Anti-Virus exclusions

I can't give any recommendation regarding the products you mentioned, but as this thread has such an awesome generic title we could start giving recommendations of what [b]generally[/b] should be excluded from AV scanning. I'm not sure if Sophos has these exclusions already hardcoded into SAV or not.

I can start with an official MS recommendation.

For computers that are running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, Windows Vista, or Windows 7: http://support.microsoft.com/kb/822158

• Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder:
  %windir%\SoftwareDistribution\Datastore
• Turn off scanning of the log files that are located in the following folder:
  %windir%\SoftwareDistribution\Datastore\Logs
  Specifically, exclude the following files:

1. Res*.log
2. Res*.jrs
3. Edb.chk
4. Tmp.edb

• Turn off scanning of Windows Security files by adding the following files in the %windir%\Security\Database path of the exclusions list:

1. *.edb
2. *.sdb
3. *.log
4. *.chk
5. *.jrs

• Turn off scanning of Group Policy related files:
  
  1. Group Policy user registry information. These files are located in the following folder:
     %allusersprofile%
     Specifically, exclude the following file: NTUser.pol
  2. Group Policy client settings file. This file is located in the following folder:
     %Systemroot%\System32\GroupPolicy
     Specifically, exclude the following file: Registry.pol

Note If these files are not excluded, antivirus software may prevent proper access to these files, and security databases can become corrupted. Scanning these files can prevent the files from being used or may prevent a security policy from being applied to the files. These files should not be scanned because antivirus software may not correctly treat them as proprietary database files.

Thanks I have found that article tool but still can not find any offical exclusions for NetBackup,SecondCopy.

I have found the following for double-take:

Double-Take:http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007102607321648

I can't resist, I - just - can't - resist

Now what is this exclusion all about? I think that several categories should be distinguished:

1. "unnecessary" (duplicate) scanning
2. performance or access issues
3. false positives

1. is of rather general nature.

2. is often product specific and not necessarily the scanner's fault.  Software should be written bearing AV software (and security products in general) in mind - there are some not-so-good examples (like software which puts data into unaccessible folders for "recovery" purposes - which is fun when you scan for rootkits).

3. well - how likely is this, seriously?

If vendors think that some vital files should be exempted from scanning then they shouldn't scatter them all over the place, refrain from putting executable code in places they don't want to be scanned and so on. Excuse, I had to rant after collecting samples (got about a dozen of new detections) for two weeks - with all the so-called security (OS and applications) in place you wonder how this crap sneaks in. And now I'm told that I perhaps should only do occasional scans and restrict them to areas or files where no harm could be done by a (and it's not even explicitly stated) false positive? :robotmad:  

Christian

First thank you for not resisting as I appreciate your feedback.

I agree with on some of your points but I'm just looking for support here not saying that the products we use are perfectly written. 

I'm using Sophos and need to know how best to configure it for the software in my environment.  Microsoft has done a great job with their recommended exclusion list but other vendors seem to be lacking.

Please understand I am not picking on Sophos as this issue applies to all AV products.  What I am trying to accomplish here is to avoid any issues where Sophos is just doing it's job and scanning something that the could produce an issue.  An example is if we did not exclude the files and folders on cluster servers.

:robothappy:

Sorry, I got carried away.

Are you asking about settings on the server or the clients? Our backup product makes use of VSS and AFAIK there are no issues. Guess the real challenge would be SureSync. But I can't even guess what's needed so I better shu... refrain from further comments.

Christian