McAfee VirusScan Enterprise on Domain Controllers

(from McAfee KnowledgeBase)

Recommended exclusions for VirusScan Enterprise on a Windows Domain Controller with Active Directory or File Replication Service.

The following files and folders do not need to be scanned. These files are not at risk of infection and, if included in scanning, might cause serious performance issues due to file locking. Where a specific set of files is identified by name, exclude only those files instead of the whole folder. Sometimes the whole folder must be excluded. Do not exclude any of these based on the filename extension.

Active Directory and Active Directory-Related Files

Main NTDS Database Files
The location of these files is specified in the following registry key:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File]
The default location is %windir%\ntds.
Exclude the following files:
Ntds.dit
Ntds.pat

Active Directory Transaction Log Files
The location of these files is specified in the following registry key:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path]
The default location is %windir%\ntds.
Exclude the following files:
EDB*.log (the wildcard character indicates that there may be several files)
Res1.log
Res2.log
Ntds.pat

NTDS Working Folder
The location of these files is specified in the following registry key:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory]
Exclude the following files:
Temp.edb
Edb.chk

File Replication Service (FRS)
The location of these files is specified in the following registry key:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory]
Exclude the following files:
FRS Working Dir\jet\sys\edb.chk
FRS Working Dir\jet\ntfrs.jdb
FRS Working Dir\jet\log\*.log

FRS Database Log files
The location of these files is specified in the following registry key:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\DB Log File Directory]
The default location is %windir%\ntfrs. Exclude the following files:
FRS Working Dir\jet\log\*.log (if registry key is not set)
DB Log File Directory\log\*.log (if registry key is set)

Staging folder
The location of the Staging folder is specified in the following registry key. Exclude the Staging folder and all of its sub-folders:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage]
The current location of the Staging folder and all of its sub-folders is the file system reparse target of the replica set staging folders. The location for staging defaults to %systemroot%\sysvol\staging areas.
The current location of the SYSVOL\SYSVOL folder and all of its sub-folders is the file system reparse target of the replica set root. The location for SYSVOL\SYSVOL defaults to %systemroot%\sysvol\sysvol.

FRS Pre-Install Folder
The location of these files is specified in Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
The Preinstall folder is always open when FRS is running.

In summary, the targeted and excluded list of folders for a SYSVOL tree that is placed in its default location would look similar to the following:

Folder                                                                   Action
%systemroot%\sysvol                                                      Exclude
%systemroot%\sysvol\domain                                               Scan
%systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory      Exclude
%systemroot%\sysvol\domain\Policies                                      Scan
%systemroot%\sysvol\domain\Scripts                                       Scan
%systemroot%\sysvol\staging                                              Exclude
%systemroot%\sysvol\staging areas                                        Exclude
%systemroot%\sysvol\sysvol                                               Exclude
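
The registry lookups listed above can be scripted so that exclusions are entered as exact file paths rather than guessed defaults. The following PowerShell is an added example, not part of the McAfee KnowledgeBase article; it only reads the registry and prints the resolved paths. It assumes the last component of each bracketed registry path on this page is a value under the Parameters key, and Get-RegValue and Add-Exclusion are hypothetical helper names.

```powershell
# Added example (read-only). Assumption: the last component of each bracketed
# registry path on this page is a value name under the ...\Parameters key.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$frs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$exclusions = New-Object 'System.Collections.Generic.List[string]'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent (for example, FRS not in use).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Add-Exclusion([string]$Folder, [string[]]$Names) {
    # Skip when the folder could not be resolved from the registry.
    if (-not $Folder) { return }
    foreach ($n in $Names) { $exclusions.Add([IO.Path]::Combine($Folder, $n)) }
}

# Main NTDS database files. Assumption: 'DSA Database File' may hold the full
# path to Ntds.dit, in which case its parent folder is used.
$db = Get-RegValue $ntds 'DSA Database File'
if ($db -and [IO.Path]::GetExtension($db)) { $db = [IO.Path]::GetDirectoryName($db) }
Add-Exclusion $db 'Ntds.dit', 'Ntds.pat'

# Transaction log files and NTDS working folder.
Add-Exclusion (Get-RegValue $ntds 'Database Log Files Path') 'EDB*.log', 'Res1.log', 'Res2.log', 'Ntds.pat'
Add-Exclusion (Get-RegValue $ntds 'DSA Working Directory') 'Temp.edb', 'Edb.chk'

# FRS working directory; the log location changes when 'DB Log File Directory' is set.
$frsWork = Get-RegValue $frs 'Working Directory'
Add-Exclusion $frsWork 'jet\sys\edb.chk', 'jet\ntfrs.jdb'
$frsLog = Get-RegValue $frs 'DB Log File Directory'
if ($frsLog) { Add-Exclusion $frsLog 'log\*.log' } else { Add-Exclusion $frsWork 'jet\log\*.log' }

# Staging folder of every replica set (one GUID subkey each).
# These are folder exclusions and must include sub-folders.
Get-ChildItem -Path "$frs\Replica Sets" -ErrorAction SilentlyContinue | ForEach-Object {
    $stage = $_.GetValue('Replica Set Stage')
    if ($stage) { $exclusions.Add($stage) }
}

$exclusions | Sort-Object -Unique
```

The script does not resolve the SYSVOL\SYSVOL or pre-install folders from the summary list; those are taken from the replica set root as described above.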
