Hobbycode

All too often I run into corporate anti virus solutions without any exclusions configured. Exclusions are critical to ensuring that the real time scanners do not interfere with crucial Windows or application functions.

When the real time scanner of any anti virus application scans a file prior to reading or writing it, it locks the file to ensure it has exclusive access. If Windows attempts to access this file while it is locked by AV, seriously bad things can happen. I’ve had to restore more than one Active Directory and Exchange database because of this. Sadly, each case could have been avoided.

What follows are the virus exclusions recommended by Microsoft. Below each list is a reference KB article discussing the topic in greater detail.

Feel free to add your comments or links to other recommended exclusions. I’ll keep this post updated to maintain a comprehensive listing.

All Servers and Workstations

• %windir%\SoftwareDistribution\Datastore

Reference: KB822158

Domain Controllers

• %windir%\ntds
• %windir%\ntfrs
• %systemroot%\sysvol

Reference: KB822158

Exchange Server

• Drive M (Only Exchange 2000)
• Exchsrvr folder
• %SystemRoot%\System32\Inetsrv

Reference: KB328841

IIS

• %systemroot%\IIS Temporary Compressed Files(IIS 6)
• %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files (IIS 7)

Reference: KB817442

ISA Server

• Program Files\Microsoft ISA Server

Reference: KB887311

Sharepoint

• \Program Files\SharePoint Portal Server
• \Program Files\Common Files\Microsoft Shared\Web Storage System
• \Windows\Temp\Frontpagetempdir

Reference: KB320111

SQL Server

• SQL Server data files: *.mdf, *.ldf, *.ndf
• SQL Server backup files: *.bak, *.trn
• Full text catalog files
• Analysis Services: \Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data
• Analysis Services Backup: \Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Backup
• Analysis Services Logs: \Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Log.
• SQL Server Cluster
  • Q:\ (Quorum drive)
  • C:\windows\cluster

Reference: KB309422

Virtual Server

• Vssrvc.exe process (Virtual Server 2005
• Virtual PC.exe process (Virtual Server 2004)
• File type exclusions: *.vhd, *.vmc, *.vsv, *.vud, *.vfd, *.iso

Reference: KB840193

MSMQ

• %WinDir%\system32\MSMQ

References:

• KB943556
• http://www.sbsfaq.com
• http://myitforum.com
• http://seer.entsupport.symantec.com/docs/284807.htm

I recently discovered something about Windows Server 2003 I had never seen before.  It’s called Terminal Services Web Connection. 

As a network consultant, I routinely connect remotely to servers inside my clients’ networks.  The most frustrating part however, is when a client has more than one server. 

If there is just one server you can simply NAT port 3389 through the firewall to that server, and RDP as you please.  If the client has more than one, then I have to remote to the first server, then remote again to the other server. 

This can be alleviated with Terminal Services Web Connection.  It can be installed from the Add/Remove Windows Components control panel applet.  You’ll find it under:

Application Server –> Internet Information Services (IIS) –> World Wide Web Service –> Remote Desktop Web Connection. 

Once installed, maneuver to http://<servername>/tsweb

This page has but one field.  Enter the server name you wish to connect to.  Voila!  Instant RDP connection to any server on the network!

Hope that helps

–cheers

Servers from HP, Dell, IBM and many other big name manufacturers, come with at least two or more Network Interface Cards built-in.  Lately though, I have come to realize most network administrators do not know how to benefit from duel NIC’s.  Frequently, one of the NIC’s are simply disabled or not cabled up.  Occasionally, I will see a good effort made to make the most of it, but that’s pretty rare.

Read more…