Configuration Manager Current Branch Antivirus Exclusions


Hey everybody!  My name is Brandon McMillan and I am a System Center Configuration Manager (ConfigMgr) PFE at Microsoft. ConfigMgr Current Branch has been the standard service-based model since December 2015 with the release of version 1511.  You may have noticed that with the continuous improvements, your antivirus exclusions also need to be kept up to date.  I hope this will provide you with the important antivirus exclusions you could implement within a Current Branch environment.

This post consolidates the recommendations from the following KB articles we have released, along with other recommendations you could consider for your environment.  Please reference the following articles for further guidance.

  • KB822158: Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows - Last Review: May 17, 2017 - Revision: 14
  • KB327453: Recommended antivirus exclusions for Configuration Manager 2012 and Current Branch Site Servers, Site Systems, and Clients - Last Review: Jun 29, 2017 - Revision: 34
  • KB309422: How to choose antivirus software to run on computers that are running SQL Server - Last Review: Jun 21, 2017 - Revision: 2
  • KB250355: Antivirus software that is not cluster-aware may cause problems with Cluster Services - Last Review: Dec 15, 2011 - Revision: 1
  • KB817442: A 0-byte file may be returned when compression is enabled on a server that is running IIS - Last Review: May 23, 2014 - Revision: 1
  • KB900638: Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file or the Wsusscn2.cab file is copied - Last Review: Jul 1, 2010 - Revision: 1

Last Updated: July 7th, 2017

KB327453 and KB309422 were recently updated.  The recommended changes have been added.

Important: We recommend that you always test before implementing any of these changes in a production environment.  We strongly encourage you to evaluate the risks that are associated with implementing these changes.  If you choose to implement these changes in your environment, ensure you take any additional precautions necessary.  Please refer to your antivirus vendor’s documentation for further guidance and recommendations.

The recommendations in each section are separated into "Operational" and "Performance" levels.  Operational recommendations should be added to your exclusions list.  Performance recommendations should only be considered if you are experiencing performance issues that may be caused by your antivirus product.

The following information will cover what could be recommended for your environment.

Details on the variables referenced:

  1. <InstallDrive> can be multiple drives in some environments, so it is best to use a wildcard if possible for the antivirus solution you have deployed throughout your environment.  Please refer to your vendor’s documentation for further instructions.
  2. <InstanceName> is the name of the SQL instance you are using in your environment.  Be aware of whether you use named SQL instances or the default instance, "MSSQLServer".
  3. <SQL Version> is the version of SQL you are using in your environment.  The path differs between SQL Server 2005-2008 R2 and SQL Server 2012-2016 for each SQL service referenced, so be aware of which version you have installed.  KB309422 and the article below can provide you with more details.

How to determine the version, edition and update level of SQL Server and its components

Core Exclusions for Supported Versions of Windows

  • Operational
    • %allusersprofile%\NTUser.pol
    • %windir%\Security\Database\*.chk
    • %windir%\Security\Database\*.edb
    • %windir%\Security\Database\*.jrs
    • %windir%\Security\Database\*.log
    • %windir%\Security\Database\*.sdb
    • %windir%\SoftwareDistribution\Datastore\Datastore.edb
    • %windir%\SoftwareDistribution\Datastore\Logs\edb.chk
    • %windir%\SoftwareDistribution\Datastore\Logs\edb*.jrs
    • %windir%\SoftwareDistribution\Datastore\Logs\edb*.log
    • %windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
    • %windir%\System32\GroupPolicy\Machine\Registry.pol
    • %windir%\System32\GroupPolicy\User\Registry.pol

Reference: KB822158

ConfigMgr Core Installation Exclusions (All Versions)

  • Operational
    • <InstallDrive>\Program Files\Microsoft Configuration Manager\Inboxes\*.*
    • <InstallDrive>\Program Files\Microsoft Configuration Manager\Install.map
    • <InstallDrive>\Program Files\Microsoft Configuration Manager\Logs
    • <InstallDrive>\Program Files\SMS_CCM\Logs
    • <InstallDrive>\Program Files\SMS_CCM\ServiceData

Reference: KB327453, SCCM 2012 Antivirus Exclusions

ConfigMgr Core Installation Exclusions (Current Branch Versions)

  • Applicable to 1511+
    • Operational
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\cd.latest
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\EasySetupPayload
    • Performance
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\AdminUIContentPayload
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\AdminUIContentStaging
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\CMUStaging
  • Applicable to 1602+
    • Performance
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\CMUClient
  • Applicable to 1610+
    • Performance
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\PilotingUpgrade
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\RLAStaging
  • Applicable to 1702+
    • Performance
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\CMProviderLog

Reference: KB327453
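As an added example (not code from the original post or from Microsoft), the following PowerShell applies the site server install directory exclusions from the two sections above to Windows Defender, adding the Operational paths always and the Performance paths only when asked, and only for the site versions they apply to. It assumes Windows Defender is the antivirus product, that the Defender cmdlets (Add-MpPreference) are available in an elevated session on the site server, and that the registry value "Installation Directory" under HKLM\SOFTWARE\Microsoft\SMS\Identification holds the install path; the -InstallDir, -SiteVersion, -IncludePerformance and -DryRun parameters are this script's own.

```powershell
# Added example: apply the site server install directory exclusions above
# to Windows Defender. Not code from the original post.
param(
    [string]$InstallDir,            # <InstallDrive>\Program Files\Microsoft Configuration Manager
    [int]$SiteVersion = 1702,       # Current Branch version: 1511, 1602, 1610, 1702
    [switch]$IncludePerformance,    # also add the "Performance" level paths
    [switch]$DryRun                 # list the paths instead of applying them
)

# Resolve the install directory from the site server registry when not supplied
# (assumed location: HKLM\SOFTWARE\Microsoft\SMS\Identification, value "Installation Directory").
if (-not $InstallDir) {
    $id = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Identification' -ErrorAction Stop
    $InstallDir = $id.'Installation Directory'
}

# Relative paths from the post, keyed by the minimum site version they apply to.
$operational = @{ 1511 = @('cd.latest', 'EasySetupPayload') }
$performance = @{
    1511 = @('AdminUIContentPayload', 'AdminUIContentStaging', 'CMUStaging')
    1602 = @('CMUClient')
    1610 = @('PilotingUpgrade', 'RLAStaging')
    1702 = @('CMProviderLog')
}
# "All Versions" Operational paths under the install directory.
$core = @('Inboxes\*.*', 'Install.map', 'Logs')

function Get-ApplicablePaths([hashtable]$Table, [int]$Version) {
    # Emit every entry whose minimum version is at or below the running site version.
    foreach ($entry in $Table.GetEnumerator()) {
        if ($entry.Key -le $Version) { $entry.Value }
    }
}

$relative = @($core) + @(Get-ApplicablePaths $operational $SiteVersion)
if ($IncludePerformance) {
    $relative += @(Get-ApplicablePaths $performance $SiteVersion)
}

foreach ($rel in $relative) {
    $path = Join-Path $InstallDir $rel
    if ($DryRun) {
        Write-Output "Would exclude: $path"
    } else {
        Add-MpPreference -ExclusionPath $path
        Write-Output "Excluded: $path"
    }
}
```

Run it once with -DryRun to review the resolved paths before applying them, and pass -InstallDir explicitly on a site system where the registry value is not present. Keeping the Performance paths behind a switch mirrors the post's guidance that they are only worth adding when antivirus scanning is actually causing a performance problem.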

ConfigMgr Content Library Exclusions

  • Operational
    • <InstallDrive>\SMS_DP$
    • <InstallDrive>\SMSPKG<DriveLetter>$
    • <InstallDrive>\SMSPKG
    • <InstallDrive>\SMSPKGC$
    • <InstallDrive>\SMSPKGSIG
    • <InstallDrive>\SMSSIG$
  • Performance
    • <InstallDrive>\SCCMContentLib
    • <InstallDrive>\<ConfigMgr Backup Directory>
      • Ex. D:\SCCMBackup
    • <InstallDrive>\<ConfigMgr Package Source Files>
      • Ex. D:\SCCMSource

Reference: KB327453

ConfigMgr Imaging Exclusions

  • Operational
    • <InstallDrive>\ConfigMgr_OfflineImageServicing
    • %windir%\TEMP\BootImages
  • Performance
    • %SystemDrive%\_SMSTaskSequence

Reference: SCCM 2012 Antivirus Exclusions

ConfigMgr Process Exclusions

  • Operational
    • Client Side
      • %windir%\CCM\Ccmexec.exe
      • %windir%\CCM\CmRcService.exe
      • %windir%\CCM\Ccmrepair.exe
      • %windir%\CCM\Ccmsetup.exe
    • Server Side
      • %windir%\CCM\Ccmexec.exe
      • %windir%\SMS_CCM\Ccmexec.exe
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Cmupdate.exe
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Sitecomp.exe
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Smsexec.exe
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Smssqlbkup.exe
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Smswriter.exe
      • <InstallDrive>\SMS_<SQLFQDN>\bin\x64\Smssqlbkup.exe

Reference: KB327453

ConfigMgr Client Exclusions

  • Operational
    • %windir%\CCM\*.sdf
    • %windir%\CCM\Logs
    • %windir%\CCM\ServiceData
    • %windir%\CCMCache
    • %windir%\CCMSetup

Reference: KB327453

SQL Server Exclusions

  • Operational
    • SQL Server Process Exclusions
      • SQLServr.exe
        • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\MSSQL\Binn\SQLServr.exe
      • ReportingServicesService.exe
        • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
      • MSMDSrv.exe
        • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\OLAP\Bin\MSMDSrv.exe
    • SQL Server data files
      • *.mdf
      • *.ldf
      • *.ndf
    • SQL Server backup files
      • *.bak
      • *.trn
    • SQL Audit files
      • *.sqlaudit
      • *.sql
    • Analysis Services data files
      • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\OLAP\Backup
      • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\OLAP\Log
    • Full-Text catalog files
      • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\MSSQL\FTData
    • Windows Failover Clustering (If applicable)
      • <Quorum Drive> (Ex. Q:\)
      • %windir%\Cluster

References: KB309422, KB250355
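The <SQL Version> and <InstanceName> placeholders explained at the top of the post, and the SQL Server list above, can be filled in from the registry rather than by hand. As an added example (not code from KB309422 or from the post), the following PowerShell discovers the database engine instances on the site database server, builds the SQLServr.exe process exclusion and the Full-Text catalog path for each, adds the data, backup and audit file extensions, and includes the cluster directory only when the Cluster Service is present. It assumes Windows Defender in an elevated session, the registry layout HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL (instance name to <SQL Version>.<InstanceName> id) and <id>\Setup with SQLBinRoot and SQLDataRoot values; Analysis Services and Reporting Services are not covered, and the -DryRun and -QuorumDrive parameters are this script's own.

```powershell
# Added example: build the SQL Server exclusions above from the registry.
# Not code from the original post or from KB309422. Database engine only.
param(
    [switch]$DryRun,          # list instead of applying
    [string]$QuorumDrive      # e.g. 'Q:\' on a failover cluster node; left empty otherwise
)

# Extension exclusions straight from the list above (data, backup and audit files).
$extensions = @('mdf', 'ldf', 'ndf', 'bak', 'trn', 'sqlaudit', 'sql')

# Instance Names\SQL maps <InstanceName> to the <SQL Version>.<InstanceName> id
# used for the folder and registry key, e.g. MSSQLSERVER -> MSSQL13.MSSQLSERVER.
$sqlRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$map = Get-ItemProperty (Join-Path $sqlRoot 'Instance Names\SQL') -ErrorAction Stop

$processes = @()
$paths = @()
foreach ($prop in $map.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, ...
    $instanceId = $prop.Value
    $setup = Get-ItemProperty (Join-Path $sqlRoot "$instanceId\Setup") -ErrorAction Stop
    # SQLBinRoot is ...\<id>\MSSQL\Binn and SQLDataRoot is ...\<id>\MSSQL
    $processes += Join-Path $setup.SQLBinRoot 'sqlservr.exe'
    $paths     += Join-Path $setup.SQLDataRoot 'FTData'     # Full-Text catalog files
    Write-Output ("Instance {0} resolved to {1}" -f $prop.Name, $instanceId)
}

# Windows Failover Clustering paths apply only where the Cluster Service exists.
if (Get-Service -Name ClusSvc -ErrorAction SilentlyContinue) {
    $paths += Join-Path $env:windir 'Cluster'
    if ($QuorumDrive) { $paths += $QuorumDrive }
}

function Invoke-Exclusion([string]$Kind, [string[]]$Values) {
    # Apply (or, with -DryRun, print) one exclusion per value of the given kind.
    foreach ($v in $Values) {
        if ($DryRun) { Write-Output "Would exclude $Kind : $v"; continue }
        switch ($Kind) {
            'Process'   { Add-MpPreference -ExclusionProcess $v }
            'Path'      { Add-MpPreference -ExclusionPath $v }
            'Extension' { Add-MpPreference -ExclusionExtension $v }
        }
        Write-Output "Excluded $Kind : $v"
    }
}

Invoke-Exclusion 'Process'   $processes
Invoke-Exclusion 'Path'      $paths
Invoke-Exclusion 'Extension' $extensions
```

Because the extension rules apply to every file with those extensions wherever it lives, check the -DryRun output against the instances you expect to see before applying; an unexpected instance id is the quickest sign that a named instance was added without the exclusion list being revisited.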

IIS Exclusions

  • Operational
    • IIS Compressed Files
      • IIS 6.0:
        • %SystemRoot%\IIS Temporary Compressed Files
      • IIS 7.0+:
        • %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
    • IIS Worker Process
      • %windir%\System32\inetsrv\w3wp.exe
      • %windir%\SysWOW64\inetsrv\w3wp.exe

Reference: KB817442

WSUS Exclusions

  • Operational
    • %SystemRoot%\SoftwareDistribution\Datastore
    • %SystemRoot%\SoftwareDistribution\Download
    • %ProgramFiles%\Update Services\LogFiles\WSUSTemp
    • <InstallDrive>\WSUS\UpdateServiceDBFiles
    • <InstallDrive>\WSUS\WSUSContent

Reference: Designed for Optimized Performance, Windows Exclusions for Windows Defender

WSUS Offline Scanning Exclusions - Microsoft Baseline Security Analyzer (MBSA)

NOTE: There are four distinct methods to choose from when using MBSA and WSUS offline scanning.  Method 1 carries the least risk.  If this method does not work for you, we recommend Method 2.  Methods 3 and 4 may increase your security risk; use them only if required, and take the necessary precautions.

  • Method 1:
    • Exclude the following files from scanning:
      • Wsusscan.cab
      • Wsusscn2.cab
  • Method 2:
    • Exclude all *.cab files from scanning
  • Method 3:
    • Exclude all archived files from antivirus scanning
      • %windir%\SoftwareDistribution\ScanFile
  • Method 4:
    • Exclude the folder where the Wsusscan.cab file or the Wsusscn2.cab file is located
    • Exclude the path of the Wsusscan.cab file or the Wsusscn2.cab file on the local computer

References: KB900638, MBSA, Wsusscn2.cab

I received a lot of feedback on this post and I wanted to highlight the contributions from the following individuals: Max Baldt, David Coulter, Aaron Ellison, and Julie Andreacola.

Special thanks to Kevin Kasalonis, Cameron Cox, Clifton Hughes, Rushi Faldu, and Santos Martinez.

Thank you!

Brandon McMillan, Premier Field Engineer

Additional References:

  1. Microsoft All Inclusive Exclusion List: http://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx
  2. Configuration Manager 2012 Antivirus Exclusions: https://blogs.technet.microsoft.com/systemcenterpfe/2013/01/11/updated-system-center-2012-configuration-manager-antivirus-exclusions-with-more-details-on-osd-and-boot-images-etc/
  3. Configuration Manager 2007 Antivirus Exclusions: https://blogs.technet.microsoft.com/configurationmgr/2010/11/30/configmgr-2007-antivirus-scan-and-exclusion-recommendations/
  4. What Has Changed in Configuration Manager 2012: https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/what-has-changed-from-configuration-manager-2012
  5. Windows Exclusions for Windows Defender: https://docs.microsoft.com/en-us/windows-server/security/windows-defender/automatic-exclusions-for-windows-defender

Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples are subject to the terms specified in the Terms of Use.

Comments (2)

  1. Scott Metzel says:

    Thank you for the concise list and for breaking down the exclusions by version; it's great to have this in one spot. Could this be published on docs.microsoft.com as part of the standard ConfigMgr documentation and kept up to date as new versions are released / as things change?

    1. BK McMillan says:

      Hey Scott! Thank you for the feedback. I really appreciate it. That is the end state goal. In the meantime, I did add this to the Microsoft Antivirus Exclusion Wiki page. http://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx
