Virus Scan Policy Best Practices

I think we should have a sticky here with policy best practices. I know myself and others often find themselves looking for policies for virus scanning, etc...

Topics we could have:

1. Virus scan exclusions - too often this information is scattered to the four winds

2. Virus scan settings - personally I use the DISA guides, but it may be helpful to have detailed setting recommendations here.

3. EPO Policy settings - Again, having policy setting best practices posted would be helpful. It would be really nice if EPO had a policy import feature based on best practices as well.

Microsoft has had group policy templates for years, c'mon McAfee, let's get with the program and make EPO a little more friendly on the policy side!
48 Replies

RE: Virus Scan Policy Best Practices

/me raises his hand high....damned good idear!!!
tonyb99

RE: Virus Scan Policy Best Practices

Fine, it's now sticky. (MOD hat on)

Fill 'em in then.........

As a start I would check out the MS recommended exclusions for DC and PDC and Exchange;
also there are recommended Citrix exclusions.
SergeM

RE: Virus Scan Policy Best Practices

Hi,

Excellent idea. I know we've had a few threads about this already... will look for them later (EOD)



For a starter, here are a few links from Microsoft sites :

Virus scanning recommendations for computers that are running Windows Server 2008, Windows Server 20...

I'd also be looking for best/worst practices on logging information. I presently am having more and more DB size issues because we log a lot of information... and I'm afraid if I purge or log less I won't find the necessary information when needed 😞

Serge
Gazz300

RE: Virus Scan Policy Best Practices


Virus scanning recommendations for computers that are running Windows Server 2008, Windows Server 20...

In summary of the above:

wsusscn2.cab
package*.cab
%windir%\SoftwareDistribution\Datastore\
%windir%\SoftwareDistribution\Datastore\Datastore.edb
%windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
%windir%\security\*.edb
%windir%\security\*.sdb
%windir%\security\*.log
%windir%\security\*.chk
%windir%\softwaredistribution\*.cab
%windir%\system32\ccm\cache\*.cab
%windir%\SoftwareDistribution\Datastore\Logs\res1.log
%windir%\SoftwareDistribution\Datastore\Logs\res2.log
%windir%\security\database\*.sdb

I just wish you could feed multiple exclusions into multiple policies in ePO. Maybe 4.5 eh McAfee?
Gazz300

RE: Virus Scan Policy Best Practices

Oh I just found this as well,

General exclusions for Windows Server 2003, Windows 2000, Windows XP, or Windows Vista:

%windir%\ntfrs
%windir%\SoftwareDistribution\Datastore\Datastore.edb
%windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
%windir%\SoftwareDistribution\Datastore\Logs\Res1.log
%windir%\SoftwareDistribution\Datastore\Logs\Res2.log
%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb
For Windows 2000 & 2003 DCs:
%windir%\ntds\Ntds.dit
%windir%\ntds\Ntds.pat
%windir%\ntds\EDB*.log
%windir%\ntds\Res1.log
%windir%\ntds\Res2.log
%windir%\ntds\Temp.edb
%windir%\ntds\Edb.chk
%systemroot%\sysvol (only this folder, not all subfolders!!!)
%systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
%systemroot%\sysvol\staging
%systemroot%\sysvol\staging areas
%systemroot%\sysvol\sysvol

Clusters:
%windir%\Cluster
Q:\ (quorum)
DHCP: %windir%\system32\dhcp
DNS: %windir%\system32\dns
WINS: %windir%\system32\wins

Exchange Server:

Cdb.exe
Cidaemon.exe
Store.exe
Emsmta.exe
Mad.exe
Mssearch.exe
Inetinfo.exe
W3wp.exe
Exchsrvr\Conndata
Exchsrvr\Mailroot
Exchsrvr\Mdbdata
Exchsrvr\Mtadata
Exchsrvr\server_name.log
Exchsrvr\Srsdata
%systemroot%\IIS Temporary Compressed Files
%SystemRoot%\System32\Inetsrv
All .edb; .stm (on Exchange 2000 Server); .log Exchange files
M: drive (on Exchange 2000 Server)
SBS:
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail

SQL Server: SQL Server data files that have the .mdf extension, the .ldf extension, and the .ndf extension

WSUS: MSSQL$WSUS and WSUS content directory

References:

Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, Windows XP, or Windows Vista
http://support.microsoft.com/kb/822158

Overview of Exchange Server 2003 and antivirus software
http://support.microsoft.com/kb/823166

Guidelines for choosing antivirus software to run on the computers that are running SQL Server
http://support.microsoft.com/kb/309422

Recommended Forefront Client Security file and folder exclusions for Microsoft products
http://support.microsoft.com/kb/943556

Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file or the Wsusscn2.cab file is copied
http://support.microsoft.com/kb/900638

Not sure who to credit for this list though, sorry. I saved it in a document a while back and don't recall the source, but sharing is good. 😄

Gazz.
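As an added example (not from this thread and not McAfee code), the Python script below audits a posted exclusion list for the entries that cost the most detection coverage: whole-drive exclusions, process exclusions matched by executable name, and wildcards that are not anchored to a directory. The sample entries are a constructed subset of the lists above; the `%windir%`/`%systemroot%` expansion table and the risk rules are this script's own assumptions, not product behaviour.

```python
"""Audit an antivirus exclusion list for entries that weaken coverage.

Added example; the sample list is a constructed subset of the exclusions
posted in this thread and the risk rules are heuristics, not product rules.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the exclusions quoted above.
SAMPLE_EXCLUSIONS = [
    r"%windir%\SoftwareDistribution\Datastore\Datastore.edb",
    r"%windir%\softwaredistribution\*.cab",
    r"%windir%\ntds\EDB*.log",
    r"%systemroot%\sysvol",
    "Q:\\",                # cluster quorum drive
    "M:",                  # Exchange 2000 IFS drive
    "Store.exe",
    "W3wp.exe",
    "*.edb",
    r"Exchsrvr\Mdbdata",
    r"C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail",
]

# Assumed expansion of the environment variables used in the lists; adjust per host.
ENV_VARS = {"windir": r"C:\Windows", "systemroot": r"C:\Windows"}


@dataclass
class Finding:
    entry: str
    kind: str    # drive | process | pattern | file | dir
    risk: str    # low | medium | high
    reason: str


def expand(entry: str) -> str:
    """Expand %VAR% tokens using ENV_VARS; unknown variables are left in place."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV_VARS.get(m.group(1).lower(), m.group(0)),
                  entry)


def classify(entry: str) -> str:
    """Bucket an entry by what it excludes (heuristic, based on its shape)."""
    e = expand(entry)
    if re.fullmatch(r"[A-Za-z]:\\?", e):
        return "drive"
    if re.fullmatch(r"[^\\/]+\.exe", e, re.IGNORECASE):
        return "process"
    if "*" in e or "?" in e:
        return "pattern"
    leaf = e.rstrip("\\").rsplit("\\", 1)[-1]
    return "file" if "." in leaf else "dir"


def is_anchored(path: str) -> bool:
    """True when the expanded path starts with a drive letter or a UNC prefix."""
    return bool(re.match(r"([A-Za-z]:\\|\\\\)", path))


def assess(entry: str) -> Finding:
    """Assign a risk level: the broader the blind spot, the higher the risk."""
    kind = classify(entry)
    e = expand(entry)
    if kind == "drive":
        return Finding(entry, kind, "high", "entire volume is never scanned")
    if kind == "process":
        return Finding(entry, kind, "high",
                       "matched by executable name only; any binary with this "
                       "name in any location inherits the exclusion")
    if kind == "pattern" and not is_anchored(e):
        return Finding(entry, kind, "high",
                       "unanchored wildcard excludes matches on every path")
    if not is_anchored(e):
        return Finding(entry, kind, "medium",
                       "relative path; confirm how the scanner anchors it")
    if kind == "pattern":
        return Finding(entry, kind, "medium",
                       "wildcard scoped to one directory; review what else matches")
    return Finding(entry, kind, "low", "explicit path")


def audit(entries):
    return [assess(x) for x in entries]


def summarize(entries):
    """Count findings per risk level, e.g. {'high': 5, 'medium': 3, 'low': 3}."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in audit(entries):
        counts[f.risk] += 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_EXCLUSIONS):
        print(f"{f.risk:6} {f.kind:8} {f.entry}  ({f.reason})")
    print(summarize(SAMPLE_EXCLUSIONS))
```

Run it over a list before importing it into a policy; the high entries are the ones a review should justify one by one. A process exclusion by name is the usual surprise: it does not just cover the Exchange binary in its install directory but any executable that carries the same name, so a dropped `Store.exe` elsewhere on disk inherits the exemption.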

Re: RE: Virus Scan Policy Best Practices

Just to comment on the logging part of your post....

Whenever I do a new install for a customer, I intentionally get them started by logging everything. Literally, set the Event filtering off. Then use the sudden and painful tidal wave of data to demonstrate how to write queries to purge event data and why or why not filtering certain events out completely would be a bad idea.

Most customers ultimately decide that they can write a few queries to handle the chatty informational events like 'service started' and 'scan completed'. It is generally much better to let customers determine what their comfort level is regarding purging/filtering data. There is no blanket rule for this.

In general, low-severity events wind up being purged at an interval long enough to allow troubleshooting. Sometimes just a few days or a week. Then from there it's a question of what the database server can handle. If you do incremental backup daily, and do a weekly full backup\rebuild\reindex, then you should be in fairly good shape.

Oh yeah! And of course, please consider all company policies and government-mandated logging requirements for the retention of data regarding security incidents.

ePO exclusion entries

Ok. So we have this nice list of things to not scan, but how do we go about getting things into the policies? According to the cursory documentation that McAfee provides, there are nice hints that we can put multiple items on the same line separated by spaces.

What do you do if you have paths that have spaces?
%systemroot%\IIS Temporary Compressed Files

So by all assumptions (based of course on the cursory documentation provided) then this would exclude the following items from being scanned:
%systemroot%\IIS Temporary
%systemroot%\IIS Compressed
%systemroot%\IIS Files

Which is not what I want.

FMI... is there anyone who knows where more detailed documentation is for ePO and VSE? McAfee does not seem to have anything and I don't want to have to call tech support for every little thing like this.

Thanks PCS
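To make the tokenisation problem in the post above concrete, here is an added Python example (not McAfee code, and not the rule from any McAfee knowledge base article): a plain whitespace split versus a quote-aware split over a constructed policy line. The double-quote convention is an assumption for the illustration only; check the product's own documentation for the syntax it actually accepts.

```python
"""Why space-separated exclusion entries break on paths that contain spaces.

Added example. The policy line is constructed, and the double-quote
convention is assumed for illustration rather than taken from product docs.
"""

# Constructed policy line: three exclusions, one of which contains spaces.
LINE = r'%windir%\ntfrs "%systemroot%\IIS Temporary Compressed Files" %windir%\system32\dns'


def naive_split(line: str) -> list[str]:
    """What 'multiple items separated by spaces' means if quotes are not honoured."""
    return line.split()


def quoted_split(line: str) -> list[str]:
    """Split on unquoted whitespace; a double-quoted run is one token, quotes removed.

    Assumed convention for this illustration, not a documented product rule.
    """
    tokens, current, in_quotes = [], [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if in_quotes:
        raise ValueError("unterminated quote in exclusion line")
    if current:
        tokens.append("".join(current))
    return tokens


def quote_if_needed(entry: str) -> str:
    """Wrap an entry in double quotes only when it contains whitespace."""
    return f'"{entry}"' if any(c.isspace() for c in entry) else entry


def build_line(entries: list[str]) -> str:
    """Serialise a list of exclusions back into one policy line, quoting where required."""
    return " ".join(quote_if_needed(e) for e in entries)


if __name__ == "__main__":
    print("naive  :", naive_split(LINE))
    print("quoted :", quoted_split(LINE))
    print("rebuilt:", build_line(quoted_split(LINE)))
```

The naive split turns the IIS path into fragments that exclude nothing useful (or, worse, something unintended), while the quote-aware split keeps it as one entry and `build_line` reproduces the original line exactly. Whatever convention the scanner really uses, the check is the same: tokenise the line the way the product does and confirm the entry you meant to exclude is one token.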

AhHa!

Finally, I found a little tiny piece of info on how to correctly use wild cards and create paths.

This is what I so enjoy about McAfee. The hunt for the simple answers....

https://kc.mcafee.com/corporate/index?page=content&id=KB50998&pmv=print

RE: AhHa!

I have found that a lot of trial and error on a local installation is the best way to test wildcards. You never know what results you're going to get without playing around with a stand-alone installation and changing the policies on the fly.