Fine its now sticky. ( MOD hat on)

fill em in then.........

As a start I would check out the MS recommended exclusions for DC and PDC and exchange
also there are recommeded citrix exclusions

Virus scanning recommendations for computers that are running Windows Server 2008, Windows Server 20...

In summary of the above:

wsusscn2.cab
package*.cab
%windir%\SoftwareDistribution\Datastore\
%windir%\SoftwareDistribution\Datastore\Datastore.edb
%windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
%windir%\security\*.edb
%windir%\security\*.sdb
%windir%\security\*.log
%windir%\security\*.chk
%windir%\softwaredistribution\*.cab
%windir%\system32\ccm\cache\*.cab
%windir%\SoftwareDistribution\Datastore\Logs\res1.log
%windir%\SoftwareDistribution\Datastore\Logs\res2.log
%windir%\security\database\*.sdb

I just wish you could feed multiple exclusions into multiple policies in ePO. Maybe 4.5 eh McAfee?

Oh I just found this as well,

General exclusions Windows Server 2003, Windows 2000, Windows XP, or Windows Vista:

%windir%\ntfrs
%windir%\SoftwareDistribution\Datastore\Datastore.edb
%windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
%windir%\SoftwareDistribution\Datastore\Logs\Res1.log
%windir%\SoftwareDistribution\Datastore\Logs\Res2.log
%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb
For Windows 2000 & 2003 DC’s
%windir%\ntds\Ntds.dit
%windir%\ntds\Ntds.pat
%windir%\ntds\EDB*.log
%windir%\ntds\Res1.log
%windir%\ntds\Res2.log
%windir%\ntds\Temp.edb
%windir%\ntds\Edb.chk
%systemroot%\sysvol (only this folder, not all subfolders!!!)
%systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
%systemroot%\sysvol\staging
%systemroot%\sysvol\staging areas
%systemroot%\sysvol\sysvol

Clusters:
%windir%\Cluster
Q:\ (quorum)
DHCP: %windir%\system32\dhcp
DNS: %windir%\system32\dns
WINS: %windir%\system32\wins

Exchange Server:

Cdb.exe
Cidaemon.exe
Store.exe
Emsmta.exe
Mad.exe
Mssearch.exe
Inetinfo.exe
W3wp.exe
Exchsrvr\Conndata
Exchsrvr\Mailroot
Exchsrvr\Mdbdata
Exchsrvr\Mtadata
Exchsrvr\server_name.log
Exchsrvr\Srsdata
%systemroot%\IIS Temporary Compressed Files
%SystemRoot%\System32\Inetsrv
All .edb; .stm (on Exchange 2000 Server); .log Exchange files
M: drive (on Exchange 2000 Server)
SBS:
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail

SQL Server: SQL Server data files that have the .mdf extension, the .ldf extension, and the .ndf extension

WSUS: MSSQL$WSUS and WSUS content directory

References:

Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, Windows XP, or Windows Vista
http://support.microsoft.com/kb/822158

Overview of Exchange Server 2003 and antivirus software
http://support.microsoft.com/kb/823166

Guidelines for choosing antivirus software to run on the computers that are running SQL Server
http://support.microsoft.com/kb/309422

Recommended Forefront Client Security file and folder exclusions for Microsoft products
http://support.microsoft.com/kb/943556

Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file or the Wsusscn2.cab file is copied
http://support.microsoft.com/kb/900638

Not sure who to credit for this list though sorry. I saved it in a document a while back and don't recall the source but sharing is good. 😄

Gazz.

Just to comment on the logging part of your post....

Whenever I do a new install for a customer, I intentionally get them started by logging everything. Literally, set the Event filtering off. Then use the sudden and painful tidal wave of data to demonstrate how to write queries to purge event data and why or why not filtering certain events out completely would be a bad idea.

Most customers ultimately decide that they can write a few queries to handle the chatty informational events like 'service started' and 'scan completed'. It is generally much better to let customers determine what their comfort level is regarding purging/filtering data. There is no blanket rule for this.

In general, low severity events wind up being purged at an interval long enough to allow troubleshooting. sometimes just a few days or a week. Then from there it's a question of what the database server can handle. If you do incremental backup daily, and do a weekly full backup\rebuild\reindex then you should be in fairly good shape.

Oh yeah! And of course, please consider all company policies and govermnent-mandated logging requirements for the retention of data regarding security incidents.

Finally, I found a little tiny piece of info on how to correctly use wild cards and create paths.

This is what I so enjoy about McAfee. The hunt for the simple answers....

https://kc.mcafee.com/corporate/index?page=content&id=KB50998&pmv=print

I have found that a lot of trial and error on a local installation is the best way to test wildcards. You never know what results you're going to get without playing around with a stand-alone installation and chnaging the policies on the fly.