Recommended Antivirus Exclusions for Windows


It is important to achieve a balance between ensuring a secure and virus-free server environment, while not interfering with the reliability and performance of each server or application. Virus scanning is often a cause of performance issues because lack of properly configured antivirus exclusions may cause outages of applications and services due to contention or file locking. For example, the antivirus software may lock the collect files generated during a backup job.

Additionally, most virus scanning engines include real-time scanning of some type, enabled as a default profile. This might introduce performance issues or possible job failures during normal backup, restore and other Commvault actions.

This document covers the required directories to be excluded from antivirus scanning.


  • CommCell performance on backup jobs and unknown backup failures may be due to Host-based Intrusion Prevention Systems (HIPS).

  • If you experience performance and consistency issues with SQL server when certain modules are loaded into the server, see Microsoft KB 2033238.

List of Exclusions

To avoid issues introduced by the antivirus software, we recommend you to implement exclusions for the directory structures from read, write and scan options depending on the company policies.

The information provided is not a complete list of exclusions as the product may change with updates, versions, and innovation to existing or new software modules. It is recommended to test the functions of the software's features and monitor the processes and how they interact with the antivirus software during normal operations and work with the antivirus software vendor to achieve proper configuration and tuning of the antivirus software. The goal is to allow normal backup and restore operations so that the rules and schedules for the antivirus software operations do not interfere, impede or prevent successful backup.


  • Make sure that the antivirus scans are not scheduled during backup operations.

  • Make sure that the on-demand antivirus scans are not run during backup operations.

Exclude the following installation paths. Some of these folders might be configured outside the default installation directory.



File Extensions to Exclude

CommServe, Client, and MediaAgent Installation Paths

  • software_installation_path\Commvault

  • C:\ProgramData\Commvault Systems

  • Updates Cache (SoftwareCache) folder with CVPackages and CVUpdates subfolders on the CommServe

  • DR backup set (CS_DR) directories on the CommServe

  • Job Results folder

  • Index Cache folder

For Index Cache folder, exclude the following file extensions from antivirus scan:

.conf; .dbinfo; .dbviewprops; .dblog; .dat; .idx; .dirty; .cfg; .lic; .fcs; .info; .al; .cmt; .csv; .livelogprops; .xml; .bmp.7z; .cvf.7z; .cvf; .txt; .dbs; .fct; .cvf.rfczip; *locks*

Additional MediaAgent Paths

  • Disk libraries (CV_MAGNETIC folder)

    Note: If you use a UNC path to access the magnetic libraries, exclude the UNC path as well.

  • Deduplication engines (CV_SIDB folder)

  • Deduplication databases

    Get the deduplication database location from the CommCell Console, in the MediaAgent's Properties dialog box, on the Deduplication tab.

For disk libraries (CV_MAGNETIC folder), exclude the following file extensions from antivirus scan:

*.lck; *.compact2; *.fcs.*; *.idx; *.dat; *.fct; *.csivolume; *.prunable; *.xml; *.bak; *SFILE*; *CHUNK*; *MEDIA*; *SFILE*; *CHUNK*; *MEDIA*

For deduplication engines (CV_SIDB folder), exclude the following file extensions from antivirus scan:

*.dbinfo; *.dbViewProps; *.csv; *.cfg; *.dbLog; *.lic

Virtual Server Agent

VMware VDDK path (vmware-SYSTEM folder)

SharePoint Agent

Temp folder path

Example: C:\Users\Commvault Services account\AppData\Local\Temp

Content Indexing and Search

  • Exclude the entire CI Engine install folders (CIServer and CVCIEngine folders)

  • Solr folder path

  • CI Index folder path

  • Web Server Cache Directory


Outlook Add-In with ContentStore Email Viewer

On computers where Outlook Add-In with ContentStore is installed, exclude the following folders:

  • C:\ProgramData\SoftwareCache\

  • C:\Program Files\CVArchiverAddin or C:\Program Files (x86)\CVArchiverAddin

  • %appdata%\CVProvider

  • If the LITE mode cache location is a shared location, exclude the UNC path of the cache


CDR Replication Logs path

Note: 7z.exe, zip.exe, unzip.exe, javaw.exe, java.exe and the Java Program Files folders are used by CommCell Console on the CommServe, CommCell Console Web GUI, CommCell Chat, Content Indexing and Search and any workstations accessing the Stand Alone Console or the Web GUI. If these executables and folders are scanned by the antivirus software, it may cause some issues with the Console GUI.


For all the processes listed, the names may be truncated to 15 characters for legacy operating systems and antivirus applications to work properly. Contact the operating system or antivirus vendor to understand about their software limitations.

You can view the services installed by the software using the following links:

External References

  1. For Microsoft recommendations on antivirus exclusion for current operating systems, refer to Microsoft KB article 822158.

  2. For standard Microsoft recommendations for Servers running SQL Server, see Microsoft KB article 309422.

  3. For more information on issues caused by antivirus software on Cluster Services that are not cluster aware, refer to Microsoft KB article 250355.

  4. For more information on configuring and viewing FEP Group Policy settings, see Configuring and Viewing FEP Group Policy Settings.

  5. For more information on Symantec standard recommendations for Servers to create exceptions, see Creating Centralized Exceptions in Symantec Endpoint Protection Manager 11", Creating Centralized Exceptions in Symantec Endpoint Protection Manager 12.x, and How to add a Security Risk Exception in the Symantec Endpoint Protection Manager.

  6. For McAfee standard recommendations for Servers to create exceptions, see Virus Scan Enterprise exclusions (Master Article).

  7. For Sophos standard recommendations for Servers to create exceptions, see Recommended vendor exclusions for use with Sophos products, How to: Exclude items from scanning, Files and folder exclusions do not work.

  8. For Windows Defender, UNC paths are not scanned by default. If you have configured Windows Defender to scan UNC paths, run the Microsoft Powershell script to exclude the paths from being scanned. For more information on Windows Defender scanning options, see Configure Microsoft Defender Antivirus scanning options.


Implementing the anti-virus exclusions described in this document may increase the attack vulnerability risk to computers or network by malicious users or by malware or viruses. Before making these changes, it is recommended that the attack vulnerability risks that are associated with implementing these settings be evaluated. It is up to the discretion of the reader's and their company's policies whether to implement the guidelines recommended within this document.

Minor revisions and/or service packs that are released by application and operating system vendors are supported by our software. We will provide information on any known caveat for the revisions and/or service packs. In some cases, these revisions and/or service packs affect the working of our software. Changes to the behavior of our software resulting from an application or operating system revision/service pack may be beyond our control. The older releases of our software may not support the platforms supported in the current release. However, we will make every effort to correct the behavior in the current or future releases when necessary. Please contact your Software Provider for any problem with a specific application or operating system.

Additional considerations regarding minimum requirements and End of Life policies from application and operating system vendors are also applicable.