Bobby Habib SharePoint & MOSS Blogging Space

I find that a lot of companies implementing MOSS into their organisations are not really thinking about Antivirus software that is running at the Operating System level. There are a number of products out there talking about MOSS Antivirus plug in etc, but these plug in are checking for documents that are being pushed into MOSS for viruses.

MS Fore Front Security for SharePoint:

http://www.microsoft.com/forefront/sharepoint/en/us/product-overview.aspx

McAfee:

http://us.trendmicro.com/us/products/enterprise/portalprotect/index.html

But there seems to be a big area that companies are forgetting about, that can effect the stability of MOSS servers and cause a lot of issues that really confuse IT professionals. The OPERATING SYSTEM ANTIVIRUS.

To rule out any interference that the operating system antivirus software might bring to SharePoint's stability, the following exclusions from the antivirus real-time scan are recommended:

Windows 2003 Server

 

ú    The %systemroot% is normally the C:WINDOWS or C:WINNT directory depending on your OSú    %systemroot%System32Spool (and all the sub-folders and files)ú    %systemroot%SoftwareDistributionDatastoreú    Any Network Drives that are mapped Refer to the following article for information:

KB822158 – Virus scanning recommendations for computers that are running Windows
Server 2003, Windows 2000, or Windows XP http://support.microsoft.com/kb/822158 

Internet Information Server

 The IIS compression directory (default compression directory is %systemroot%IIS Temporary Compressed Files)
 %systemroot%system32inetsrv folder
 Files that have the .log extension
Refer to the following knowledge base articles for reference:
KB817442 – IIS 6.0: Antivirus Scanning of IIS Compression Directory May Result in 0-Byte File
http://support.microsoft.com/kb/817442
KB821749 – Antivirus software may cause IIS to stop unexpectedly http://support.microsoft.com/kb/821749

SQL Server

 Exclude .MDF, .LDF, .NDF, .TRN, .BAK and .SLS
 Exclude sqlmangr.exe and sqlservr.exe
 SQL folder and databases files (or database file types) from scanning for performance reasons:
KB309422 – Guidelines for choosing antivirus software to run on the computers that are running SQL Server http://support.microsoft.com/kb/309422

WSS 3,0 / MOSS 2007 

 Drive:Program FilesMicrosoft Office Servers12.0
 Drive:Program FilesCommon FilesMicrosoft Sharedweb server extensions12
 Drive:DOCUME~1ALLUSE~1APPLICATION DATAMICROSOFTFIREWALL CLIENT*
 Drive:WINDOWSTempWebTempDir*
 Drive:DOCUMENTS AND SETTINGS<SPSServiceAccount>LOCAL SETTINGSAPPLICATION DATA*
 Drive:Documents and Settings\<SPSServiceAccount>Local SettingsTemp*
 Drive:WINDOWSsystem32LogFiles
 W3wp.exe, cbd.exe, cidaemon.exe, owstimer.exe (WSS)
(where Drive: is the drive letter where you installed SharePoint Portal Server)

 

MOM

ú    Drive:Documents and SettingsAll UsersApplication DataMicrosoftMicrosoft Operations Manager

ú    Drive:Program FilesMicrosoft Operations Manager 2005

 

If you are using Trend Micro the follow these guide lines:

 Temp folder:  C:Program FilesTrend MicroPortalProtect emp
 Quarantine folder, whose default location is:
Drive:Program FilesTrend MicroPortalProtectQuarantine
 Backup folder, whose default location is:
Drive:Program FilesTrend MicroPortalProtectBackup

The following link will provide you how you can configure MOSS anti-virus, not Operating System Anti-Virus.

http://technet2.microsoft.com/Office/f/?en-us/library/1289e6e2-03e0-4f10-8921-e516187891c61033.mspx

One of my recomendation before logging Microsoft PSS calls is to make sure you have these guidelines applied in your environment, this could save a lot of  time & money with regard to support issues. I hope this helps.

I thought I would add this to the post; the offical KB article associated to "Folders may have to be excluded from antivirus scanning when you use a file-level antivirus program in Windows SharePoint Services 3.0 or in SharePoint Server 2007": http://support.microsoft.com/kb/952167

This entry was posted on Tuesday, April 22nd, 2008 at 4:45 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.