Antivirus Exclusions for Windows

To ensure stable, optimal performance for your Commvault access nodes, you must exclude certain folders and files from antivirus read, write, and scan processes.

Improperly configured antivirus exclusions can cause outages of applications and services due to contention or file locking. For example, antivirus software might lock the collect files that are generated during a backup. Also, most virus-scanning applications use real-time scanning, which can degrade performance or cause failures during Commvault backups and other operations.

Test Commvault features and and functions. During normal operations, monitor Commvault processes and how those processes interact with antivirus software. Coordinate with your antivirus software vendor to achieve proper configuration and tuning of the antivirus software. The goal is for the antivirus software's rules and schedules to allow Commvault operations to run normally and complete successfully.

The information provided is not a complete list of exclusions because the Commvault software might change with updates and new releases.

Important

Make sure that no scheduled or on-demand antivirus scans run during Commvault backups.
Degraded backup performance and unknown backup failures might be caused by host intrusion prevention systems (HIPS).
If you experience performance and consistency problems with SQL Server when certain modules are loaded into the server, see Microsoft KB 2033238.

Exclusions to Implement

CommServe, Client, and MediaAgent Installation Paths

Paths to exclude	File extensions to exclude
software_installation_path\Commvault	None
C:\ProgramData\Commvault Systems	None
Updates Cache (SoftwareCache) folder with CVPackages and CVUpdates subfolders on the CommServe server	None
DR backup set (CS_DR) folders on the CommServe server	None
Job Results folder	None
Index Cache folder	For the Index Cache folder, exclude the following: .al .bmp.7z.cfg .cmt .conf .csv .cvf .cvf.7z .cvf.rfczip .dat .dbinfo .dblog .dbviewprops .dirty .dbs .fcs .fct .idx .info .lic .livelogprops .txt .xml locks

Additional MediaAgent Paths

Paths to exclude	File extensions to exclude
Disk libraries (CV_MAGNETIC folder) Note If you use a UNC path to access the magnetic libraries, exclude the UNC path as well.	For disk libraries (CV_MAGNETIC folder), exclude the following: .bak CHUNK* .compact2 .csivolume .dat .fcs.* .fct .idx .lck MEDIA* .prunable SFILE* *.xml
Deduplication engines (CV_SIDB folder)	For deduplication engines (CV_SIDB folder), exclude the following: .cfg .csv .dbinfo .dbLog .dbViewProps .lic
Deduplication databases	None

Paths to exclude

File extensions to exclude

Disk libraries (CV_MAGNETIC folder)

Note

If you use a UNC path to access the magnetic libraries, exclude the UNC path as well.

For disk libraries (CV_MAGNETIC folder), exclude the following:

*.bak

*CHUNK*

*.compact2

*.csivolume

*.dat

*.fcs.*

*.fct

*.idx

*.lck

*MEDIA*

*.prunable

*SFILE*

*.xml

Deduplication engines (CV_SIDB folder)

For deduplication engines (CV_SIDB folder), exclude the following:

*.cfg

*.csv

*.dbinfo

*.dbLog

*.dbViewProps

*.lic

Deduplication databases

None

Virtual Server Agent

VMware VDDK (vmware-SYSTEM folder)

SharePoint Agent

Temp folder (for example, C:\Users\Commvault Services account\AppData\Local\Temp)

Content Indexing and Search

The entire CI Engine install folders (CIServer and CVCIEngine folders)
Solr folder
CI Index folder
Web Server Cache folder (HKEY_LOCAL_MACHINE\SOFTWARE\Commvault\Galaxy\Instance001\DM2WebSearchServer\sZCACHEDATAFILESPATH)

Outlook Add-In with ContentStore Email Viewer

On computers where the Outlook Add-In with ContentStore is installed, exclude the following folders:

C:\ProgramData\SoftwareCache\
C:\Program Files\CVArchiverAddin or C:\Program Files (x86)\CVArchiverAddin
%appdata%\CVProvider
If the LITE mode cache location is a shared location, exclude the UNC path of the cache

ContinuousDataReplicator

CDR Replication Logs folder

CommCell Consoles

The following executables and folders are used by the stand-alone CommCell console, the web-browser CommCell Console, and any workstations that access either version of the CommCell Console. If the executables and folders are scanned by the antivirus software, it might cause some problems with the CommCell Console.

java.exe: Verify that the antivirus software does not lock this file.
javaw.exe: Verify that the antivirus software does not lock this file.
unzip.exe
zip.exe

Commvault Processes

Commvault processes must be excluded from antivirus read, write, and scan processes. Legacy operating systems and antivirus software might require the names of processes to be truncated. For information, contact the vendor.

Topic	External reference
Microsoft recommendations on antivirus exclusion for current operating systems	Microsoft KB article 822158
Standard Microsoft recommendations for servers running SQL Server	Microsoft KB article 309422
Issues caused by antivirus software on Cluster Services that are not cluster aware	Microsoft KB article 250355
Configuring and viewing Forefront Endpoint Protection (FEP) group policy settings	Configuring and Viewing FEP Group Policy Settings
Symantec standard recommendations for servers to create exceptions	Creating Centralized Exceptions in Symantec Endpoint Protection Manager 11 Creating Exceptions Policies in the Endpoint Protection Manager
McAfee standard recommendations for servers to create exceptions	Virus Scan Enterprise exclusions (Master Article)
Sophos standard recommendations for servers to create exceptions	Recommended vendor exclusions for use with Sophos products Sophos Endpoint Security and Control: Exclude Windows items from scanning Sophos Endpoint: File and folder exclusions do not work
Windows Defender scanning options Windows Defender UNC paths are not scanned by default. If you configured Windows Defender to scan UNC paths, run the Microsoft Powershell script to exclude the paths from being scanned.	Configure Microsoft Defender Antivirus scanning options

Disclaimer

Implementing the antivirus exclusions described in this document may increase the attack vulnerability risk to computers or network by malicious users or by malware or viruses. Before making these changes, it is recommended that the attack vulnerability risks that are associated with implementing these settings be evaluated. It is up to the discretion of the reader's and their company's policies whether to implement the guidelines recommended within this document. Minor revisions and/or service packs that are released by application and operating system vendors are supported by our software. We will provide information on any known caveat for the revisions and/or service packs. In some cases, these revisions and/or service packs affect the working of our software. Changes to the behavior of our software resulting from an application or operating system revision/service pack may be beyond our control. The older releases of our software may not support the platforms supported in the current release. However, we will make every effort to correct the behavior in the current or future releases when necessary. Please contact your Software Provider for any problem with a specific application or operating system. Additional considerations regarding minimum requirements and End of Life policies from application and operating system vendors are also applicable.