KASPERSKY LAB
SCAN EXCLUSIONS
usa.kaspersky.com
TABLE OF CONTENTS
KASPERSKY LAB SCAN EXCLUSIONS BY APPLICATION
GENERAL EXCLUSIONS FOR MICROSOFT WINDOWS 2008 R2, WINDOWS 2008, WINDOWS 2003 R2, WINDOWS 2003, WINDOWS 2000, WINDOWS 7, WINDOWS VISTA AND WINDOWS XP
• Windows Updates or Automatic Updates related files (database)
• Windows Updates or Automatic Updates related files (logs)
• Windows Security files
• Group Policy related files.
• Print Spooler
• Paging file
• MSMQ
DOMAIN CONTROLLERS ON MICROSOFT WINDOWS 2008 R2, WINDOWS 2008, WINDOWS 2003 R2, WINDOWS 2003, WINDOWS 2000
• Active Directory related files (NTDS database).
• Active Directory related files (transaction logs).
• Active Directory related files (NTDS working directory).
• Sysvol files (FRS working directory)
• Sysvol files (FRS database logs)
• Sysvol files (staging files).
• Sysvol subfolder.
• Sysvol files (FRS preinstall directory).
• DFS files (database, logs and working folders)
DHCP SERVERS
DNS SERVERS
WINS SERVERS
IIS SERVERS 6.0/7.0
WSUS SERVERS
SERVER CLUSTERS
SQL SERVERS
• Common Exclusions
• SQL Server 2005
• SQL Server 2008
• SQL Server 2008 R2
• SQL Server 2012
ISA AND FOREFRONT SERVERS
• ISA 2000
• ISA 2004/2006 SE/EE
• IAG 2007
• TMG MBE
• TMG 2010.
• UAG 2010.
SYSTEM CENTER PRODUCTS AND THEIR PREDECESSORS
• SMS 2003.
• Logs.
• SCCM 2012
• SCCM 2007.
• SCDPM 2007.
• SCOM 2007/2012 and MOM 2005.
• SMS_CCM\ServiceData
• The transaction log files
• SMS – inboxes directory.
SHAREPOINT SERVERS & SERVICES
• SharePoint Service 3.0.
• SharePoint Portal Server 2001/2003.
• SharePoint Server 2007.
• SharePoint Foundation 2010
• SharePoint Foundation 2013
• SharePoint Server 2010
• SharePoint Foundation 2013
• SharePoint Server 2013
VIRTUALIZATION SOLUTIONS
• Hyper-V Servers
• MED-V
• App-V
MICROSOFT SBS 2003
MICROSOFT EXCHANGE SERVERS
• Exchange 2003 Servers
• Exchange 2007 Servers
• Exchange 2010 Servers
• Exchange 2016 Servers
LYNC SERVER 2010
DATA PROTECTION MANAGER
DYNAMICS AX 2009
BIZTALK 2004 SERVERS
DYNAMICS CRM
MICROSOFT OFFICE COMMUNICATIONS SERVER
SKYPE FOR BUSINESS SERVER 2015
TEAM FOUNDATION SERVER 2010/2012/2013:
HOW TO ADD EXCLUSIONS IN KES 10 FOR WINDOWS
HOW TO ADD EXCLUSIONS IN KAV 8.0 FOR WINDOWS SERVERS EE
KASPERSKY LAB SCAN EXCLUSIONS BY APPLICATION
One of the first steps in the implementation of antivirus protection is creation of antivirus
policies. On a product by product basis, software vendors generally provide information
as to what files, folders, processes and file extensions should be excluded from scanning
by an antivirus product. It’s not a strict requirement but it is generally done to improve
performance of a system and/or increase system stability. In the end, it becomes a
determination of stability / performance versus security and should be handled on a case by
case basis given a specific product.
This article describes exclusions provided by Microsoft for its products specifically for:
• Kaspersky Endpoint Security 10 for Windows
• Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition
Transport level or product aware scanners like Kaspersky Anti-Virus for Microsoft ISA Server
and Kaspersky Security for Microsoft Exchange Server are out of scope of this document. In
addition, non-Windows based clients / servers are out of scope. In some cases, additional
configuration, such as disabling the firewall component of the antivirus software, is required
for optimal operation of a server; however, agent configuration beyond exclusions is out of
scope.
Many of these items are also included in the default exclusion list available in KES 10 &
WSEE 8.0; however, additional configuration may be required on a case-by-case basis. We
have also included citations for the specific Microsoft sites that discuss the exclusion in
each section. Below, all recommendations are given for default paths. If you use non-default
locations, you should adjust these settings. All settings should be applied temporarily
at first to evaluate a system.
GENERAL EXCLUSIONS FOR MICROSOFT WINDOWS 2008 R2, WINDOWS 2008, WINDOWS 2003 R2, WINDOWS 2003, WINDOWS 2000, WINDOWS 7, WINDOWS VISTA AND WINDOWS XP
Windows Updates or Automatic Updates related files (database)
Exclusion:
• %windir%\SoftwareDistribution\Datastore\Datastore.edb
Windows Updates or Automatic Updates related files (logs)
Exclusion:
• %windir%\SoftwareDistribution\Datastore\Logs\Res*.log
• %windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs
• %windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
• %windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb
Windows Security files
Scanning of these files may prevent security policy from being applied.
Exclusion:
• %windir%\Security\Database\*.edb
• %windir%\Security\Database\*.sdb
• %windir%\Security\Database\*.log
• %windir%\Security\Database\*.chk
• %windir%\Security\Database\*.jrs
Group Policy related files.
Exclusion:
• %allusersprofile%\NTUser.pol
• %Systemroot%\System32\GroupPolicy\Registry.pol
Print Spooler
Service which manages print queues and controls printing jobs
Exclusion:
• spoolsv.exe
Paging file
An important part of virtual memory implementation
Exclusion:
• pagefile.sys
• %Systemdrive%\pagefile.sys
MSMQ
A messaging protocol that allows applications running on separate servers to communicate in
a failsafe manner
Exclusion:
• %SystemRoot%\system32\MSMQ\
• %SystemRoot%\system32\MSMQ\storage
Please use this link for more detailed information.
DOMAIN CONTROLLERS ON MICROSOFT WINDOWS 2008 R2, WINDOWS 2008, WINDOWS 2003 R2, WINDOWS 2003, WINDOWS 2000
Active Directory related files (NTDS database).
Exclusion:
• %windir%\Ntds\Ntds.dit
• %windir%\Ntds\Ntds.pat
A non-default path can be found here:
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
Active Directory related files (transaction logs).
Exclusion:
• %windir%\Ntds\EDB*.log
• %windir%\Ntds\Res*.log
• %windir%\Ntds\Res*.jrs
• %windir%\Ntds\Ntds.pat
• %windir%\Ntds
A non-default path can be found here:
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
Active Directory related files (NTDS working directory).
Exclusion:
• %windir%\Ntds\Temp.edb
• %windir%\Ntds\Edb.chk
A non-default path can be found here:
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
Sysvol files (FRS working directory)
System volume is a shared folder that stores public files (elements of Group Policy, scripts,
etc) distributed to other domain controllers via File Replication service.
Exclusion:
• %windir%\Ntfrs\edb.chk
• %windir%\Ntfrs\Ntfrs.jdb
• %windir%\Ntfrs\*.log
A non-default path can be found here:
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
Sysvol files (FRS database logs)
Located in %windir%\Ntfrs.
Exclusion:
• Eedb*.log (if the registry key is not set)
• FRS Working Dir\Jet\Log\Edb*.jrs (Windows 2008 and Windows 2008 R2)
A non-default path can be found here:
• HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory
Sysvol files (staging files).
Exclusion:
• %systemroot%\Sysvol\Staging areas\Nntfrs_cmp*.*
A non-default path can be found here:
• HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica\Set Stage
Sysvol subfolder.
Default location is %systemroot%\Sysvol\Sysvol.
Exclude the following files from this folder and all its subfolders:
• %systemroot%\Sysvol\Domain\*.adm
• %systemroot%\Sysvol\Domain\*.admx
• %systemroot%\Sysvol\Domain\*.adml
• %systemroot%\Sysvol\Domain\Registry.pol
• %systemroot%\Sysvol\Domain\*.aas
• %systemroot%\Sysvol\Domain\*.inf
• %systemroot%\Sysvol\Domain\Fdeploy.inf
• %systemroot%\Sysvol\Domain\Scripts.ini
• %systemroot%\Sysvol\Domain\*.ins
• %systemroot%\Sysvol\Domain\Oscfilter.ini
Sysvol files (FRS preinstall directory).
Exclusion:
• %windir%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
DFS files (database, logs and working folders)
Distributed File System technology offers WAN-friendly replication and simplified fault-tolerant access to geographically dispersed files.
Default location is %systemdrive%\System Volume Information\DFSR.
Exclude the following files from this folder and all its subfolders:
• $db_normal$
• FileIDTable_2
• SimilarityTable_2
• *.xml
• $db_dirty$
• Dfsr.db
• Fsr.chk
• *.log
• Fsr*.jrs
• Tmp.edb
Also, exclude the following replicated folder:
• %systemdrive%\<replicated folder>\dfsrprivate\staging\*.frx
A non-default path can be found here:
• HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File=Path >
Please use this link & this link for more detailed information.
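The registry lookups named in this section can be scripted so that exclusions follow the real data locations instead of the defaults. The PowerShell below is an added example, not part of the Kaspersky document; the helper name `Resolve-ExclusionPath` and the output columns are assumptions, while the registry values and file masks are the ones listed above for NTDS and FRS.

```powershell
# Added example (not from the original document). Run elevated on a domain
# controller. It reads the registry values named in this section and prints
# the exclusion paths that apply on this host.

# One entry per registry value: key, value name, whether the value holds a
# file path (its parent folder is used), the default folder given in this
# document, and the file masks this document lists for that location.
$locations = @(
    [pscustomobject]@{
        Key     = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
        Value   = 'DSA Database File'
        IsFile  = $true
        Default = "$env:windir\Ntds"
        Masks   = 'Ntds.dit', 'Ntds.pat'
    }
    [pscustomobject]@{
        Key     = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
        Value   = 'DSA Working Directory'
        IsFile  = $false
        Default = "$env:windir\Ntds"
        Masks   = 'EDB*.log', 'Res*.log', 'Res*.jrs', 'Temp.edb', 'Edb.chk'
    }
    [pscustomobject]@{
        Key     = 'HKLM:\System\CurrentControlSet\Services\NtFrs\Parameters'
        Value   = 'Working Directory'
        IsFile  = $false
        Default = "$env:windir\Ntfrs"
        Masks   = 'edb.chk', 'Ntfrs.jdb', '*.log'
    }
)

function Resolve-ExclusionPath {   # hypothetical helper name
    param([Parameter(Mandatory)] $Location)

    # Start from the documented default; override it if the registry value is set.
    $source = 'Default'
    $folder = $Location.Default
    $item = Get-ItemProperty -Path $Location.Key -Name $Location.Value `
                             -ErrorAction SilentlyContinue
    if ($item -and $item.($Location.Value)) {
        $raw = [Environment]::ExpandEnvironmentVariables($item.($Location.Value))
        $folder = if ($Location.IsFile) { Split-Path -Path $raw -Parent } else { $raw }
        $source = 'Registry'
    }

    $folderExists = Test-Path -LiteralPath $folder -PathType Container
    foreach ($mask in $Location.Masks) {
        $path = '{0}\{1}' -f $folder.TrimEnd('\'), $mask
        # Count files currently matching the mask, so masks that match nothing
        # (role not installed, or data moved elsewhere) are visible.
        $count = 0
        if ($folderExists) {
            $count = @(Get-ChildItem -Path $path -File -Force `
                                     -ErrorAction SilentlyContinue).Count
        }
        [pscustomobject]@{
            Exclusion    = $path
            Source       = $source
            FolderExists = $folderExists
            MatchesNow   = $count
        }
    }
}

$locations |
    ForEach-Object { Resolve-ExclusionPath -Location $_ } |
    Sort-Object Exclusion -Unique |
    Format-Table -AutoSize
```

Rows with `FolderExists` set to `False` indicate that the role or location is not present on the host, so the corresponding exclusion has nothing to apply to there.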
DHCP SERVERS
By default DHCP related files are located in %systemroot%\System32\DHCP.
Exclude the following files from this folder and all its subfolders:
• *.mdb
• *.pat
• *.log
• *.chk
• *.edb
Excluding files from all DHCP Dir subfolders:
• <DHCP folder>\*\*.mdb
• <DHCP folder>\*\*.pat
• <DHCP folder>\*\*.log
• <DHCP folder>\*\*.chk
• <DHCP folder>\*\*.edb
A non-default path can be found here:
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
Please use this link for more detailed information.
DNS SERVERS
By default DNS related files are located in %systemroot%\System32\Dns.
Exclude the following files from this folder and all its subfolders:
• *.log
• *.dns
• BOOT
Please use this link for more detailed information.
WINS SERVERS
By default WINS related files are located in %systemroot%\System32\Wins.
Exclude the following files from this folder and all its subfolders:
• %systemroot%\System32\Wins\*.chk
• %systemroot%\System32\Wins\*.log
• %systemroot%\System32\Wins\*.mdb
Please use this link for more detailed information.
IIS SERVERS 6.0/7.0
Exclude:
• %systemroot%\IIS Temporary Compressed Files (IIS 6.0)
• %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files (IIS 7.0)
• %systemroot%\system32\inetsrv
Please use this link for more detailed information.
WSUS SERVERS
Exclude:
• Wsusscan.cab
• Wsusscn2.cab
• %SystemDrive%\WSUS\WSUSContent
• %SystemDrive%\WSUS\UpdateServicesDBFiles
• %SystemRoot%\SoftwareDistribution\Datastore
Please use this link and link for more detailed information.
SERVER CLUSTERS
Exclude:
• Q:\ (Quorum drive) - The path of the \mscs folder on the quorum hard disk. For example,
exclude the Q:\mscs folder from virus scanning.
• C:\Windows\Cluster - The %Systemroot%\Cluster folder.
• The temp folder for the Cluster Service account. For example, exclude the
\clusterserviceaccount\Local Settings\Temp folder from virus scanning.
Please use this link for more detailed information.
SQL SERVERS
Common Exclusions
Exclude data files:
• *.mdf
• *.ndf
Exclude logs:
• *.ldf
Exclude backup files:
• *.bak
• *.trn
Exclude SQL Audit Files
• *.sqlaudit
Exclude SQL Trace Files
• *.trc
Exclude full-text catalog files:
“FTData” folders
• Default instance: Program Files\Microsoft SQL Server\MSSQL\FTDATA
• Named instance: Program Files\Microsoft SQL Server\MSSQL$instancename\FTDATA
Exclude Analysis Services data:
• %ProgramFiles%\Microsoft SQL Server\MSSQL.X\OLAP\data
Exclude Analysis Services backup files:
• %ProgramFiles%\Microsoft SQL Server\MSSQL.X\OLAP\Backup
Exclude Analysis Services logs:
• %ProgramFiles%\Microsoft SQL Server\MSSQL.X\OLAP\Log
SQL Server 2005
• %ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe
SQL Server 2008
• %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\MSSQL\Binn\SQLServr.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\OLAP\Bin\MSMDSrv.exe
SQL Server 2008 R2
• %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\MSSQL\Binn\SQLServr.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\OLAP\Bin\MSMDSrv.exe
SQL Server 2012
• %ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr.exe
• %ProgramFiles%\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
• %ProgramFiles%\Microsoft SQL Server\MSAS11.<Instance Name>\OLAP\Bin\MSMDSrv.exe
Exclusion overview SQL Server 2012 \ 2008 \ 2008 R2\ 2005 \ 2000
• “%ProgramFiles%\Microsoft SQL Server\MSSQL.?\*\Data\*.mdf
• %ProgramFiles%\Microsoft SQL Server\MSSQL.?\*\Data\*.ldf
• %ProgramFiles%\Microsoft SQL Server\MSSQL.?\*\Data\*.ndf”
• “%ProgramFiles%\Microsoft SQL Server\MSSQL.?\*\Backup\*.bak
• %ProgramFiles%\Microsoft SQL Server\MSSQL.?\*\Backup\*.trn”
• %ProgramFiles%\Microsoft SQL Server\MSSQL\FTDATA
• %ProgramFiles%\Microsoft SQL Server\MSSQL$instancename\FTDATA
• %ProgramFiles%\Microsoft SQL Server\MSSQL.?\OLAP\Data
• %ProgramFiles%\Microsoft SQL Server\MSSQL.?\OLAP\Log
• %ProgramFiles%\Microsoft SQL Server\MSSQL.?\OLAP\Backup
• “%ProgramFiles%\Microsoft SQL Server\MSSQL\data\*.mdf
• %ProgramFiles%\Microsoft SQL Server\MSSQL\data\*.ldf
• %ProgramFiles%\Microsoft SQL Server\MSSQL\data\*.ndf”
• “%ProgramFiles%\Microsoft SQL Server\MSSQL\BACKUP\*.bak
• %ProgramFiles%\Microsoft SQL Server\MSSQL\BACKUP\*.trn”
Please use this link for more detailed information.
ISA AND FOREFRONT SERVERS
This section contains information about:
• Internet Security and Acceleration (ISA) Server 2000/2004/2006 Standard/Enterprise
Editions.
• Intelligent Application Gateway (IAG) 2007.
• Forefront Threat Management Gateway (TMG) Medium Business Edition.
• Forefront Threat Management Gateway (TMG) 2010.
• Forefront Unified Access Gateway (UAG) 2010.
General exclusions:
• Application’s working directory
• Logs
• Configuration storage
• Cache storage
• Application’s processes
• General folders and files mentioned in sections above
• ISA/Forefront-aware antivirus program folders.
ISA 2000
Exclude:
• %ProgramFiles%\Microsoft ISA Server
• %ProgramFiles%\Microsoft ISA Server\ISALogs
• ISA Server Web cache
• %ProgramFiles%\Microsoft ISA Server\dailysum.exe
• %ProgramFiles%\Microsoft ISA Server\repgen.exe
• %ProgramFiles%\Microsoft ISA Server\mspadmin.exe
• %ProgramFiles%\Microsoft ISA Server\w3prefch.exe
• %ProgramFiles%\Microsoft ISA Server\wspsrv.exe
ISA 2004/2006 SE/EE
Exclude:
• %ProgramFiles%\Microsoft ISA Server
• %ProgramFiles%\Microsoft SQL Server
• ISA Server Web cache
• %ProgramFiles%\Microsoft ISA Server\dailysum.exe
• %ProgramFiles%\Microsoft ISA Server\isastg.exe
• %ProgramFiles%\Microsoft ISA Server\mspadmin.exe
• %ProgramFiles%\Microsoft ISA Server\w3prefch.exe
• %ProgramFiles%\Microsoft ISA Server\wspsrv.exe
• %ProgramFiles%\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL$MSFW\sqlservr.exe
• %WinDir%\System32\dsamain.exe (Enterprise version only)
IAG 2007
Exclude:
• The same files which were excluded for IIS.
• The same files which were excluded for ISA 2006.
• c:\whale-com\e-gap\
• %WinDir%\System32\inetsrv\inetinfo.exe
• %WinDir%\System32\inetsrv\w3wp.exe
• %SystemDrive%\Whale-Com\e-Gap\common\bin\MonitorMgrCom.exe
• %SystemDrive%\Whale-Com\e-Gap\common\bin\SessionMgrCom.exe
• %SystemDrive%\Whale-Com\e-Gap\von\FileAccess\ShareAccess.exe
• %SystemDrive%\Whale-Com\e-Gap\common\bin\UserMgrCom.exe
• %SystemDrive%\Whale-Com\e-Gap\common\bin\whlerrsrvd.exe
• %SystemDrive%\Whale-Com\e-Gap\common\bin\whlios.exe
TMG MBE
Exclude:
• %ProgramFiles%\Microsoft ISA Server
• %ProgramFiles(x86)%\Microsoft SQL Server
• %SystemRoot%\Temp\ScanStorage
• %ProgramFiles(x86)%\Microsoft ISA Server\Logs
• TMG Web cache
• %SystemDrive%\InetPub
• %ProgramFiles(x86)%\Microsoft ISA Server\dailysum.exe
• %ProgramFiles(x86)%\Microsoft ISA Server\isarepgen.exe
• %ProgramFiles(x86)%\Microsoft ISA Server\isadlviewer.exe
• %ProgramFiles(x86)%\Microsoft ISA Server\isastg.exe
• %ProgramFiles(x86)%\Microsoft ISA Server\mspadmin.exe
• %ProgramFiles(x86)%\Microsoft ISA Server\wspsrv.exe
• %ProgramFiles(x86)%\Microsoft ISA Server\w3prefch.exe
• %ProgramFiles(x86)%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
• %ProgramFiles(x86)%\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
• %ProgramFiles(x86)%\Microsoft SQL Server\90\Shared\sqlwriter.exe
• %WinDir%\System32\dsamain.exe
• %WinDir%\System32\inetsrv\inetinfo.exe
• %WinDir%\System32\inetsrv\w3wp.exe
TMG 2010.
Exclude:
• %ProgramFiles%\Microsoft Forefront Threat Management Gateway
• %ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS
• %ProgramFiles%\Microsoft SQL Server\MSSQL10.MSFW
• %SystemRoot%\Temp\ScanStorage
• %ProgramFiles%\Microsoft Forefront Threat Management Gateway\Logs\Web cache
• TMG Web cache
• %ProgramFiles%\Microsoft Forefront Threat Management Gateway\dailysum.exe
• %ProgramFiles%\Microsoft Forefront Threat Management Gateway\isarepgen.exe
• %ProgramFiles%\Microsoft Forefront Threat Management Gateway\isadlviewer.exe
• %ProgramFiles%\Microsoft Forefront Threat Management Gateway\IsaManagedCtrl.exe
• %ProgramFiles%\Microsoft Forefront Threat Management Gateway\isastg.exe
• %ProgramFiles%\Microsoft Forefront Threat Management Gateway\mspadmin.exe
• %ProgramFiles%\Microsoft Forefront Threat Management Gateway\wspsrv.exe
• %ProgramFiles%\Microsoft Forefront Threat Management Gateway\w3prefch.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS\MSSQL\Binn\sqlservr.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS\MSSQL\Binn\ReportingServicesService.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL10.MSFW\MSSQL\Binn\sqlservr.exe
• %WinDir%\System32\dsamain.exe
UAG 2010.
Exclude:
• The same files which were excluded for IIS.
• The same files which were excluded for TMG 2010.
• %ProgramFiles%\Microsoft Forefront Unified Access Gateway.
• %ProgramFiles%\Microsoft Forefront Unified Access Gateway\DnsAlgSrv.exe
• %ProgramFiles%\Microsoft Forefront Unified Access Gateway\MonitorMgrCom.exe
• %ProgramFiles%\Microsoft Forefront Unified Access Gateway\SessionMgrCom.exe
• %ProgramFiles%\Microsoft Forefront Unified Access Gateway\ShareAccess.exe
• %ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagqessvc.exe
• %ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagrdpsvc.exe
• %ProgramFiles%\Microsoft Forefront Unified Access Gateway\UserMgrCom.exe
• %ProgramFiles%\Microsoft Forefront Unified Access Gateway\WatchDogSrv.exe
• %ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlerrsrv.exe
• %ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlios.exe
Please use this link for more detailed information.
SYSTEM CENTER PRODUCTS AND THEIR PREDECESSORS
This section contains information about:
• Systems Management Server (SMS) 2003 and Configuration Manager (SCCM) 2007.
• System Center Data Protection Manager (SCDPM) 2007.
• System Center Operations Manager (SCOM) 2007 and Operations Manager (MOM) 2005.
SMS 2003.
Exclude:
• SMS\Inboxes directory on Microsoft Systems Management Server site servers.
• SMS_CCM\ServiceData directory on Microsoft SMS Management Points.
Please use this link for more detailed information.
Logs.
Exclude:
• %ProgramFiles%\Microsoft Configuration Manager\Logs\*.log
SCCM 2012
Exclude:
• C:\Windows\TEMP\BootImages\{GUID}
• \Windows\TEMP\BootImages\*
• \ConfigMgr_OfflineImageServicing
• %allusersprofile%\NTUser.pol
• %systemroot%\system32\GroupPolicy\registry.pol
• %windir%\Security\database\*.chk
• %windir%\Security\database\*.edb
• %windir%\Security\database\*.jrs
• %windir%\Security\database\*.log
• %windir%\Security\database\*.sdb
• %windir%\SoftwareDistribution\Datastore\Datastore.edb
• %windir%\SoftwareDistribution\Datastore\Logs\edb.chk
• %windir%\SoftwareDistribution\Datastore\Logs\edb*.log
• %windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
• %windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
• %windir%\SoftwareDistribution\Datastore\Logs\Res1.log
• %windir%\SoftwareDistribution\Datastore\Logs\Res2.log
• %windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
• %programfiles%\Microsoft Configuration Manager\Inboxes\*.*
• %programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*.*
Please use this link for more detailed information.
SCCM 2007.
Exclude:
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes
Please use this link for more detailed information.
SCDPM 2007.
Exclude:
• %ProgramFiles%\Microsoft Data Protection Manager\DPM\XSD
• %ProgramFiles%\Microsoft Data Protection Manager\DPM\Temp\MTA
• %ProgramFiles%\Microsoft Data Protection Manager\DPM\bin\dpmra.exe
• %WinDir%\Microsoft.net\Framework\v2.0.50727\csc.exe
Please use this link for more detailed information.
SCOM 2007/2012 and MOM 2005.
Exclude:
• Momhost.exe (MOM 2005)
• Monitoringhost.exe (SCOM 2007 & SCOM 2012)
• %allusersprofile%\Application Data\Microsoft\Microsoft Operations Manager\ (MOM 2005)
• %ProgramFiles%\System Center Operations Manager 2007\Health Service State\Health Service Store (SCOM 2007)
• %ProgramFiles%\System Center 2012\Operations Manager\<Component>\Health Service State\Health Service Store (SCOM 2012)
• %Program Files%\Microsoft SQL Server\MSSQL.1\MSSQL\Data
• %ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Log
• Extensions: WKF, PQF, PQF0, PQF1, EDB, CHK, LOG, MDF, LDF
Please use this link for more detailed information.
SMS_CCM\ServiceData
• %ProgramFiles%\SMS_CCM\ServiceData\*.msg
• %ProgramFiles%\SMS_CCM\ServiceData\*.que
• %ProgramFiles%\SMS_CCM\ServiceData\*.xml
The transaction log files
• %windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
• %windir%\SoftwareDistribution\Datastore\Logs\Res?.log
• %windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
• %windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb
• %allusersprofile%\NTUser.pol
• %systemroot%\system32\GroupPolicy\Machine\registry.pol
• ?:\SMSPKG\*.*
• ?:\SMSPKG?$\*.*
• ?:\SMSPKGSIG\*.*
• ?:\SMSSIG$\*.*
• ?:\SCCMContentLib\*.*
SMS – inboxes directory.
Exclude:
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.adc
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.box
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ccr
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.cfg
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.cmn
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ct0
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ct1
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ct2
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.dat
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.dc
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ddr
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.i*
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ins
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ist
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.job
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.lkp
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.lo_
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.log
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.mif
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.mof
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.nal
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ncf
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.nhm
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ofn
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.ofr
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.p*
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.pcf
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.pck
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.pdf
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.pkg
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.pkn
• %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*.rpl
SHAREPOINT SERVERS & SERVICES
SharePoint Service 3.0.
Exclude:
• %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\Logs
• %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\Data\Applications (if the computer is running the Windows SharePoint Services Search service)
• %WinDir%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files
• %WinDir%\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files (on 64-bit systems)
• %allusersprofile%\Application Data\Microsoft\SharePoint\Config
• %WinDir%\Temp\WebTempDir
• %SystemDrive%\Documents and Settings\service_account\Local Settings\Temp\
Please use this link for more detailed information.
SharePoint Portal Server 2001/2003.
Exclude:
• %ProgramFiles%\SharePoint Portal Server
• %ProgramFiles%\Common Files\Microsoft Shared\Web Storage System
• %WinDir%\Temp\Frontpagetempdir (if you are using SPS 2003 SP1)
Please use this link for more detailed information.
SharePoint Server 2007.
Exclude:
• %ProgramFiles%\Microsoft Office Servers\12.0\Data
• %ProgramFiles%\Microsoft Office Servers\12.0\Logs
• %ProgramFiles%\Microsoft Office Servers\12.0\Bin
Please use this link for more detailed information.
SharePoint Foundation 2010
Exclude:
• Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Logs
• Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Data\Applications
• Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files
• Drive:\Users\ServiceAccount\AppData\Local\Temp\WebTempDir
• Drive:\ProgramData\Microsoft\SharePoint
• Drive:\Users\account that the search service is running as\AppData\Local\Temp
• Drive:\WINDOWS\system32\LogFiles
• Drive:\Windows\Syswow64\LogFiles
• Drive:\Users\ServiceAccount\AppData\Local\Temp
• Drive:\Users\Default\AppData\Local\Temp
Please use this link for more detailed information.
SharePoint Foundation 2013
Exclude:
• %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\15\Logs
• %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\15\Data\Applications
SharePoint Server 2010
Exclude:
• %ProgramFiles%\Microsoft Office Servers\14.0\Data
• %ProgramFiles%\Microsoft Office Servers\14.0\Logs
• %ProgramFiles%\Microsoft Office Servers\14.0\Bin
• %ProgramFiles%\Microsoft Office Servers\14.0\Synchronization Service
• Any location in which you decided to store the disk-based binary large object (BLOB)
cache (for example, C:\Blobcache)
Please use this link for more detailed information.
SharePoint Foundation 2013
Exclude:
• Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Logs
• Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Data\Applications
• Drive:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
• Drive:\Users\ServiceAccount\AppData\Local\Temp\WebTempDir
• Drive:\ProgramData\Microsoft\SharePoint
• Drive:\Users\account that the search service is running as\AppData\Local\Temp
• Drive:\WINDOWS\System32\LogFiles
• Drive:\Windows\Syswow64\LogFiles
• Drive:\Users\ServiceAccount\AppData\Local\Temp
• Drive:\Users\Default\AppData\Local\Temp
Please use this link for more detailed information.
SharePoint Server 2013
Exclude:
• %ProgramFiles%\Microsoft Office Servers\15.0\Data
• %ProgramFiles%\Microsoft Office Servers\15.0\Logs
• %ProgramFiles%\Microsoft Office Servers\15.0\Bin
• %ProgramFiles%\Microsoft Office Servers\15.0\Synchronization Service
• Any location in which you decided to store the disk-based binary large object (BLOB)
cache (for example, C:\Blobcache).
Please use this link for more detailed information.
VIRTUALIZATION SOLUTIONS
Hyper-V Servers
Exclude:
• Vmms.exe
• Vmwp.exe
• C:\ProgramData\Microsoft\Windows\Hyper-V
• C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks
• %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
• %systemdrive%\ClusterStorage
Please use this link for more detailed information.
MED-V
Exclude:
• *.VHD - These represent the Virtual Hard Disk Image files. These will appear on test
workstations when test images are being used to finalize workspace policies.
• *.VUD - These represent Virtual PC Undo Disk Files. These will appear on test workstations
when test images are being used to finalize workspace policies.
• *.VSV - These represent Virtual PC Saved State files. These will be on all MED-V clients
running Workspaces.
• *.CKM - This is the packed image format used by MED-V (Kidaro Compressed Machine.)
These will be present on MED-V Servers, Image Distribution Servers, locally packed images
on MED-V Administration workstations, and as pre-staged images on clients.
• *.VMC - These represent the Base Virtual Machine Settings File. Will be found on all MED-V
Clients and Test Workstations.
• *.INDEX - These are index files used by the TrimTransfer Feature. These will be found on
both clients and servers.
• *.EVHD - These are the encrypted virtual hard disk files used on MED-V Clients running
workspaces.
Please use this link for more detailed information.
App-V
Windows Vista, Windows Server 2008 or later
• %USERPROFILE%\AppData\Local\SoftGrid Client
• %USERPROFILE%\AppData\Roaming\SoftGrid Client
• %PROGRAMDATA%\Microsoft\Application Virtualization Client\SoftGrid Client
Windows XP or Windows Server 2003
• %USERPROFILE%\Application Data\SoftGrid Client
• %ALLUSERSPROFILE%\Application Data\Microsoft\Application Virtualization Client\
• %ALLUSERSPROFILE%\Documents\SoftGrid Client
Please use this link for more detailed information.
MICROSOFT SBS 2003
• %PROGRAMFILES%\Exchsrvr\Mailroot\vsi 1\PickUp
• %PROGRAMFILES%\Exchsrvr\Mailroot\
• %PROGRAMFILES%\Microsoft Windows Small Business Server\\Networking\POP3\Failed Mail
Please use this link for more detailed information.
MICROSOFT EXCHANGE SERVERS
Exchange 2003 Servers
Exclude:
• Databases and log files across all storage groups are located in Exchsrvr\Mdbdata.
• MTA files are located in Exchsrvr\Mtadata.
• Additional log files such as Exchsrvr\server_name.log directory.
• Exchsrvr\Mailroot virtual server folder.
• Working folder used to store streaming .tmp files that are used for message conversion is located in Exchsrvr\Mdbdata.
• Temporary folder used in conjunction with offline maintenance utilities such as Eseutil.exe
is located in folder where the .exe file is run from.
• Site Replication Service files are located in Exchsrvr\Srsdata.
• IIS system files are located in %SystemRoot%\System32\Inetsrv.
• IIS 6.0 compression folder used with Outlook Web Access 2003 is located in %systemroot%\IIS Temporary Compressed Files.
• Quorum disk and %Winnt%\Cluster (for clusters).
• Exchsrvr\Conndata.
• Exchange-aware antivirus program folders.
• Cdb.exe
• Cidaemon.exe
• Store.exe
• Emsmta.exe
• Mad.exe
• Mssearch.exe
• Inetinfo.exe
• W3wp.exe
Please use this link for more detailed information.
Exchange 2007 Servers
Mailbox server role including clustered mailbox server
Exclude:
• Databases, checkpoint files, log files and database content indexes located in subfolders
under %Program Files%\Microsoft\Exchange Server\Mailbox.
• General log files like message tracking log files are located in subfolders under %Program Files%\Microsoft\Exchange Server\TransportRoles\Logs and %Program Files%\Microsoft\Exchange Server\Logging.
• Offline Address Book files are located in subfolders under %Program Files%\Microsoft\Exchange Server\ExchangeOAB.
• IIS system files located in %SystemRoot%\System32\Inetsrv.
• Temporary folder used in conjunction with offline maintenance utilities such as Eseutil.exe
is located in the folder where the .exe file is run from.
• Temporary folders used for conversions are located in server’s TMP folder, %Program Files%\Microsoft\Exchange Server\Working\OleConvertor and %Program Files%\Microsoft\Exchange Server\Mailbox\MDBTEMP.
• The quorum disk and the %Winnt%\Cluster.
• Exchange-aware antivirus program folders.
Hub Transport server role
Exclude:
• General log files are located in subfolders under %Program Files%\Microsoft\Exchange
Server\TransportRoles\Logs.
• Message folders are located in subfolders under %Program Files%\Microsoft\Exchange
Server\TransportRoles.
• Queue database, checkpoint and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Queue.
• Sender Reputation database, checkpoint and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation.
• IP filter database, checkpoint and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter.
• Temporary folders used for conversions are located in server’s TMP folder and %Program Files%\Microsoft\Exchange Server\Working\OleConvertor.
• Exchange-aware antivirus program folders.
Edge Transport server role.
Exclude:
• Active Directory Application Mode (ADAM) database and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Adam.
• General log files are located in subfolders under %Program Files%\Microsoft\Exchange Server\TransportRoles\Log
• Message folders are located in %Program Files%\Microsoft\Exchange Server\TransportRoles.
• Queue database, checkpoint and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Queue.
• Sender Reputation database, checkpoint and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation.
• IP filter database, checkpoint and log files are located in %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter.
• Temporary folders used for conversions are located in server’s TMP folder and %Program Files%\Microsoft\Exchange Server\Working\OleConvertor.
• Exchange-aware antivirus program folders.
Client Access server role
Exclude:
• Internet Information Services (IIS) 6.0 compression folder used with Microsoft Outlook
Web Access is located in %systemroot%\IIS Temporary Compressed Files.
• IIS system files are located in %SystemRoot%\System32\Inetsrv.
• Internet-related files are located in subfolders under %Program Files%\Microsoft\Exchange
Server\ClientAccess.
• Temporary folder used for conversions is located in server’s TMP folder.
Unified Messaging server role
Exclude:
• Grammar files are located in subfolders under %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\grammars.
• Voice prompts located in subfolders under %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\Prompts.
• Voicemail files are located in %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\voicemail.
• Bad voicemail files are located in %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\badvoicemail.
• Cdb.exe
• Cidaemon.exe
• Cluster.exe
• Dsamain.exe
• Edgecredentialsvc.exe
• Edgetransport.exe
• Galgrammargenerator.exe
• Inetinfo.exe
• Mad.exe
• Microsoft.Exchange.Antispamupdatesvc.exe
• Microsoft.Exchange.Contentfilter.Wrapper.exe
• Microsoft.Exchange.Cluster.Replayservice.exe
• Microsoft.Exchange.Edgesyncsvc.exe
• Microsoft.Exchange.Imap4.exe
• Microsoft.Exchange.Imap4service.exe
• Microsoft.Exchange.Infoworker.Assistants.exe
• Microsoft.Exchange.Monitoring.exe
• Microsoft.Exchange.Pop3.exe
• Microsoft.Exchange.Pop3service.exe
• Microsoft.Exchange.Search.Exsearch.exe
• Microsoft.Exchange.Servicehost.exe
• Msexchangeadtopologyservice.exe
• Msexchangefds.exe
• Msexchangemailboxassistants.exe
• Msexchangemailsubmission.exe
• Msexchangetransport.exe
• Msexchangetransportlogsearch.exe
• Msftefd.exe
• Msftesql.exe
• Oleconverter.exe
• Powershell.exe
• Sesworker.exe
• Speechservice.exe
• Store.exe
• Transcodingservice.exe
• Umservice.exe
• Umworkerprocess.exe
• W3wp.exe
Extension exclusions
In addition to excluding specific directories and processes, you should exclude the following
Exchange specific file name extensions in case directory exclusions fail or files are moved
from their default locations.
Application-related extensions:
• .config
• .dia
• .wsb
Database-related extensions:
• .chk
• .log
• .edb
• .jrs
• .que
Offline address book-related extensions:
• .lzx
Content Index-related extensions:
• .ci
• .dir
• .wid
• .000
• .001
• .002
Unified Messaging-related extensions:
• .cfg
• .grxml
GroupMetrics:
• .dsc
• .bin
• .xml
Please use this link for more detailed information.
Exchange 2010 Servers
Mailbox server role including clustered mailbox server
Exclude:
• Databases, checkpoint files, log files and database content indexes located in subfolders
under %ExchangeInstallPath%\Mailbox.
• Group Metrics files are located in %ExchangeInstallPath%\GroupMetrics.
• General log files like message tracking log files are located in subfolders under %ExchangeInstallPath%\TransportRoles\Logs and %ExchangeInstallPath%\Logging.
• Offline Address Book files are located in subfolders under %ExchangeInstallPath%\ExchangeOAB.
• IIS system files located in %SystemRoot%\System32\Inetsrv.
• Temporary folder used in conjunction with offline maintenance utilities such as Eseutil.exe
is located in the folder where the .exe file is run from.
• Mailbox database temporary folder is located in %ExchangeInstallPath%\Mailbox\MDBTEMP.
• The quorum disk and the %Winnt%\Cluster.
• Exchange-aware antivirus program folders.
Hub Transport server role
Exclude:
• General log files are located in subfolders under %ExchangeInstallPath%\TransportRoles\Logs.
• Pickup and Replay message directory folders are located in %ExchangeInstallPath%\TransportRoles.
• Queue database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\Queue.
• Sender Reputation database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\SenderReputation.
• IP filter database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\IpFilter.
• Temporary folders used for conversions are located in server’s TMP folder and %ExchangeInstallPath%\Working\OleConvertor.
• Exchange-aware antivirus program folders.
Edge Transport server role
Exclude:
• Active Directory Application Mode (ADAM) database and log files are located in %ExchangeInstallPath%\TransportRoles\Data\Adam.
• General log files are located in subfolders under %ExchangeInstallPath%\TransportRoles\Logs.
• Pickup and Replay message folders are located in %ExchangeInstallPath%\TransportRoles.
• Queue database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\Queue.
• Sender Reputation database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\SenderReputation.
• IP filter database, checkpoint and log files are located in %ExchangeInstallPath%\TransportRoles\Data\IpFilter.
• Temporary folders used for conversions are located in server’s TMP folder and %ExchangeInstallPath%\Working\OleConvertor.
• Exchange-aware antivirus program folders.
Client Access server role
Exclude:
• Internet Information Services (IIS) 7.0 compression folder used with Microsoft Outlook
Web App is located in %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files.
• Internet Information Services (IIS) 7.0 compression folder used with Microsoft Outlook
Web App is located in %systemroot%\IIS Temporary Compressed Files.
• IIS system files are located in %SystemRoot%\System32\Inetsrv.
• Inetpub\logs\logfiles\w3svc.
• Internet-related files are located in subfolders under %ExchangeInstallPath%\ClientAccess.
• For servers that have protocol logging enabled for POP3 or IMAP4: %ExchangeInstallPath%\Logging\POP3 and %ExchangeInstallPath%\Logging\IMAP4.
• Temporary folder used for conversions is located in server’s TMP folder and %ExchangeInstallPath%\Working\OleConvertor.
Unified Messaging server role
Exclude:
• Grammar files are located in subfolders under %ExchangeInstallPath%\UnifiedMessaging\grammars.
• Voice prompts, greetings and informational message files are located in subfolders under %ExchangeInstallPath%\UnifiedMessaging\Prompts.
• Voicemail files are located in %ExchangeInstallPath%\UnifiedMessaging\voicemail.
• Temporary files generated by Unified Messaging are located in %ExchangeInstallPath%\UnifiedMessaging\temp.
• Cdb.exe
• Cidaemon.exe
• Cluster.exe
• Dsamain.exe
• EdgeCredentialSvc.exe
• EdgeTransport.exe
• ExFBA.exe
• GalGrammarGenerator.exe
• Inetinfo.exe
• Mad.exe
• Microsoft.Exchange.AddressBook.Service.exe
• Microsoft.Exchange.AntispamUpdateSvc.exe
• Microsoft.Exchange.ContentFilter.Wrapper.exe
• Microsoft.Exchange.EdgeSyncSvc.exe
• Microsoft.Exchange.Imap4.exe
• Microsoft.Exchange.Imap4service.exe
• Microsoft.Exchange.Infoworker.Assistants.exe
• Microsoft.Exchange.Monitoring.exe
• Microsoft.Exchange.Pop3.exe
• Microsoft.Exchange.Pop3service.exe
• Microsoft.Exchange.ProtectedServiceHost.exe
• Microsoft.Exchange.RPCClientAccess.Service.exe
• Microsoft.Exchange.Search.Exsearch.exe
• Microsoft.Exchange.Servicehost.exe
• MSExchangeASTopologyService.exe
• MSExchangeFDS.exe
• MSExchangeMailboxAssistants.exe
• MSExchangeMailboxReplication.exe
• MSExchangeMailSubmission.exe
• MSExchangeRepl.exe
• MSExchangeTransport.exe
• MSExchangeTransportLogSearch.exe
• MSExchangeThrottling.exe
• Msftefd.exe
• Msftesql.exe
• OleConverter.exe
• Powershell.exe
• SESWorker.exe
• SpeechService.exe
• Store.exe
• TranscodingService.exe
• UmService.exe
• UmWorkerProcess.exe
• W3wp.exe
Extension exclusions
In addition to excluding specific directories and processes, you should exclude the following
Exchange specific file name extensions in case directory exclusions fail or files are moved
from their default locations.
Application-related extensions:
• .config
• .dia
• .wsb
Database-related extensions:
• .chk
• .log
• .edb
• .jrs
• .que
Offline address book-related extensions:
• .lzx
Content Index-related extensions:
• .ci
• .dir
• .wid
• .000
• .001
• .002
Unified Messaging-related extensions:
• .cfg
• .grxml
GroupMetrics:
• .dsc
• .bin
• .xml
Exchange 2016 Servers
Folder Exclusions
• %SystemRoot%\Cluster
• %SystemDrive%\DAGFileShareWitnesses\<DAGFQDN>
• %ExchangeInstallPath%ClientAccess\OAB
• %ExchangeInstallPath%FIP-FS
• %ExchangeInstallPath%GroupMetrics
• %ExchangeInstallPath%Logging
• %ExchangeInstallPath%Mailbox
• %ExchangeInstallPath%TransportRoles\Data\Adam
• %ExchangeInstallPath%TransportRoles\Data\IpFilter
• %ExchangeInstallPath%TransportRoles\Data\Queue
• %ExchangeInstallPath%TransportRoles\Data\SenderReputation
• %ExchangeInstallPath%TransportRoles\Data\Temp
• %ExchangeInstallPath%TransportRoles\Logs
• %ExchangeInstallPath%TransportRoles\Pickup
• %ExchangeInstallPath%TransportRoles\Replay
• %ExchangeInstallPath%UnifiedMessaging\Grammars
• %ExchangeInstallPath%UnifiedMessaging\Prompts
• %ExchangeInstallPath%UnifiedMessaging\Temp
• %ExchangeInstallPath%UnifiedMessaging\Voicemail
• %ExchangeInstallPath%Working\OleConverter
• %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
• %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
• %SystemRoot%\System32\Inetsrv
Process exclusions
• ComplianceAuditService.exe - %ExchangeInstallPath%Bin
• Dsamain.exe - %SystemRoot%\System32
• EdgeTransport.exe - %ExchangeInstallPath%Bin
• fms.exe - %ExchangeInstallPath%FIP-FS\Bin
• hostcontrollerservice.exe - %ExchangeInstallPath%Bin\Search\Ceres\HostController
• inetinfo.exe - %SystemRoot%\System32\inetsrv
• Microsoft.Exchange.AntispamUpdateSvc.exe - %ExchangeInstallPath%Bin
• Microsoft.Exchange.ContentFilter.Wrapper.exe - %ExchangeInstallPath%TransportRoles\agents\Hygiene
• Microsoft.Exchange.Diagnostics.Service.exe - %ExchangeInstallPath%Bin
• Microsoft.Exchange.Directory.TopologyService.exe - %ExchangeInstallPath%Bin
• Microsoft.Exchange.EdgeCredentialSvc.exe - %ExchangeInstallPath%Bin
• Microsoft.Exchange.EdgeSyncSvc.exe - %ExchangeInstallPath%Bin
• Microsoft.Exchange.Imap4.exe - %ExchangeInstallPath%FrontEnd\PopImap
• Microsoft.Exchange.Imap4service.exe - %ExchangeInstallPath%ClientAccess\PopImap
• Microsoft.Exchange.Notifications.Broker.exe - %ExchangeInstallPath%Bin
• Microsoft.Exchange.Pop3.exe - %ExchangeInstallPath%FrontEnd\PopImap
• Microsoft.Exchange.Pop3service.exe - %ExchangeInstallPath%ClientAccess\PopImap
• Microsoft.Exchange.ProtectedServiceHost.exe - %ExchangeInstallPath%Bin
• Microsoft.Exchange.RPCClientAccess.Service.exe - %ExchangeInstallPath%Bin
• Microsoft.Exchange.Search.Service.exe - %ExchangeInstallPath%Bin
• Microsoft.Exchange.Servicehost.exe - %ExchangeInstallPath%Bin
• Microsoft.Exchange.Store.Service.exe - %ExchangeInstallPath%Bin
• Microsoft.Exchange.Store.Worker.exe - %ExchangeInstallPath%Bin
• Microsoft.Exchange.UM.CallRouter.exe - %ExchangeInstallPath%FrontEnd\CallRouter
• MSExchangeCompliance.exe - %ExchangeInstallPath%Bin
• MSExchangeDagMgmt.exe - %ExchangeInstallPath%Bin
• MSExchangeDelivery.exe - %ExchangeInstallPath%Bin
• MSExchangeFrontendTransport.exe - %ExchangeInstallPath%Bin
• MSExchangeHMHost.exe - %ExchangeInstallPath%Bin
• MSExchangeHMWorker.exe - %ExchangeInstallPath%Bin
• MSExchangeMailboxAssistants.exe - %ExchangeInstallPath%Bin
• MSExchangeMailboxReplication.exe - %ExchangeInstallPath%Bin
• MSExchangeRepl.exe - %ExchangeInstallPath%Bin
• MSExchangeSubmission.exe - %ExchangeInstallPath%Bin
• MSExchangeTransport.exe - %ExchangeInstallPath%Bin
• MSExchangeTransportLogSearch.exe - %ExchangeInstallPath%Bin
• MSExchangeThrottling.exe - %ExchangeInstallPath%Bin
• Noderunner.exe - %ExchangeInstallPath%Bin\Search\Ceres\Runtime\1.0
• OleConverter.exe - %ExchangeInstallPath%Bin
• ParserServer.exe - %ExchangeInstallPath%Bin\Search\Ceres\ParserServer
• Powershell.exe - C:\Windows\System32\WindowsPowerShell\v1.0
• ScanEngineTest.exe - %ExchangeInstallPath%FIP-FS\Bin
• ScanningProcess.exe - %ExchangeInstallPath%FIP-FS\Bin
• UmService.exe - %ExchangeInstallPath%Bin
• UmWorkerProcess.exe - %ExchangeInstallPath%Bin
• UpdateService.exe - %ExchangeInstallPath%FIP-FS\Bin
• W3wp.exe - %SystemRoot%\System32\inetsrv
• wsbexchange.exe - %ExchangeInstallPath%Bin
Extension exclusions
• .config
• .chk
• .edb
• .jfm
• .jrs
• .log
• .que
• .dsc
• .txt
• .cfg
• .grxml
• .lzx
Please use this link for more detailed information.
Exclusion overview Exchange server 2013 \ 2010 SP3 \ 2010 SP2\ 2007 – SP1 - SP2 - SP3
• %ProgramFiles%\Microsoft\Exchange Server\Mailbox
• %ProgramFiles%\Microsoft\Exchange Server\GroupMetrics
• %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logs
• %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logging
• %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\OAB
• %ProgramFiles%\Microsoft\Exchange Server\ExchangeOAB
• %SystemRoot%\System32\Inetsrv
• %ProgramFiles%\Microsoft\Exchange Server\Mailbox\MDBTEMP
• %Windir%\Cluster
• %SystemDrive%\DAGFileShareWitnesses\
• %ProgramFiles%\Microsoft\Exchange Server\Logs
• %ProgramFiles%\Microsoft\Exchange Server\Logging
• %ProgramFiles%\Microsoft\Exchange Server\TransportRoles
• %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\Queue
• %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation
• %ProgramFiles%\Microsoft\Exchange Server\Working\OleConverter
• %ProgramFiles%\Microsoft\Exchange Server\FIP-FS
• %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logs\Mailbox
• %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\Adam
• %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter
• %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\grammars
• %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\Prompts
• %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\voicemail
• %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\badvoicemail
• %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\temp
• %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
• %systemroot%\IIS Temporary Compressed Files
• %SystemRoot%\System32\Inetsrv
• %SystemDrive%\Inetpub\logs\logfiles\w3svc
• %ProgramFiles%\Microsoft\Exchange Server\ClientAccess
• %ProgramFiles%\Microsoft\Exchange Server\Logging\POP3
• %ProgramFiles%\Microsoft\Exchange Server\Logging\IMAP4
• %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logs\FrontEnd
• %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\
• %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data\Archive
• %ProgramFiles%\Microsoft ForeFront Security\Exchange Server\Data\Archive
• %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data\Quarantine
• %ProgramFiles%\Microsoft Forefront Protection for Exchange Server\Data\Quarantine
• %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data\Engines\x86
• %ProgramFiles%\Microsoft ForeFront Security\Exchange Server\Data\Engines\x86
• %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data\Engines\amd64
• %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data
• %ProgramFiles%\Microsoft Forefront Protection for Exchange Server\Data
• %ProgramFiles%\Microsoft\Exchange Server\Mdbdata
• %ProgramFiles%\Microsoft\Exchange Server\Mtadata
• %ProgramFiles%\Microsoft\Exchange Server\Mailroot
• %ProgramFiles%\Microsoft\Exchange Server\Srsdata
• %ProgramFiles%\Microsoft\Exchange Server\Conndata
• %ProgramFiles%\Microsoft\Exchange Server\IMCData
Please use this link for more detailed information.
LYNC SERVER 2010
Processes:
• ASMCUSvc.exe
• AVMCUSvc.exe
• DataMCUSvc.exe
• DataProxy.exe
• FileTransferAgent.exe
• IMMCUSvc.exe
• MasterReplicatorAgent.exe
• MediaRelaySvc.exe
• MediationServerSvc.exe
• MeetingMCUSvc.exe
• MRASSvc.exe
• OcsAppServerHost.exe
• QmsSvc.exe
• ReplicaReplicatorAgent.exe
• RTCArch.exe
• RtcCdr.exe
• RTCSrv.exe
IIS processes:
• %systemroot%\system32\inetsrv\w3wp.exe
• %systemroot%\SysWOW64\inetsrv\w3wp.exe
SQL Server processes:
• %ProgramFiles%\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\SQLServr.exe
• %ProgramFiles%\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
• %ProgramFiles%\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe
Directories and files: Lync 2010
• %systemroot%\System32\LogFiles
• %systemroot%\SysWow64\LogFiles
• %systemroot%\Windows\Assembly\GAC_MSIL
• %programfiles%\Microsoft Lync Server 2010
• %programfiles%\commonfiles\Microsoft Lync Server 2010
• %SystemDrive%\RtcReplicaRoot
• File share store (specified in Topology Builder). File stores are specified in Topology Builder.
• SQL Server data and log files, including those for the back-end database, user store, archiving store, monitoring store, and application store. Database and log files can be specified in Topology Builder.
Directories and files: Lync 2013
• %systemroot%\System32\LogFiles
• %systemroot%\SysWow64\LogFiles
• %systemroot%\Windows\Microsoft.NET\assembly\GAC_MSIL
• %programfiles%\Microsoft Lync Server 2013
• %systemroot%\Program Files\Common Files\Microsoft Lync Server 2013\Watcher Node
• %programfiles%\commonfiles\Microsoft Lync Server 2013
• %SystemDrive%\RtcReplicaRoot
Please use this link for more detailed information.
DATA PROTECTION MANAGER
• \XSD
• \Temp\MTA
• Dpmra.exe
• Csc.exe
Please use this link for more detailed information.
DYNAMICS AX 2009
For versions up to AX 2009 exclude:
• All the AOD, AOI, ADD, ADI, KHD & KHI files, or
• alternatively, the whole application folder
Please use this link for more detailed information.
BIZTALK 2004 SERVERS
• Exclude any file receive queue folders.
• EntSSO.exe, MSDTC.exe, BTSNTSvc.exe, BTSNTSvc64.exe and SQLServr.exe, as well as others such as IIS, Customer WCF services, MSMQ, Rule Engine, SQL Agent, SSIS, SSNS and other applications used in integration scenarios.
Please use this link for more detailed information.
DYNAMICS CRM
Microsoft Dynamics CRM servers
• %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
• %systemroot%\system32\inetsrv
• %windir%\SecurityDatabase\*.edb
• %windir%\SecurityDatabase\*.sdb
• %windir%\SecurityDatabase\*.log
• %windir%\SecurityDatabase\*.chk
• %windir%\SecurityDatabase\*.jrs
Microsoft CRM Email Service
• %Program Files%\Microsoft CRM EmailService\Microsoft.crm.tools.email.management.exe
• %Program Files%\Microsoft CRM EmailService\Microsoft.crm.tools.emailagent.exe
• %Program Files%\Microsoft CRM EmailService\Microsoft.crm.tools.emailproviders.dll
• %Program Files%\Microsoft CRM EmailService\Microsoft.Exchange.WebServices.dll
• %Program Files%\Microsoft CRM EmailService\Microsoft.Crm.Passport.IdCrl.dll
• %Program Files%\Microsoft CRM EmailService\Microsoft.Crm.Tools.EmailAgent.Configuration.bin
• %Program Files%\Microsoft CRM EmailService\Microsoft.Crm.Tools.EmailAgent.xml
• %Program Files%\Microsoft CRM EmailService\Microsoft.Crm.Tools.EmailAgent.SystemState.xml
MICROSOFT OFFICE COMMUNICATIONS SERVER
• %ProgramFiles%\Microsoft Office Communications Server 2007
• %ProgramFiles%\Microsoft Office Communications Server 2007 R2
SKYPE FOR BUSINESS SERVER 2015
Exclude processes:
• ABServer.exe
• AcpMcuSvc.exe
• ASMCUSvc.exe
• AVMCUSvc.exe
• ChannelService.exe
• ClsAgent.exe
• ComplianceService.exe
• DataMCUSvc.exe
• DataProxy.exe
• FileTransferAgent.exe
• HealthAgent.exe
• IMMCUSvc.exe
• LysSvc.exe
• MasterReplicatorAgent.exe
• MediaRelaySvc.exe
• MediationServerSvc.exe
• MRASSvc.exe
• OcsAppServerHost.exe
• ReplicaReplicatorAgent.exe
• ReplicationApp.exe
• RtcHost.exe
• RTCSrv.exe
• XmppProxy.exe
• XmppTGW.exe
Windows Fabric Host Service processes:
• Fabric.exe
• FabricDCA.exe
• FabricHost.exe
IIS processes:
• %systemroot%\system32\inetsrv\w3wp.exe
• %systemroot%\SysWOW64\inetsrv\w3wp.exe
SQL Server Back-End processes:
• %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\SQLServr.exe
• %ProgramFiles%\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
• %ProgramFiles%\Microsoft SQL Server\MSAS11.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe
SQL Server Front-End processes:
• %ProgramFiles%\Microsoft SQL Server\MSSQL12.LYNCLOCAL\MSSQL\Binn\SQLServr.exe
• %ProgramFiles%\Microsoft SQL Server\MSSQL12.RTCLOCAL\MSSQL\Binn\SQLServr.exe
• Standard Edition Installation RTC Instance
• %ProgramFiles%\Microsoft SQL Server\MSSQL12.RTC\MSSQL\Binn\SQLServr.exe
Directories and files:
• %systemroot%\System32\LogFiles
• %systemroot%\SysWow64\LogFiles
• %systemroot%\Microsoft.NET\assembly\GAC_MSIL
• %programfiles%\Skype for Business Server 2015
• %programfiles%\Common Files\Skype for Business Server 2015\Watcher Node
• %programfiles%\Common Files\Skype for Business Server 2015
• %programfiles%\Common Files\Skype for Business Online
• %SystemDrive%\RtcReplicaRoot
TEAM FOUNDATION SERVER 2010/2012/2013:
• C:\Windows\System32\inetsrv\w3wp.exe
• %ProgramFiles%\Microsoft Team Foundation Server 12.0\Application Tier\Web Services\bin
HOW TO ADD EXCLUSIONS IN KES 10 FOR WINDOWS
The first way to create default exclusions, which include many of the default Windows
workstation and server lists, is during policy creation.
During creation, the two checkboxes to create default rules will need to be checked.
Examples of auto-generated rules:
Alternatively, specific exclusions can be created after the policy has been created in the
General Protection Settings area of the policy.
HOW TO ADD EXCLUSIONS IN KAV 8.0
FOR WINDOWS SERVERS EE
Please note that many of the exclusions mentioned above are prepopulated because this product
is specifically targeted at server environments. Reviewing these default exclusions will be
necessary if there has been customization in your environment; specifically, looking for non-default installation paths and updating them as needed will ensure proper exclusion. The exclusion
rules can be found in the Advanced area of the policy under Trusted Zone -> Settings.
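One way to carry out that review, as an added example (not Kaspersky tooling and not part of the original document): expand each exclusion entry against the environment captured from the server and flag entries that cannot match anything there. The function names, the sample environment, the sample directory set and the injected `exists` check are assumptions made for the illustration.

```python
import ntpath
import re

# %NAME% tokens in the form the Windows shell expands them.
_TOKEN = re.compile(r"%([^%\\]+)%")

# Constructed sample: environment captured from a hypothetical server with
# Exchange installed on D: instead of the default location.
SAMPLE_ENV = {
    "SystemRoot": "C:\\Windows",
    "ProgramFiles": "C:\\Program Files",
    "ExchangeInstallPath": "D:\\Exchange\\V15\\",
}

# Constructed sample: directories present on that server (lower-cased).
SAMPLE_PRESENT = {
    "c:\\windows\\system32\\inetsrv",
    "d:\\exchange\\v15\\mailbox",
}

# Entries written in the notation this document uses; the last three are
# constructed copy errors of the kind a hand-maintained list can contain.
SAMPLE_ENTRIES = [
    r"Store.exe",
    r"%SystemRoot%\System32\Inetsrv",
    r"%ExchangeInstallPath%Mailbox",
    r"%ProgramFiles%\Microsoft\Exchange Server\Mailbox",
    r"%Program Files%\Microsoft\Exchange Server\Mailbox",
    r"ExchangeInstallPath%Bin",
    r"\Temp\MTA",
]


def sample_exists(path):
    """Stand-in for os.path.isdir so the example runs offline."""
    return ntpath.normcase(path).rstrip("\\") in SAMPLE_PRESENT


def expand_entry(entry, env):
    """Expand %VAR% tokens case-insensitively; return (expanded, problems)."""
    lookup = {name.upper(): value for name, value in env.items()}
    problems = []

    def substitute(match):
        value = lookup.get(match.group(1).upper())
        if value is None:
            problems.append("undefined variable " + match.group(0))
            return match.group(0)
        return value

    expanded = _TOKEN.sub(substitute, entry)
    # A % left over once well-formed tokens are removed means a broken token.
    if "%" in _TOKEN.sub("", entry):
        problems.append("unbalanced % sign")
    return expanded, problems


def audit(entries, env, exists):
    """Return {entry: [problems]} for the entries that need review."""
    findings = {}
    for entry in entries:
        expanded, problems = expand_entry(entry, env)
        # Bare names such as Store.exe are process exclusions, not paths.
        if not problems and "\\" in expanded:
            if not ntpath.splitdrive(expanded)[0]:
                problems.append("no drive or UNC root: " + expanded)
            elif not exists(expanded):
                problems.append("not present on this host: " + expanded)
        if problems:
            findings[entry] = problems
    return findings


if __name__ == "__main__":
    for entry, problems in audit(SAMPLE_ENTRIES, SAMPLE_ENV, sample_exists).items():
        print(entry, "->", "; ".join(problems))
```

On a real server, pass `dict(os.environ)` and `os.path.exists` in place of the constructed samples. An entry reported as not present usually means the product was installed to a non-default path and the rule needs updating.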
AO Kaspersky Lab
500 Unicorn Park, 3rd Floor Woburn, MA 01801 USA
Tel: 866-563-3099 | Email: [email protected]
To learn more visit us at: usa.kaspersky.com
© 2016 AO Kaspersky Lab. All rights reserved. Registered trademarks
and service marks are the property of their respective owners.