSQL\Binn\ SQLServr.exe • %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\Reporting Services\ ReportServer\Bin\ReportingServicesService.exe • %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\OLAP\Bin\MSMDSrv. exe SQL Server 2008 R2 • %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\MSSQL\Binn\ SQLServr.exe • %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe • %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\OLAP\Bin\ MSMDSrv.exe SQL Server 2012 • %ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr. exe • %ProgramFiles%\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting Services\ ReportServer\Bin\ReportingServicesService.exe • %ProgramFiles%\Microsoft SQL Server\MSAS11.<Instance Name>\OLAP\Bin\MSMDSrv.exe Exclusion overview SQL Server 2012 \ 2008 \ 2008 R2\ 2005 \ 2000 • “%ProgramFiles%\Microsoft SQL Server\MSSQL.?\*\Data\*.mdf • %ProgramFiles%\Microsoft SQL Server\MSSQL.?\*\Data\*.ldf • %ProgramFiles%\Microsoft SQL Server\MSSQL.?\*\Data\*.ndf” • “%ProgramFiles%\Microsoft SQL Server\MSSQL.?\*\Backup\*.bak • %ProgramFiles%\Microsoft SQL Server\MSSQL.?\*\Backup\*.trn” • %ProgramFiles%\Microsoft SQL Server\MSSQL\FTDATA • %ProgramFiles%\Microsoft SQL Server\MSSQL$instancename\FTDATA • %ProgramFiles%\Microsoft SQL Server\MSSQL.?\OLAP\Data • %ProgramFiles%\Microsoft SQL Server\MSSQL.?\OLAP\Log • %ProgramFiles%\Microsoft SQL Server\MSSQL.?\OLAP\Backup • “%ProgramFiles%\Microsoft SQL Server\MSSQL\data\*.mdf • %ProgramFiles%\Microsoft SQL Server\MSSQL\data\*.ldf • %ProgramFiles%\Microsoft SQL Server\MSSQL\data\*.ndf” • “%ProgramFiles%\Microsoft SQL Server\MSSQL\BACKUP\*.bak • %ProgramFiles%\Microsoft SQL Server\MSSQL\BACKUP\*.trn” Please use this link for more detailed information. 12 KASPERSKY LAB SCAN EXCLUSIONS ISA AND FOREFRONT SERVERS This section contains information about: • Internet Security and Acceleration (ISA) Server 2000/2004/2006 Standard/Enterprise Editions. • Intelligent Application Gateway (IAG) 2007. • Forefront Threat Management Gateway (TMG) Medium Business Edition. • Forefront Threat Management Gateway (TMG) 2010. • Forefront Unified Access Gateway (UAG) 2010. General exclusions: • Application’s working directory • Logs • Configuration storage • Cache storage • Application’s processes • General folders and files mentioned in sections above • ISA/Forefront-aware antivirus program folders. ISA 2000 Exclude: • %ProgramFiles%\Microsoft ISA Server • %ProgramFiles%\Microsoft ISA Server\ISALogs • ISA Server Web cache • %ProgramFiles%\Microsoft ISA Server\dailysum.exe • %ProgramFiles%\Microsoft ISA Server\repgen.exe • %ProgramFiles%\Microsoft ISA Server\mspadmin.exe • %ProgramFiles%\Microsoft ISA Server\w3prefch.exe • %ProgramFiles%\Microsoft ISA Server\wspsrv.exe ISA 2004/2006 SE/EE Exclude: • %ProgramFiles%\Microsoft ISA Server • %ProgramFiles%\Microsoft SQL Server • ISA Server Web cache • %ProgramFiles%\Microsoft ISA Server\dailysum.exe • %ProgramFiles%\Microsoft ISA Server\isastg.exe • %ProgramFiles%\Microsoft ISA Server\mspadmin.exe • %ProgramFiles%\Microsoft ISA Server\w3prefch.exe • %ProgramFiles%\Microsoft ISA Server\wspsrv.exe • %ProgramFiles%\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe • %ProgramFiles%\Microsoft SQL Server\MSSQL$MSFW\sqlservr.exe • %WinDir%\System32\dsamain.exe (Enterprise version only) 13 KASPERSKY LAB SCAN EXCLUSIONS IAG 2007 Exclude: • The same files which were excluded for IIS. • The same files which were excluded for ISA 2006. • c:\whale-com\e-gap\ • %WinDir%\System32\inetsrv\inetinfo.exe • %WinDir%\System32\inetsrv\w3wp.exe • %SystemDrive%\Whale-Com\e-Gap\common\bin\MonitorMgrCom.exe • %SystemDrive%\Whale-Com\e-Gap\common\bin\SessionMgrCom.exe • %SystemDrive%\Whale-Com\e-Gap\von\FileAccess\ShareAccess.exe • %SystemDrive%\Whale-Com\e-Gap\common\bin\UserMgrCom.exe • %SystemDrive%\Whale-Com\e-Gap\common\bin\whlerrsrvd.exe • %SystemDrive%\Whale-Com\e-Gap\common\bin\whlios.exe TMG MBE Exclude: • %ProgramFiles%\Microsoft ISA Server • %ProgramFiles(x86)%\Microsoft SQL Server • %SystemRoot%\Temp\ScanStorage • %ProgramFiles(x86)%\Microsoft ISA Server\Logs • TMG Web cache • %SystemDrive%\InetPub • %ProgramFiles(x86)%\Microsoft ISA Server\dailysum.exe • %ProgramFiles(x86)%\Microsoft ISA Server\isarepgen.exe • %ProgramFiles(x86)%\Microsoft ISA Server\isadlviewer.exe • %ProgramFiles(x86)%\Microsoft ISA Server\isastg.exe • %ProgramFiles(x86)%\Microsoft ISA Server\mspadmin.exe • %ProgramFiles(x86)%\Microsoft ISA Server\wspsrv.exe • %ProgramFiles(x86)%\Microsoft ISA Server\w3prefch.exe • %ProgramFiles(x86)%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe • %ProgramFiles(x86)%\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe • %ProgramFiles(x86)%\Microsoft SQL Server\90\Shared\sqlwriter.exe • %WinDir%\System32\dsamain.exe • %WinDir%\System32\inetsrv\inetinfo.exe • %WinDir%\System32\inetsrv\w3wp.exe TMG 2010. Exclude: • %ProgramFiles%\Microsoft Forefront Threat Management Gateway • %ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS • %ProgramFiles%\Microsoft SQL Server\MSSQL10.MSFW • %SystemRoot%\Temp\ScanStorage • %ProgramFiles%\Microsoft Forefront Threat Management Gateway\Logs\Web cache • TMG Web cache • %ProgramFiles%\Microsoft Forefront Threat Management Gateway\dailysum.exe • %ProgramFiles%\Microsoft Forefront Threat Management Gateway\isarepgen.exe • %ProgramFiles%\Microsoft Forefront Threat Management Gateway\isadlviewer.exe • %ProgramFiles%\Microsoft Forefront Threat Management Gateway\IsaManagedCtrl.exe • %ProgramFiles%\Microsoft Forefront Threat Management Gateway\isastg.exe • %ProgramFiles%\Microsoft Forefront Threat Management Gateway\mspadmin.exe 14 KASPERSKY LAB SCAN EXCLUSIONS • %ProgramFiles%\Microsoft Forefront Threat Management Gateway\wspsrv.exe • %ProgramFiles%\Microsoft Forefront Threat Management Gateway\w3prefch.exe • %ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS\MSSQL\Binn\sqlservr.exe • %ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS\MSSQL\Binn\ ReportingServicesService.exe • %ProgramFiles%\Microsoft SQL Server\MSSQL10.MSFW\MSSQL\Binn\sqlservr.exe • %WinDir%\System32\dsamain.exe UAG 2010. Exclude: • The same files which were excluded for IIS. • The same files which were excluded for TMG 2010. • %ProgramFiles%\Microsoft Forefront Unified Access Gateway. • %ProgramFiles%\Microsoft Forefront Unified Access Gateway\DnsAlgSrv.exe • %ProgramFiles%\Microsoft Forefront Unified Access Gateway\MonitorMgrCom.exe • %ProgramFiles%\Microsoft Forefront Unified Access Gateway\SessionMgrCom.exe • %ProgramFiles%\Microsoft Forefront Unified Access Gateway\ShareAccess.exe • %ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagqessvc.exe • %ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagrdpsvc.exe • %ProgramFiles%\Microsoft Forefront Unified Access Gateway\UserMgrCom.exe • %ProgramFiles%\Microsoft Forefront Unified Access Gateway\WatchDogSrv.exe • %ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlerrsrv.exe • %ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlios.exe Please use this link for more detailed information. SYSTEM CENTER PRODUCTS AND THEIR PREDECESSORS This section contains information about: • Systems Management Server (SMS) 2003 and Configuration Manager (SCCM) 2007. • System Center Data Protection Manager (SCDPM) 2007. • System Center Operations Manager (SCOM) 2007 and Operations Manager (MOM) 2005. SMS 2003. Exclude: • SMS\Inboxes directory on Microsoft Systems Management Server site servers. • SMS_CCM\ServiceData directory on Microsoft SMS Management Points. Please use this link for more detailed information. Logs. Exclude: • %ProgramFiles%\Microsoft Configuration Manager\Logs\*.log 15 KASPERSKY LAB SCAN EXCLUSIONS SCCM 2012 Exclude: • C:\Windows\TEMP\BootImages\{GUID} • \Windows\TEMP\BootImages\* • \ConfigMgr_OfflineImageServicing • %allusersprofile%\NTUser.pol • %systemroot%\system32\GroupPolicy\registry.pol • %windir%\Security\database\*.chk • %windir%\Security\database\*.edb • %windir%\Security\database\*.jrs • %windir%\Security\database\*.log • %windir%\Security\database\*.sdb • %windir%\SoftwareDistribution\Datastore\Datastore.edb • %windir%\SoftwareDistribution\Datastore\Logs\edb.chk • %windir%\SoftwareDistribution\Datastore\Logs\edb*.log • %windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs • %windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs • %windir%\SoftwareDistribution\Datastore\Logs\Res1.log • %windir%\SoftwareDistribution\Datastore\Logs\Res2.log • %windir%\SoftwareDistribution\Datastore\Logs\tmp.edb • %programfiles%\Microsoft Configuration Manager\Inboxes\*.* • %programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*.* Please use this link for more detailed information. SCCM 2007. Exclude: • %ProgramFiles%\Microsoft Configuration Manager\Inboxes Please use this link for more detailed information. SCDPM 2007. Exclude: • %ProgramFiles%\Microsoft Data Protection Manager\DPM\XSD • %ProgramFiles%\Microsoft Data Protection Manager\DPM\Temp\MTA • %ProgramFiles%\Microsoft Data Protection Manager\DPM\bin\dpmra.exe • %WinDir%\Microsoft.net\Framework\v2.0.50727\csc.exe Please use this link for more detailed information. SCOM 2007/2012 and MOM 2005. Exclude: • Momhost.exe (MOM 2005) • Monitoringhost.exe (SCOM 2007 & SCOM 2012) • %allusersprofile%\Application Data\Microsoft\Microsoft Operations Manager\ (MOM 2005) • %ProgramFiles%\System Center Operations Manager 2007\Health Service State\Health Service Store (SCOM 2007) • %ProgramFiles%\System Center 2012\Operations Manager\<Component>\Health Service State\Health Service Store (SCOM 2012) • %Program Files%\Microsoft SQL Server\MSSQL.1\MSSQL\Data 16 KASPERSKY LAB SCAN EXCLUSIONS • %ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Log • Extensions: WKF, PQF, PQF0, PQF1, EDB, CHK, LOG, MDF, LDF Please use this link for more detailed information. SMS_CCM\ServiceData • %ProgramFiles%\SMS_CCM\ServiceData\*.msg • %ProgramFiles%\SMS_CCM\ServiceData\*.que • %ProgramFiles%\SMS_CCM\ServiceData\*.xml The transaction log files • %windir%\SoftwareDistribution\Datastore\Logs\Edb*.log • %windir%\SoftwareDistribution\Datastore\Logs\Res?.log • %windir%\SoftwareDistribution\Datastore\Logs\Edb.chk • %windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb • %allusersprofile%\NTUser.pol • %systemroot%\system32\GroupPolicy\Machine\registry.pol • ?:\SMSPKG\*.* • ?:\SMSPKG?$\*.* • ?:\SMSPKGSIG\*.* • ?:\SMSSIG$\*.* • ?:\SCCMContentLib\*.* SMS – inboxes directory. Exclude: • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.adc • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.box • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ccr • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.cfg • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.cmn • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ct0 • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ct1 • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ct2 • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.dat • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.dc • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ddr • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.i* • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ins • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ist • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.job • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.lkp • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.lo_ • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.log • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.mif • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.mof • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.nal • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ncf • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.nhm • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ofn • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ofr 17 KASPERSKY LAB SCAN EXCLUSIONS • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.p* • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.pcf • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.pck • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.pdf • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.pkg • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.pkn • %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.rpl SHAREPOINT SERVERS & SERVICES SharePoint Service 3.0. Exclude: • %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\Logs • %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\Data\ Applications (if the computer is running the Windows SharePoint Services Search service) • %WinDir%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files • %WinDir%\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files (on 64bit systems) • %allusersprofile%\Application Data\Microsoft\SharePoint\Config • %WinDir%\Temp\WebTempDir • %SystemDrive%\Documents and Settings\service_account\Local Settings\Temp\ Please use this link for more detailed information. SharePoint Portal Server 2001/2003. Exclude: • %ProgramFiles%\SharePoint Portal Server • %ProgramFiles%\Common Files\Microsoft Shared\Web Storage System • %WinDir%\Temp\Frontpagetempdir (If use are using SPS 2003 SP1) Please use this link for more detailed information. SharePoint Server 2007. Exclude: • %ProgramFiles%\Microsoft Office Servers\12.0\Data • %ProgramFiles%\Microsoft Office Servers\12.0\Logs • %ProgramFiles%\Microsoft Office Servers\12.0\Bin Please use this link for more detailed information. SharePoint Foundation 2010 Exclude: • Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Logs • Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Data\ Applications • Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files • Drive: \Users\ServiceAccount\AppData\Local\Temp\WebTempDir • Drive:\ProgramData\Microsoft\SharePoint 18 KASPERSKY LAB SCAN EXCLUSIONS • Drive:\Users\account that the search service is running as\AppData\Local\Temp • Drive:\WINDOWS\system32\LogFiles • Drive:\Windows\Syswow64\LogFiles • Drive:\Users\ServiceAccount\AppData\Local\Temp • Drive:\Users\Default\AppData\Local\Temp Please use this link for more detailed information. SharePoint Foundation 2013 Exclude: • %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\15\Logs • %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\15\Data\ Applications SharePoint Server 2010 Exclude: • %ProgramFiles%\Microsoft Office Servers\14.0\Data • %ProgramFiles%\Microsoft Office Servers\14.0\Logs • %ProgramFiles%\Microsoft Office Servers\14.0\Bin • %ProgramFiles%\Microsoft Office Servers\14.0\Synchronization Service • Any location in which you decided to store the disk-based binary large object (BLOB) cache (for example, C:\Blobcache) Please use this link for more detailed information. SharePoint Foundation 2013 Exclude: • Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Logs • Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Data\ Applications • Drive:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files • Drive: \Users\ServiceAccount\AppData\Local\Temp\WebTempDir • Drive:\ProgramData\Microsoft\SharePoint • Drive:\Users\account that the search service is running as\AppData\Local\Temp • Drive:\WINDOWS\System32\LogFiles • Drive:\Windows\Syswow64\LogFiles • Drive:\Users\ServiceAccount\AppData\Local\Temp • Drive:\Users\Default\AppData\Local\Temp Please use this link for more detailed information. SharePoint Server 2013 Exclude: • %ProgramFiles%\Microsoft Office Servers\15.0\Data • %ProgramFiles%\Microsoft Office Servers\15.0\Logs • %ProgramFiles%\Microsoft Office Servers\15.0\Bin • %ProgramFiles%\Microsoft Office Servers\15.0\Synchronization Service • Any location in which you decided to store the disk-based binary large object (BLOB) cache (for example, C:\Blobcache). Please use this link for more detailed information. 19 KASPERSKY LAB SCAN EXCLUSIONS VIRTUALIZATION SOLUTIONS Hyper-V Servers Exclude: • Vmms.exe • Vmwp.exe • C:\ProgramData\Microsoft\Windows\Hyper-V • C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks • %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots • %systemdrive%\ClusterStorage Please use this link for more detailed information. MED-V Exclude: • *.VHD - These represent the Virtual Hard Disk Image files. These will appear on test workstations when test images are being used to finalize workspace policies. • *.VUD - These represent Virtual PC Undo Disk Files. These will appear on test workstations when test images are being used to finalize workspace policies. • *.VSV - These represent Virtual PC Saved State files. These will be on all MED-V clients running Workspaces. • *.CKM - This is the packed image format used by MED-V (Kidaro Compressed Machine.) These will be present on MED-V Servers, Image Distribution Servers, locally packed images on MED-V Administration workstations, and as pre-staged images on clients. • *.VMC - These represent the Base Virtual Machine Settings File. Will be found on all MED-V Clients and Test Workstations. • *.INDEX - These are index files used by the TrimTransfer Feature. These will be found on both clients and servers. • *.EVHD - These are the encrypted virtual hard disk files used on MED-V Clients running workspaces. Please use this link for more detailed information. App-V Windows Vista, Windows Server 2008 or later • %USERPROFILE%\AppData\Local\SoftGrid Client • %USERPROFILE%\AppData\Roaming\SoftGrid Client • %PROGRAMDATA%\Microsoft\Application Virtualization Client\SoftGrid Client Windows XP or Windows Server 2003 • %USERPROFILE%\Application Data\SoftGrid Client • %ALLUSERSPROFILE%\Application Data\Microsoft\Application Virtualization Client\ • %ALLUSERSPROFILE%\Documents\SoftGrid Client Please use this link for more detailed information. 20 KASPERSKY LAB SCAN EXCLUSIONS MICROSOFT SBS 2003 • %PROGRAMFILES%\Exchsrvr\Mailroot\vsi 1\PickUp • %PROGRAMFILES%\Exchsrvr\Mailroot\ • %PROGRAMFILES%\Microsoft Windows Small Business Server\\Networking\POP3\Failed Mail Please use this link for more detailed information. MICROSOFT EXCHANGE SERVERS Exchange 2003 Servers Exclude: • Databases and log files across all storage groups are located in Exchsrvr\Mdbdata. • MTA files are located in Exchsrvr\Mtadata. • Additional log files such as Exchsrvr\server_name.log directory. • Exchsrvr\Mailroot virtual server folder.Working folder used to store streaming .tmp files that are used for message conversion is located in • Exchsrvr\Mdbdata. • Temporary folder used in conjunction with offline maintenance utilities such as Eseutil.exe is located in folder where the .exe file is run from. • Site Replication Service files are located in Exchsrvr\Srsdata. • IIS system files are located in %SystemRoot%\System32\Inetsrv. • IIS 6.0 compression folder used with Outlook Web Access 2003 is located in %systemroot%\IIS Temporary • Compressed Files. • Quorum disk and %Winnt%\Cluster (for clusters). • Exchsrvr\Conndata. • Exchange-aware antivirus program folders. • Cdb.exe • Cidaemon.exe • Store.exe • Emsmta.exe • Mad.exe • Mssearch.exe • Inetinfo.exe • W3wp.exe Please use this link for more detailed information. Exchange 2007 Servers Mailbox server role including clustered mailbox server Exclude: • Databases, checkpoint files, log files and database content indexes located in subfolders under %Program Files%\Microsoft\Exchange Server\Mailbox. • General log files like message tracking log files are located in subfolders under %Program Files%\Microsoft\Exchange Server\TransportRoles\Logs and %Program Files%\Microsoft\ Exchange Server\Logging. 21 KASPERSKY LAB SCAN EXCLUSIONS • Offline Address Book files are located in subfolders under %Program Files%\Microsoft\ Exchange Server\ExchangeOAB. • IIS system files located in %SystemRoot%\System32\Inetsrv. • Temporary folder used in conjunction with offline maintenance utilities such as Eseutil.exe is located in the folder where the .exe file is run from. • Temporary folders used for conversions are located in server’s TMP folder, %Program Files%\Microsoft\Exchange Server\Working\OleConvertor and %Program Files%\Microsoft\ Exchange Server\Mailbox\MDBTEMP. • The quorum disk and the %Winnt%\Cluster. • Exchange-aware antivirus program folders. Hub Transport server role Exclude: • General log files are located in subfolders under %Program Files%\Microsoft\Exchange Server\TransportRoles\Logs. • Message folders are located in subfolders under %Program Files%\Microsoft\Exchange Server\TransportRoles. • Queue database, checkpoint and log files are located in %Program Files%\Microsoft\ Exchange Server\TransportRoles\Data\Queue. • Sender Reputation database, checkpoint and log files are located in %Program Files%\ Microsoft\Exchange Server\TransportRoles\Data\SenderReputation. • IP filter database, checkpoint and log files are located in %Program Files%\Microsoft\ Exchange Server\TransportRoles\Data\IpFilter. • Temporary folders used for conversions are located in server’s TMP folder and %Program Files%\Microsoft\Exchange Server\Working\OleConvertor. • Exchange-aware antivirus program folders. Edge Transport server role. Exclude: • Active Directory Application Mode (ADAM) database and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Adam. • General log files are located in subfolders under %Program Files%\Microsoft\Exchange Server\TransportRoles\Log • Message folders are located in %Program Files%\Microsoft\Exchange Server\ TransportRoles. • Queue database, checkpoint and log files are located in %Program Files%\Microsoft\ Exchange Server\TransportRoles\Data\Queue. • Sender Reputation database, checkpoint and log files are located in %Program Files%\ Microsoft\Exchange Server\TransportRoles\Data\SenderReputation. • IP filter database, checkpoint and log files are located in %Program Files%\Microsoft\ Exchange Server\TransportRoles\Data\IpFilter. • Temporary folders used for conversions are located in server’s TMP folder and %Program Files%\Microsoft\Exchange Server\Working\OleConvertor.Exchange-aware antivirus program folders. Client Access server role Exclude: • Internet Information Services (IIS) 6.0 compression folder used with Microsoft Outlook Web Access is located in %systemroot%\IIS Temporary Compressed Files. • IIS system files are located in %SystemRoot%\System32\Inetsrv. 22 KASPERSKY LAB SCAN EXCLUSIONS • Internet-related files are located in subfolders under %Program Files%\Microsoft\Exchange Server\ClientAccess. • Temporary folder used for conversions is located in server’s TMP folder. Unified Messaging server role Exclude: • Grammar files are located in subfolders under %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\grammars. • Voice prompts located in subfolders under %Program Files%\Microsoft\Exchange Server\ UnifiedMessaging\Prompts. • Voicemail files are located in %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\voicemail. • Bad voicemail files are located in %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\badvoicemail. • Cdb.exe • Cidaemon.exe • Cluster.exe • Dsamain.exe • Edgecredentialsvc.exe • Edgetransport.exe • Galgrammargenerator.exe • Inetinfo.exe • Mad.exe • Microsoft.Exchange.Antispamupdatesvc.exe • Microsoft.Exchange.Contentfilter.Wrapper.exe • Microsoft.Exchange.Cluster.Replayservice.exe • Microsoft.Exchange.Edgesyncsvc.exe • Microsoft.Exchange.Imap4.exe • Microsoft.Exchange.Imap4service.exe • Microsoft.Exchange.Infoworker.Assistants.exe • Microsoft.Exchange.Monitoring.exe • Microsoft.Exchange.Pop3.exe • Microsoft.Exchange.Pop3service.exe • Microsoft.Exchange.Search.Exsearch.exe • Microsoft.Exchange.Servicehost.exe • Msexchangeadtopologyservice.exe • Msexchangefds.exe • Msexchangemailboxassistants.exeMsexchangemailsubmission.exe • Msexchangetransport.exe • Msexchangetransportlogsearch.exe • Msftefd.exe • Msftesql.exe • Oleconverter.exe • Powershell.exe • Sesworker.exe • Speechservice.exe • Store.exe • Transcodingservice.exe • Umservice.exe • Umworkerprocess.exe • W3wp.exe 23 KASPERSKY LAB SCAN EXCLUSIONS Extension exclusions In addition to excluding specific directories and processes, you should exclude the following Exchange specific file name extensions in case directory exclusions fail or files are moved from their default locations. Application-related extensions: • .config • .dia • .wsb Database-related extensions: • .chk • .log • .edb • .jrs • .que Offline address book-related extensions: • .lzx Content Index-related extensions: • .ci • .dir • .wid • .000 • .001 • .002 Unified Messaging-related extensions: • .cfg • .grxml GroupMetrics: • .dsc • .bin • .xml Please use this link for more detailed information. Exchange 2010 Servers Mailbox server role including clustered mailbox server Exclude: • Databases, checkpoint files, log files and database content indexes located in subfolders under %ExchangeInstallPath%\Mailbox. • Group Metrics files are located in %ExchangeInstallPath%\GroupMetrics. • General log files like message tracking log files are located in subfolders under %ExchangeInstallPath%\TransportRoles\Logs and %ExchangeInstallPath%\Logging. • Offline Address Book files are located in subfolders under %ExchangeInstallPath%\ExchangeOAB. • IIS system files located in %SystemRoot%\System32\Inetsrv. 24 KASPERSKY LAB SCAN EXCLUSIONS • Temporary folder used in conjunction with offline maintenance utilities such as Eseutil.exe is located in the folder where the .exe file is run from. • Mailbox database temporary folder is located in %ExchangeInstallPath%\Mailbox\MDBTEMP. • The quorum disk and the %Winnt%\Cluster. • Exchange-aware antivirus program folders. Hub Transport server role Exclude: • General log files are located in subfolders under %ExchangeInstallPath%\TransportRoles\ Logs. • Pickup and Replay message directory folders are located in %ExchangeInstallPath%\TransportRoles. • Queue database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\Queue. • Sender Reputation database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\SenderReputation. • IP filter database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\IpFilter. • Temporary folders used for conversions are located in server’s TMP folder and %ExchangeInstallPath%\Working\OleConvertor. • Exchange-aware antivirus program folders. Edge Transport server role Exclude: • Active Directory Application Mode (ADAM) database and log files are located in %ExchangeInstallPath%\TransportRoles\Data\Adam. • General log files are located in subfolders under %ExchangeInstallPath%\TransportRoles\ Logs.Pickup and Replay message folders are located in %ExchangeInstallPath%\TransportRoles. • Queue database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\Queue. • Sender Reputation database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\SenderReputation. • IP filter database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\IpFilter. • Temporary folders used for conversions are located in server’s TMP folder and %ExchangeInstallPath%\Working\OleConvertor. • Exchange-aware antivirus program folders. Client Access server role Exclude: • Internet Information Services (IIS) 7.0 compression folder used with Microsoft Outlook Web App is located in %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files. • Internet Information Services (IIS) 7.0 compression folder used with Microsoft Outlook Web App is located in %systemroot%\IIS Temporary Compressed Files. • IIS system files are located in %SystemRoot%\System32\Inetsrv. • Inetpub\logs\logfiles\w3svc. • Internet-related files are located in subfolders under %ExchangeInstallPath%\ClientAccess. • For servers that have protocol logging enabled for POP3 or IMAP4: %ExchangeInstall- 25 KASPERSKY LAB SCAN EXCLUSIONS Path%\Logging\POP3 and %ExchangeInstallPath%\Logging\IMAP4. • Temporary folder used for conversions is located in server’s TMP folder and %ExchangeInstallPath%\Working\OleConvertor. Unified Messaging server role Exclude: • Grammar files are located in subfolders under %ExchangeInstallPath%\UnifiedMessaging\ grammars. • Voice prompts, greetings and informational message files are located in subfolders under %ExchangeInstallPath%\UnifiedMessaging\Prompts. • Voicemail files are located in %ExchangeInstallPath%\UnifiedMessaging\voicemail. • Temporary files generated by Unified Messaging are located in %ExchangeInstallPath%\ UnifiedMessaging\temp. • Cdb.exe • Cidaemon.exe • Cluster.exeDsamain.exe • EdgeCredentialSvc.exe • EdgeTransport.exe • ExFBA.exe • GalGrammarGenerator.exe • Inetinfo.exe • Mad.exe • Microsoft.Exchange.AddressBook.Service.exe • Microsoft.Exchange.AntispamUpdateSvc.exe • Microsoft.Exchange.ContentFilter.Wrapper.exe • Microsoft.Exchange.EdgeSyncSvc.exe • Microsoft.Exchange.Imap4.exe • Microsoft.Exchange.Imap4service.exe • Microsoft.Exchange.Infoworker.Assistants.exe • Microsoft.Exchange.Monitoring.exe • Microsoft.Exchange.Pop3.exe • Microsoft.Exchange.Pop3service.exe • Microsoft.Exchange.ProtectedServiceHost.exe • Microsoft.Exchange.RPCClientAccess.Service.exe • Microsoft.Exchange.Search.Exsearch.exe • Microsoft.Exchange.Servicehost.exe • MSExchangeASTopologyService.exe • MSExchangeFDS.exe • MSExchangeMailboxAssistants.exe • MSExchangeMailboxReplication.exe • MSExchangeMailSubmission.exe • MSExchangeRepl.exe • MSExchangeTransport.exe • MSExchangeTransportLogSearch.exe • MSExchangeThrottling.exe • Msftefd.exe • Msftesql.exe • OleConverter.exe • Powershell.exe • SESWorker.exe 26 KASPERSKY LAB SCAN EXCLUSIONS • SpeechService.exe • Store.exe • TranscodingService.exe • UmService.exe • UmWorkerProcess.exe • W3wp.exe Extension exclusions In addition to excluding specific directories and processes, you should exclude the following Exchange specific file name extensions in case directory exclusions fail or files are moved from their default locations. Application-related extensions: • .config • .dia • .wsb Database-related extensions: • .chk.log • .edb • .jrs • .que Offline address book-related extensions: • .lzx Content Index-related extensions: • .ci • .dir • .wid • .000 • .001 • .002 Unified Messaging-related extensions: • .cfg • .grxml GroupMetrics: • .dsc • .bin • .xml Exchange 2016 Servers Folder Exclusions • %SystemRoot%\Cluster • %SystemDrive%\DAGFileShareWitnesses\<DAGFQDN> • %ExchangeInstallPath%ClientAccess\OAB • %ExchangeInstallPath%FIP-FS • %ExchangeInstallPath%GroupMetrics 27 KASPERSKY LAB SCAN EXCLUSIONS • %ExchangeInstallPath%Logging • %ExchangeInstallPath%Mailbox • %ExchangeInstallPath%TransportRoles\Data\Adam • %ExchangeInstallPath%TransportRoles\Data\IpFilter • %ExchangeInstallPath%TransportRoles\Data\Queue • %ExchangeInstallPath%TransportRoles\Data\SenderReputation • %ExchangeInstallPath%TransportRoles\Data\Temp • %ExchangeInstallPath%TransportRoles\Logs • %ExchangeInstallPath%TransportRoles\Pickup • %ExchangeInstallPath%TransportRoles\Replay • %ExchangeInstallPath%UnifiedMessaging\Grammars • %ExchangeInstallPath%UnifiedMessaging\Prompts • %ExchangeInstallPath%UnifiedMessaging\Temp • %ExchangeInstallPath%UnifiedMessaging\Voicemail • %ExchangeInstallPath%Working\OleConverter • %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files • %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files • %SystemRoot%\System32\Inetsrv Process exclusions • ComplianceAuditService.exe - %ExchangeInstallPath%Bin • Dsamain.exe - %SystemRoot%\System32 • EdgeTransport.exe - %ExchangeInstallPath%Bin • fms.exe - %ExchangeInstallPath%FIP-FS\Bin • hostcontrollerservice.exe - %ExchangeInstallPath%Bin\Search\Ceres\HostController • inetinfo.exe - %SystemRoot%\System32\inetsrv • Microsoft.Exchange.AntispamUpdateSvc.exe - %ExchangeInstallPath%Bin • Microsoft.Exchange.ContentFilter.Wrapper.exe - %ExchangeInstallPath%TransportRoles\ agents\Hygiene • Microsoft.Exchange.Diagnostics.Service.exe - %ExchangeInstallPath%Bin • Microsoft.Exchange.Directory.TopologyService.exe - %ExchangeInstallPath%Bin • Microsoft.Exchange.EdgeCredentialSvc.exe - %ExchangeInstallPath%Bin • Microsoft.Exchange.EdgeSyncSvc.exe - %ExchangeInstallPath%Bin • Microsoft.Exchange.Imap4.exe - ExchangeInstallPath%FrontEnd\PopImap • Microsoft.Exchange.Imap4service.exe - %ExchangeInstallPath%ClientAccess\PopImap • Microsoft.Exchange.Notifications.Broker.exe - %ExchangeInstallPath%Bin • Microsoft.Exchange.Pop3.exe - %ExchangeInstallPath%FrontEnd\PopImap • Microsoft.Exchange.Pop3service.exe - %ExchangeInstallPath%ClientAccess\PopImap • Microsoft.Exchange.ProtectedServiceHost.exe - %ExchangeInstallPath%Bin • Microsoft.Exchange.RPCClientAccess.Service.exe - %ExchangeInstallPath%Bin • Microsoft.Exchange.Search.Service.exe- %ExchangeInstallPath%Bin • Microsoft.Exchange.Servicehost.exe - %ExchangeInstallPath%Bin • Microsoft.Exchange.Store.Service.exe - %ExchangeInstallPath%Bin • Microsoft.Exchange.Store.Worker.exe - %ExchangeInstallPath%Bin • Microsoft.Exchange.UM.CallRouter.exe - %ExchangeInstallPath%FrontEnd\CallRouter • MSExchangeCompliance.exe - %ExchangeInstallPath%Bin • MSExchangeDagMgmt.exe - %ExchangeInstallPath%Bin • MSExchangeDelivery.exe - %ExchangeInstallPath%Bin • MSExchangeFrontendTransport.exe - %ExchangeInstallPath%Bin • MSExchangeHMHost.exe - %ExchangeInstallPath%Bin 28 KASPERSKY LAB SCAN EXCLUSIONS • MSExchangeHMWorker.exe - %ExchangeInstallPath%Bin • MSExchangeMailboxAssistants.exe - %ExchangeInstallPath%Bin • MSExchangeMailboxReplication.exe - %ExchangeInstallPath%Bin • MSExchangeRepl.exe - %ExchangeInstallPath%Bin • MSExchangeSubmission.exe - %ExchangeInstallPath%Bin • MSExchangeTransport.exe - %ExchangeInstallPath%Bin • MSExchangeTransportLogSearch.exe - %ExchangeInstallPath%Bin • MSExchangeThrottling.exe - %ExchangeInstallPath%Bin • Noderunner.exe - %ExchangeInstallPath%Bin\Search\Ceres\Runtime\1.0 • OleConverter.exe - %ExchangeInstallPath%Bin • ParserServer.exe - %ExchangeInstallPath%Bin\Search\Ceres\ParserServer • Powershell.exe - C:\Windows\System32\WindowsPowerShell\v1.0 • ScanEngineTest.exe - %ExchangeInstallPath%FIP-FS\Bin • ScanningProcess.exe - %ExchangeInstallPath%FIP-FS\Bin • UmService.exe - %ExchangeInstallPath%Bin • UmWorkerProcess.exe - %ExchangeInstallPath%Bin • UpdateService.exe - %ExchangeInstallPath%FIP-FS\Bin • W3wp.exe - %SystemRoot%\System32\inetsrv • wsbexchange.exe - %ExchangeInstallPath%Bin Extension exclusions • .config • .chk • .edb • .jfm • .jrs • .log • .que • .dsc • .txt • .cfg • .grxml • .lzx Please use this link for more detailed information. Exclusion overview Exchange server 2013 \ 2010 SP3 \ 2010 SP2\ 2007 – SP1 - SP2 - SP3 • %ProgramFiles%\Microsoft\Exchange Server\Mailbox • %ProgramFiles%\Microsoft\Exchange Server\GroupMetrics • %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logs • %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logging • %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\OAB • %ProgramFiles%\Microsoft\Exchange Server\ExchangeOAB • %SystemRoot%\System32\Inetsrv • %ProgramFiles%\Microsoft\Exchange Server\Mailbox\MDBTEMP • %Windir%\Cluster • %SystemDrive%\DAGFileShareWitnesses\ • %ProgramFiles%\Microsoft\Exchange Server\Logs • %ProgramFiles%\Microsoft\Exchange Server\Logging • %ProgramFiles%\Microsoft\Exchange Server\TransportRoles 29 KASPERSKY LAB SCAN EXCLUSIONS • %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\Queue • %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation • %ProgramFiles%\Microsoft\Exchange Server\Working\OleConverter • %ProgramFiles%\Microsoft\Exchange Server\FIP-FS • %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logs\Mailbox • %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\Adam • %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter • %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\grammars • %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\Prompts • %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\voicemail • %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\badvoicemail • %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\temp • %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files • %systemroot%\IIS Temporary Compressed Files • %SystemRoot%\System32\Inetsrv • %SystemDrive%\Inetpub\logs\logfiles\w3svc • %ProgramFiles%\Microsoft\Exchange Server\ClientAccess • %ProgramFiles%\Microsoft\Exchange Server\Logging\POP3 • %ProgramFiles%\Microsoft\Exchange Server\Logging\IMAP4” • %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logs\FrontEnd • %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\ • %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data\Archive • %ProgramFiles%\Microsoft ForeFront Security\Exchange Server\Data\Archive • %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data\Quarantine • %ProgramFiles%\Microsoft Forefront Protection for Exchange Server\Data\Quarantine • %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data\Engines\ x86 • %ProgramFiles%\Microsoft ForeFront Security\Exchange Server\Data\Engines\x86 • %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data\Engines\ amd64 • %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data • %ProgramFiles%\Microsoft Forefront Protection for Exchange Server\Data • %ProgramFiles%\Microsoft\Exchange Server\Mdbdata • %ProgramFiles%\Microsoft\Exchange Server\Mtadata • %ProgramFiles%\Microsoft\Exchange Server\Mailroot • %ProgramFiles%\Microsoft\Exchange Server\Srsdata • %ProgramFiles%\Microsoft\Exchange Server\Conndata • %ProgramFiles%\Microsoft\Exchange Server\IMCData Please use this link for more detailed information. 30 KASPERSKY LAB SCAN EXCLUSIONS LYNC SERVER 2010 Processes: • ASMCUSvc.exe • AVMCUSvc.exe • DataMCUSvc.exe • DataProxy.exe • FileTransferAgent.exe • IMMCUSvc.exe • MasterReplicatorAgent.exe • MediaRelaySvc.exe • MediationServerSvc.exe • MeetingMCUSvc.exe • MRASSvc.exe • OcsAppServerHost.exe • QmsSvc.exe • ReplicaReplicatorAgent.exe • RTCArch.exe • RtcCdr.exe • RTCSrv.exe IIS processes: • %systemroot%\system32\inetsrv\w3wp.exe • %systemroot%\SysWOW64\inetsrv\w3wp.exe SQL Server processes: • %ProgramFiles%\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\SQLServr. exe • %ProgramFiles%\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe • %ProgramFiles%\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe Directories and files: Lync 2010 • %systemroot%\System32\LogFiles • %systemroot%\SysWow64\LogFiles • %systemroot%\Windows\Assembly\GAC_MSIL • %programfiles%\Microsoft Lync Server 2010 • %programfiles%\commonfiles\Microsoft Lync Server 2010 • %SystemDrive%\RtcReplicaRoot • File share store (specified in Topology Builder). File stores are specified in Topology Builder. • SQL Server data and log files, including those for the back-end database, user store, archiving store, monitoring store, and application store. Database and log files can be specified in Topology Builder. Directories and files: Lync 2013 • %systemroot%\System32\LogFiles • %systemroot%\SysWow64\LogFiles • %systemroot%\Windows\Microsoft.NET\assembly\GAC_MSIL • %programfiles%\Microsoft Lync Server 2013 31 KASPERSKY LAB SCAN EXCLUSIONS • %systemroot%\Program Files\Common Files\Microsoft Lync Server 2013\Watcher Node • %programfiles%\commonfiles\Microsoft Lync Server 2013 • %SystemDrive%\RtcReplicaRoot Please use this link for more detailed information. DATA PROTECTION MANAGER • \XSD • \Temp\MTA • Dpmra.exe • Csc.exe Please use this link for more detailed information. DYNAMICS AX 2009 For versions up to AX 2009 exclude: • All the AOD, AOI, ADD, ADI, KHD & KHI files, or • alternatively, the whole application folder Please use this link for more detailed information. BIZTALK 2004 SERVERS • Exclude any file receive queue folders. • EntSSO.exe, MSDTC.exe, BTSNTSvc.exe, BTSNTSvc64.exe, SQLServr.exe, but also others as IIS, Customer WCF services, MSMQ, Rule Engine, SQL Agent, SSIS, SSNS and other applications used in integration scenarios. Please use this link for more detailed information. DYNAMICS CRM Microsoft Dynamics CRM servers • %SystemDrive%\inetpub\temp\IIS Temporary Compressed File • %systemroot%\system32\inetsrv • %windir%\SecurityDatabase\*.edbo • %windir%\SecurityDatabase\*.sdbo • %windir%\SecurityDatabase\*.logo • %windir%\SecurityDatabase\*.chko • %windir%\SecurityDatabase\*.jrs 32 KASPERSKY LAB SCAN EXCLUSIONS Microsoft CRM Email Service • %Program Files%\Microsoft CRM EmailService\Microsoft.crm.tools.email.management.exe • %Program Files%\Microsoft CRM EmailService\Microsoft.crm.tools.emailagent.exe • %Program Files%\Microsoft CRM EmailService\Microsoft.crm.tools.emailproviders.dll • %Program Files%\Microsoft CRM EmailService\Microsoft.Exchange.WebServices.dll • %Program Files%\Microsoft CRM EmailService\Microsoft.Crm.Passport.IdCrl.dll • %Program Files%\Microsoft CRM EmailService\Microsoft.Crm.Tools.EmailAgent.Configuration.bin • %Program Files%\Microsoft CRM EmailService\Microsoft.Crm.Tools.EmailAgent.xml • %Program Files%\Microsoft CRM EmailService\Microsoft.Crm.Tools.EmailAgent.SystemState.xml MICROSOFT OFFICE COMMUNICATIONS SERVER • %ProgramFiles%\Microsoft Office Communications Server 2007 • %ProgramFiles%\Microsoft Office Communications Server 2007 R2 SKYPE FOR BUSINESS SERVER 2015 Exclude processes: • ABServer.exe • AcpMcuSvc.exe • ASMCUSvc.exe • AVMCUSvc.exe • ChannelService.exe • ClsAgent.exe • ComplianceService.exe • DataMCUSvc.exe • DataProxy.exe • FileTransferAgent.exe • HealthAgent.exe • IMMCUSvc.exe • LysSvc.exe • MasterReplicatorAgent.exe • MediaRelaySvc.exe • MediationServerSvc.exe • MRASSvc.exe • OcsAppServerHost.exe • ReplicaReplicatorAgent.exe • ReplicationApp.exe • RtcHost.exe • RTCSrv.exe • XmppProxy.exe • XmppTGW.exe • Windows Fabric Host Service processes: • Fabric.exe • FabricDCA.exe • FabricHost.exe 33 KASPERSKY LAB SCAN EXCLUSIONS IIS processes: • %systemroot%\system32\inetsrv\w3wp.exe • %systemroot%\SysWOW64\inetsrv\w3wp.exe SQL Server Back-End processes: • %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\SQLServr. exe • %ProgramFiles%\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe • %ProgramFiles%\Microsoft SQL Server\MSAS11.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe SQL Server Front-End processes: • %ProgramFiles%\Microsoft SQL Server\MSSQL12.LYNCLOCAL\MSSQL\Binn\SQLServr.exe • %ProgramFiles%\Microsoft SQL Server\MSSQL12.RTCLOCAL\MSSQL\Binn\SQLServr.exe • Standard Edition Installation RTC Instance • %ProgramFiles%\Microsoft SQL Server\MSSQL12.RTC\MSSQL\Binn\SQLServr.exe Directories and files: • %systemroot%\System32\LogFiles • %systemroot%\SysWow64\LogFiles • %systemroot%\Microsoft.NET\assembly\GAC_MSIL • %programfiles%\Skype for Business Server 2015 • %programfiles%\Common Files\Skype for Business Server 2015\Watcher Node • %programfiles%\Common Files\Skype for Business Server 2015 • %programfiles%\Common Files\Skype for Business Online • %SystemDrive%\RtcReplicaRoot TEAM FOUNDATION SERVER 2010/2012/2013: • C:\Windows\System32\inetsrv\w3wp.exe • %ProgramFiles%\Microsoft Team Foundation Server 12.0\Application Tier\Web Services\ bin HOW TO ADD EXCLUSIONS IN KES 10 FOR WINDOWS The first way to create a default exclusion which includes many of the default Windows Workstation / Server lists list is during policy creation. 34 KASPERSKY LAB SCAN EXCLUSIONS During creation, the two checkboxes to create default rules will need to be checked. Examples of auto-generated rules: 35 KASPERSKY LAB SCAN EXCLUSIONS Alternatively, specific exclusions can be created after the policy has been created in the General Protection Settings area of the policy. 36 KASPERSKY LAB SCAN EXCLUSIONS HOW TO ADD EXCLUSIONS IN KAV 8.0 FOR WINDOWS SERVERS EE Please note that many of the exclusions mentioned above are prepopulated due to this product being specifically targeted at Server environment. Review these default exclusions will be necessary if there has been customization in your environment, specifically looking for nondefault installation paths and updating as needed will ensure proper exclusion. The exclusion rules can be found in the Advanced area of the policy under Trusted Zone -> Settings. 37 KASPERSKY LAB SCAN EXCLUSIONS AO Kaspersky Lab 500 Unicorn Park, 3rd Floor Woburn, MA 01801 USA Tel: 866-563-3099 | Email: [email protected] To learn more visit us at: usa.kaspersky.com © 2016 AO Kaspersky Lab. All rights reserved. Registered trademarks and service marks are the property of their respective owners.