
Virus Scan Policy Best Practices

I think we should have a sticky here with policy best practices. I know myself and others often find themselves looking for policies for virus scanning, etc...

Topics we could have:

1. Virus scan exclusions - too often this information is scattered to the four winds

2. Virus scan settings - personally I use the DISA guides, but it may be helpful to have detailed setting recommendations here.

3. EPO Policy settings - Again, having policy setting best practices posted would be helpful. It would be really nice if EPO had a policy import feature based on best practices as well.

Microsoft has had group policy templates for years, c'mon McAfee, let's get with the program and make EPO a little more friendly on the policy side!
48 Replies

RE: Virus Scan Policy Best Practices

/me raises his hand high....damned good idear!!!

RE: Virus Scan Policy Best Practices

Fine, it's now sticky. (MOD hat on)

fill em in then.........

As a start I would check out the MS recommended exclusions for DC and PDC and Exchange.
Also there are recommended Citrix exclusions.

RE: Virus Scan Policy Best Practices


Excellent idea. I know we've had a few threads about this already... will look for them later (EOD)

For a starter, here are a few links from Microsoft sites :

Virus scanning recommendations for computers that are running Windows Server 2008, Windows Server 20...

I'd also be looking for best/worst practices on logging information. I presently am having more and more DB size issues because we log a lot of information... and I'm afraid if I purge or log less I won't find the necessary information when needed 😞


RE: Virus Scan Policy Best Practices

Virus scanning recommendations for computers that are running Windows Server 2008, Windows Server 20...

In summary of the above:

I just wish you could feed multiple exclusions into multiple policies in ePO. Maybe 4.5 eh McAfee?

RE: Virus Scan Policy Best Practices

Oh I just found this as well,

General exclusions Windows Server 2003, Windows 2000, Windows XP, or Windows Vista:

For Windows 2000 & 2003 DC’s
%systemroot%\sysvol (only this folder, not all subfolders!!!)
%systemroot%\sysvol\staging areas

Q:\ (quorum)
DHCP: %windir%\system32\dhcp
DNS: %windir%\system32\dns
WINS: %windir%\system32\wins

Exchange Server:

%systemroot%\IIS Temporary Compressed Files
All .edb; .stm (on Exchange 2000 Server); .log Exchange files
M: drive (on Exchange 2000 Server)
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail

SQL Server: SQL Server data files that have the .mdf extension, the .ldf extension, and the .ndf extension

WSUS: MSSQL$WSUS and WSUS content directory


Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, Windows XP, or Windows Vista

Overview of Exchange Server 2003 and antivirus software

Guidelines for choosing antivirus software to run on the computers that are running SQL Server

Recommended Forefront Client Security file and folder exclusions for Microsoft products

Multiple symptoms occur if an antivirus scan occurs while the file or the file is copied

Not sure who to credit for this list though sorry. I saved it in a document a while back and don't recall the source but sharing is good. 😄
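
An added example, not part of the original posts and not McAfee code: a small review helper that sorts a subset of the entries listed above by how much they exempt from scanning, so that whole-drive and extension-only entries are looked at first. The `*.ext` spelling and the category names are assumptions of this example, not ePO or VirusScan syntax.

```python
import re

# Subset of the entries from the post above. The "*.ext" spelling for the
# file-type entries is this example's own notation, not ePO/VSE syntax.
EXCLUSIONS = [
    r"%systemroot%\sysvol",
    r"%systemroot%\sysvol\staging areas",
    "Q:\\",
    r"%windir%\system32\dhcp",
    r"%windir%\system32\dns",
    r"%windir%\system32\wins",
    r"%systemroot%\IIS Temporary Compressed Files",
    "*.edb", "*.stm", "*.log",
    "M:\\",
    "*.mdf", "*.ldf", "*.ndf",
]

# Kinds that exempt files regardless of which folder they sit in.
BROAD = {"whole-drive", "extension-anywhere"}

def classify(entry):
    """Return how wide a single exclusion entry is."""
    e = entry.strip()
    if re.fullmatch(r"[A-Za-z]:\\?", e):
        return "whole-drive"
    if re.fullmatch(r"\*\.\w+", e):
        return "extension-anywhere"
    if "*" in e or "?" in e:
        return "wildcard-path"
    return "folder"

def review(entries):
    """Classify every entry; broad entries are listed first."""
    rows = []
    for e in entries:
        kind = classify(e)
        rows.append({"entry": e, "kind": kind, "broad": kind in BROAD,
                     "has_space": " " in e.strip()})
    rows.sort(key=lambda r: not r["broad"])  # stable: keeps list order within groups
    return rows

if __name__ == "__main__":
    for r in review(EXCLUSIONS):
        flag = "REVIEW" if r["broad"] else "ok"
        space = " (contains space)" if r["has_space"] else ""
        print(f'{flag:6} {r["kind"]:18} {r["entry"]}{space}')
```

The `has_space` flag marks entries whose path contains a space, which are the ones worth testing on a stand-alone install before the policy is rolled out.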


Re: RE: Virus Scan Policy Best Practices

Just to comment on the logging part of your post....

Whenever I do a new install for a customer, I intentionally get them started by logging everything. Literally, set the Event filtering off. Then use the sudden and painful tidal wave of data to demonstrate how to write queries to purge event data and why or why not filtering certain events out completely would be a bad idea.

Most customers ultimately decide that they can write a few queries to handle the chatty informational events like 'service started' and 'scan completed'. It is generally much better to let customers determine what their comfort level is regarding purging/filtering data. There is no blanket rule for this.

In general, low severity events wind up being purged at an interval long enough to allow troubleshooting. Sometimes just a few days or a week. Then from there it's a question of what the database server can handle. If you do incremental backup daily, and do a weekly full backup\rebuild\reindex then you should be in fairly good shape.

Oh yeah! And of course, please consider all company policies and government-mandated logging requirements for the retention of data regarding security incidents.

ePO exclusion entries

Ok. So we have this nice list of things to not scan, but how do we go about getting things into the policies? According to the cursory documentation that McAfee provides, there are the nice hints that we can put multiple items on the same line separated by spaces.

What do you do if you have paths that have spaces?
%systemroot%\IIS Temporary Compressed Files

So by all assumptions (based of course on the cursory documentation provided) then this would exclude the following items from being scanned:
%systemroot%\IIS Temporary
%systemroot%\IIS Compressed
%systemroot%\IIS Files

Which is not what I want. Is there anyone who knows where more detailed documentation is for ePO and VSE? McAfee does not seem to have anything and I don't want to have to call tech support for every little thing like this.

Thanks PCS


Finally, I found a little tiny piece of info on how to correctly use wild cards and create paths.

This is what I so enjoy about McAfee. The hunt for the simple answers....

RE: AhHa!

I have found that a lot of trial and error on a local installation is the best way to test wildcards. You never know what results you're going to get without playing around with a stand-alone installation and changing the policies on the fly.