48 Replies, latest reply: Aug 14, 2012 7:20 AM by greatscott

    Virus Scan Policy Best Practices

      I think we should have a sticky here with policy best practices. I know myself and others often find themselves looking for policies for virus scanning, etc...

      Topics we could have:

      1. Virus scan exclusions - too often this information is scattered to the four winds

      2. Virus scan settings - personally I use the DISA guides, but it may be helpful to have detailed setting recommendations here.

      3. EPO Policy settings - Again, having policy setting best practices posted would be helpful. It would be really nice if EPO had a policy import feature based on best practices as well.

      Microsoft has had group policy templates for years, c'mon McAfee, let's get with the program and make EPO a little more friendly on the policy side!
        • 1. RE: Virus Scan Policy Best Practices
          JeffGerard
          /me raises his hand high....damned good idear!!!
          • 2. RE: Virus Scan Policy Best Practices
            tonyb99
            Fine, it's now sticky. (MOD hat on)

            Fill 'em in then...

            As a start I would check out the MS recommended exclusions for DC, PDC and Exchange;
            also there are recommended Citrix exclusions.
            • 3. RE: Virus Scan Policy Best Practices
              SergeM
              Hi,

              Excellent idea. I know we've had a few threads about this already... will look for them later (EOD)

              For a starter, here are a few links from Microsoft sites:

              Virus scanning recommendations for computers that are running Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, or Windows Vista

              I'd also be looking for best/worst practices on logging information. I presently am having more and more DB size issues because we log a lot of information... and I'm afraid if I purge or log less I won't find the necessary information when needed :(

              Serge
              • 4. RE: Virus Scan Policy Best Practices
                Gazz300

                Virus scanning recommendations for computers that are running Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, or Windows Vista

                In summary of the above:

                wsusscn2.cab
                package*.cab
                %windir%\SoftwareDistribution\Datastore\
                %windir%\SoftwareDistribution\Datastore\Datastore.edb
                %windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
                %windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
                %windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
                %windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
                %windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
                %windir%\security\*.edb
                %windir%\security\*.sdb
                %windir%\security\*.log
                %windir%\security\*.chk
                %windir%\softwaredistribution\*.cab
                %windir%\system32\ccm\cache\*.cab
                %windir%\SoftwareDistribution\Datastore\Logs\res1.log
                %windir%\SoftwareDistribution\Datastore\Logs\res2.log
                %windir%\security\database\*.sdb

                I just wish you could feed multiple exclusions into multiple policies in ePO. Maybe 4.5 eh McAfee?
                • 5. RE: Virus Scan Policy Best Practices
                  Gazz300
                  Oh I just found this as well,

                  General exclusions Windows Server 2003, Windows 2000, Windows XP, or Windows Vista:

                  %windir%\ntfrs
                  %windir%\SoftwareDistribution\Datastore\Datastore.edb
                  %windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
                  %windir%\SoftwareDistribution\Datastore\Logs\Res1.log
                  %windir%\SoftwareDistribution\Datastore\Logs\Res2.log
                  %windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
                  %windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb
                  For Windows 2000 & 2003 DC’s
                  %windir%\ntds\Ntds.dit
                  %windir%\ntds\Ntds.pat
                  %windir%\ntds\EDB*.log
                  %windir%\ntds\Res1.log
                  %windir%\ntds\Res2.log
                  %windir%\ntds\Temp.edb
                  %windir%\ntds\Edb.chk
                  %systemroot%\sysvol (only this folder, not all subfolders!!!)
                  %systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
                  %systemroot%\sysvol\staging
                  %systemroot%\sysvol\staging areas
                  %systemroot%\sysvol\sysvol

                  Clusters:
                  %windir%\Cluster
                  Q:\ (quorum)
                  DHCP: %windir%\system32\dhcp
                  DNS: %windir%\system32\dns
                  WINS: %windir%\system32\wins

                  Exchange Server:

                  Cdb.exe
                  Cidaemon.exe
                  Store.exe
                  Emsmta.exe
                  Mad.exe
                  Mssearch.exe
                  Inetinfo.exe
                  W3wp.exe
                  Exchsrvr\Conndata
                  Exchsrvr\Mailroot
                  Exchsrvr\Mdbdata
                  Exchsrvr\Mtadata
                  Exchsrvr\server_name.log
                  Exchsrvr\Srsdata
                  %systemroot%\IIS Temporary Compressed Files
                  %SystemRoot%\System32\Inetsrv
                  All .edb; .stm (on Exchange 2000 Server); .log Exchange files
                  M: drive (on Exchange 2000 Server)
                  SBS:
                  C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail
                  C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail

                  SQL Server: SQL Server data files that have the .mdf extension, the .ldf extension, and the .ndf extension

                  WSUS: MSSQL$WSUS and WSUS content directory

                  References:

                  Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, Windows XP, or Windows Vista
                  http://support.microsoft.com/kb/822158

                  Overview of Exchange Server 2003 and antivirus software
                  http://support.microsoft.com/kb/823166

                  Guidelines for choosing antivirus software to run on the computers that are running SQL Server
                  http://support.microsoft.com/kb/309422

                  Recommended Forefront Client Security file and folder exclusions for Microsoft products
                  http://support.microsoft.com/kb/943556

                  Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file or the Wsusscn2.cab file is copied
                  http://support.microsoft.com/kb/900638

                  Not sure who to credit for this list though, sorry. I saved it in a document a while back and don't recall the source, but sharing is good. :D

                  Gazz.
                  • 6. ePO exclusion entries
                    Ok. So we have this nice list of things to not scan, but how do we go about getting things into the policies? According to the cursory documentation that McAfee provides, there are nice hints that we can put multiple items on the same line separated by spaces.

                    What do you do if you have paths that have spaces?
                    %systemroot%\IIS Temporary Compressed Files

                    So by all assumptions (based of course on the cursory documentation provided) then this would exclude the following items from being scanned:
                    %systemroot%\IIS Temporary
                    %systemroot%\IIS Compressed
                    %systemroot%\IIS Files

                    Which is not what I want.

                    FMI... is there anyone who knows where more detailed documentation is for ePO and VSE? McAfee does not seem to have anything, and I don't want to have to call tech support for every little thing like this.

                    Thanks PCS
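Before an exclusion list like the one posted above is pasted into a policy, it is worth running it through a small checker: it makes the space-in-path problem raised in this post visible, and it flags the entries that widen the attack surface the most (whole directories, and extension wildcards with no directory in front of them, which stop scanning of that file type everywhere). The script below is an added example written for this thread, not McAfee's code and not from any linked KB article; it makes no claim about how ePO or VSE parse a policy field. The sample entries are constructed from the lists in this thread, and the values assumed for %windir% and %systemroot% are fixed in the script so it runs anywhere; on a real host you would read them from the environment.

```python
import re

# Constructed sample in the shape of the lists posted in this thread
# (a handful of Microsoft's recommended exclusions, not the full lists).
SAMPLE_EXCLUSIONS = r"""
%windir%\SoftwareDistribution\Datastore\Datastore.edb
%windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
%windir%\ntds\Ntds.dit
%systemroot%\sysvol
%systemroot%\IIS Temporary Compressed Files
%windir%\softwaredistribution\*.cab
Store.exe
*.log
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail
"""

# Assumed values for the variables the lists use. A real run would take
# these from the target host (os.environ); fixing them keeps the example
# deterministic and runnable on any platform.
DEFAULT_ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows"}

_VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
_PROCESS = re.compile(r"^[\w.-]+\.exe$", re.IGNORECASE)
_EXTENSION = re.compile(r"\.[A-Za-z0-9]{1,5}$")


def expand_vars(entry, env=DEFAULT_ENV):
    """Expand %var% references case-insensitively; unknown vars are left as-is."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), entry)


def classify(entry):
    """Process name, wildcard pattern, directory, or single file."""
    if _PROCESS.match(entry):
        return "process"
    if "*" in entry or "?" in entry:
        return "pattern"
    last = entry.rstrip("\\").rsplit("\\", 1)[-1]
    return "file" if _EXTENSION.search(last) else "directory"


def audit(entry, kind):
    """Return the findings an admin should look at before pushing the entry."""
    findings = []
    if " " in entry:
        # The question in this post: a space may be read as a separator,
        # so confirm the entry lands in the policy as one item.
        findings.append("contains-space")
    if kind == "pattern" and "\\" not in entry:
        # e.g. *.log with no directory: that extension is unscanned everywhere.
        findings.append("unanchored-pattern")
    if kind == "directory":
        # Everything in it is unscanned; check whether subfolders are included
        # (the sysvol entry above is explicitly "this folder only").
        findings.append("whole-directory")
    if kind == "process":
        # Not a filesystem path; it belongs to a process-based exclusion.
        findings.append("process-name")
    return findings


def parse_list(text, env=DEFAULT_ENV):
    """Turn a pasted exclusion list into records with expansion, kind and findings."""
    records = []
    for line in text.splitlines():
        raw = line.strip()
        if not raw:
            continue
        kind = classify(raw)
        records.append({
            "raw": raw,
            "expanded": expand_vars(raw, env),
            "kind": kind,
            "findings": audit(raw, kind),
        })
    return records


if __name__ == "__main__":
    for rec in parse_list(SAMPLE_EXCLUSIONS):
        flags = ", ".join(rec["findings"]) or "-"
        print(f'{rec["kind"]:9} {flags:32} {rec["expanded"]}')
```

The findings are review prompts, not verdicts: an entry such as `%windir%\ntds\Ntds.dit` comes back clean, while `*.log` and any whole-directory entry are exactly the ones to justify in writing before they go into a policy.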
                    • 7. AhHa!
                      Finally, I found a little tiny piece of info on how to correctly use wild cards and create paths.

                      This is what I so enjoy about McAfee. The hunt for the simple answers....

                      https://kc.mcafee.com/corporate/index?page=content&id=KB50998&pmv=print
                      • 8. RE: AhHa!
                        JeffGerard
                        I have found that a lot of trial and error on a local installation is the best way to test wildcards. You never know what results you're going to get without playing around with a stand-alone installation and changing the policies on the fly.
                        • 9. More references
                          SergeM
                          There have already been several threads on similar issues (VSE exclusions), so I'll mention them here for additional reference.

                          VSE and MS SQL : thread 223368

                          Server Exclusions : thread 223361

                          Exclusions for servers : thread 225146

                          enjoy
                          Serge