Recommended Antivirus Exclusions for Windows
It is important to balance a secure, virus-free server environment against the reliability and performance of each server and application. Virus scanning is often a cause of performance issues: without properly configured antivirus exclusions, contention or file locking may cause outages of applications and services. For example, the antivirus software may lock the collect files generated during a backup job.
Additionally, most virus scanning engines include real-time scanning of some type, enabled as a default profile. This might introduce performance issues or possible job failures during normal backup, restore and other Commvault actions.
This document covers the required directories to be excluded from antivirus scanning.
- Performance problems on CommCell backup jobs and unknown backup failures may be due to Host-based Intrusion Prevention Systems (HIPS).
- If you experience performance and consistency issues with SQL Server when certain modules are loaded into the server, see Microsoft KB 2033238.
List of Exclusions
To avoid issues introduced by the antivirus software, we recommend that you implement exclusions for the directory structures from the read, write and scan options, depending on company policies.
The information provided is not a complete list of exclusions, because the product may change with updates, versions, and innovation to existing or new software modules. It is recommended that you test the software's features, monitor the processes and how they interact with the antivirus software during normal operations, and work with the antivirus software vendor to configure and tune the antivirus software properly. The goal is to allow normal backup and restore operations, so that the rules and schedules for antivirus operations do not interfere with, impede or prevent successful backup.
- Make sure that the antivirus scans are not scheduled during backup operations.
- Make sure that the on-demand antivirus scans are not run during backup operations.
Exclude the following installation paths. Some of these folders may be moved outside the default installation directory.
Note: If you have upgraded your software from the previous version, then the ContentStore directory appears as Simpana.
|CommServe, client, and MediaAgent Installation Paths||
|Additional MediaAgent Paths||
|Content Indexing and Search||
Note: 7z.exe, zip.exe, unzip.exe, javaw.exe, java.exe and the Java Program Files folders are used by CommCell Console on the CommServe, CommCell Console Web GUI, CommCell Chat, Content Indexing and Search and any workstations accessing the Stand Alone Console or the Web GUI. If these executables and folders are scanned by the antivirus software, it may cause some issues with the Console GUI.
For all the processes listed, the names may be truncated to 15 characters for legacy operating systems and antivirus applications to work properly. Contact the operating system or antivirus vendor to understand their software limitations.
You can view the services installed by the software using the following links:
- For Microsoft recommendations on antivirus exclusion for current operating systems, refer to Microsoft KB article 822158.
- For standard Microsoft recommendations for Servers running SQL Server, see Microsoft KB article 309422.
- For more information on issues caused by antivirus software on Cluster Services that are not cluster aware, refer to Microsoft KB article 250355.
- For more information on configuring and viewing FEP Group Policy settings, see Configuring and Viewing FEP Group Policy Settings.
- For more information on Symantec standard recommendations for Servers to create exceptions, see Creating Centralized Exceptions in Symantec Endpoint Protection Manager 11, Creating Centralized Exceptions in Symantec Endpoint Protection Manager 12.x, and How to add a Security Risk Exception in the Symantec Endpoint Protection Manager.
- For McAfee standard recommendations for Servers to create exceptions, see Virus Scan Enterprise exclusions (Master Article).
- For Sophos standard recommendations for Servers to create exceptions, see Recommended vendor exclusions for use with Sophos products, How to: Exclude items from scanning, and Files and folder exclusions do not work.
Implementing the antivirus exclusions described in this document may increase the vulnerability of computers or the network to attack by malicious users, malware or viruses. Before making these changes, it is recommended that you evaluate the attack vulnerability risks associated with implementing these settings. Whether to implement the guidelines recommended in this document is at the discretion of the reader and subject to their company's policies.
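A review of a proposed exclusion list before it goes into antivirus policy, as an added example that is not part of the vendor's documentation: it flags path entries broader than a single folder and process entries, such as java.exe, that are listed by name only or are longer than the 15-character limit mentioned above. The `D:\BackupApp` paths and `ExampleLongServiceName.exe` are constructed placeholders, not paths or process names from this document.

```powershell
# Added example: flag exclusion entries that are wider than the backup software needs.
function Test-AvExclusion {
    param(
        [string[]]$Path = @(),      # folder exclusions to review
        [string[]]$Process = @()    # process exclusions to review
    )

    foreach ($entry in $Path) {
        $issues = @()
        $p = $entry.TrimEnd('\')
        if ($p -match '^[A-Za-z]:$') { $issues += 'excludes an entire drive' }
        if ($p -match '[*?]')        { $issues += 'wildcard matches more than one folder' }
        if ($p -match '\\(Temp|Users|Downloads)(\\|$)') { $issues += 'user-writable location' }
        [pscustomobject]@{
            Kind   = 'Path'
            Entry  = $entry
            Issues = if ($issues) { $issues -join '; ' } else { 'ok' }
        }
    }

    foreach ($entry in $Process) {
        $issues = @()
        $name = Split-Path -Path $entry -Leaf
        # A bare file name is not pinned to the install folder of the backup software.
        if ($name -eq $entry)    { $issues += 'name only: not pinned to the install folder' }
        # Legacy operating systems and AV products may need the truncated form.
        if ($name.Length -gt 15) { $issues += 'over 15 characters: check truncation with the AV vendor' }
        [pscustomobject]@{
            Kind   = 'Process'
            Entry  = $entry
            Issues = if ($issues) { $issues -join '; ' } else { 'ok' }
        }
    }
}

# Constructed sample input (placeholders, see the lead-in).
$paths = 'D:\BackupApp\ContentStore', 'C:\', 'D:\BackupApp\*\Temp'
$procs = 'java.exe', 'D:\BackupApp\Base\ExampleLongServiceName.exe'

Test-AvExclusion -Path $paths -Process $procs | Format-Table -AutoSize
```

On a host protected by Microsoft Defender, the live policy can be reviewed the same way by passing `(Get-MpPreference).ExclusionPath` and `(Get-MpPreference).ExclusionProcess`; for other products, export the exclusion list from the vendor's management console.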
Minor revisions and/or service packs that are released by application and operating system vendors are supported by our software. We will provide information on any known caveat for the revisions and/or service packs. In some cases, these revisions and/or service packs affect the working of our software. Changes to the behavior of our software resulting from an application or operating system revision/service pack may be beyond our control. The older releases of our software may not support the platforms supported in the current release. However, we will make every effort to correct the behavior in the current or future releases when necessary. Please contact your Software Provider for any problem with a specific application or operating system.
Additional considerations regarding minimum requirements and End of Life policies from application and operating system vendors are also applicable.