A Trend Micro TrendEdge Solution
Advanced Technologies and Techniques to Enhance Your Product

Implementing Microsoft File Exclusions in Trend Micro OfficeScan 8.0

Mike Canavan, Senior Solutions Architect, Solution Architecture and Validation Program, Trend Micro, Inc.
Steven Spadaccini, Director, Senior Solutions Strategist, Solution Architecture and Validation Program, Trend Micro, Inc.

March 2008

Trend Micro, Inc., 10101 N. De Anza Blvd., Cupertino, CA 95014
T 800.288.5651 / 408.257.1500, F 408.257.2003, www.trendmicro.com
Implementing Microsoft File Exclusions in Trend Micro OfficeScan 8.0

Trend Micro, the Trend Micro t-ball logo, and OfficeScan are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice, and the information contained in this document is provided as-is. This document is for informational purposes only, and is not supported by Trend Micro or its partners. TREND MICRO MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Copyright 2008 Trend Micro Incorporated. All rights reserved. Document Part No. TE01OSCE80_080324US
Contents

Introduction
Using the OfficeScan 8.0 Administrative Console to Exclude Files from Scanning in OfficeScan 8.0
Entering Microsoft Windows General Exclusions
  Excluding Windows XP, Windows 2000, and Windows 2003 Update or Automatic Update Files
Entering Exclusions for Microsoft Windows Server 2000/2003 Domain Controllers
  Windows 2000 Active Directory and Related Files
  Windows Server 2003 Active Directory and Related Files
Defining Exclusions for Microsoft Internet Information Services
Entering Exclusions for Microsoft SQL Server
  Directories to be Excluded
  File Extensions to be Excluded
Setting Exclusions for Microsoft Exchange Server 2000/2003
Entering Exclusions for Microsoft Exchange Server 2007
  Setting Up Exclusions for a Microsoft Exchange 2007 Mailbox Server
  Setting Up Exclusions for a Microsoft Exchange 2007 Clustered Mailbox Server
  Setting Up Exclusions for a Microsoft Exchange 2007 Hub Transport Server
  Setting Up Exclusions for a Microsoft Exchange 2007 Edge Transport Server
  Setting Up Exclusions for a Microsoft Exchange 2007 Client Access Server
  Setting Up Exclusions for a Microsoft Exchange 2007 Unified Messaging Server
  Entering Microsoft Exchange-specific File Name Extension Exclusions
    Defining Exchange-specific Application-related Extensions
    Defining Exchange-specific Database-related Extensions
    Entering Exchange Content Index-related Extensions
    Entering Exchange Unified Messaging-related Extensions
Defining Exclusions for a Microsoft Windows Cluster (All Applications)
Entering Exclusions for Microsoft Internet Security and Acceleration (ISA) Server
Defining Exclusions for Microsoft SharePoint Server
Entering Exclusions for Microsoft Systems Management Server (SMS)
Resources
  Web Sites
About the Authors
  Mike Canavan
  Steven Spadaccini
About Trend Micro
Introduction

Trend Micro OfficeScan Client/Server Edition 8.0 (OfficeScan) protects Microsoft Windows servers and clients from viruses and other malware. As we have learned over years of working with Microsoft products, there are Microsoft files and folders that OfficeScan should not scan, for two reasons:

- Removing or quarantining these files or folders renders the operating system non-functional and prevents the system from performing its intended task.
- Excluding these files and folders from scanning improves application and operating system performance.

This document:

- Identifies the files and folders you must exclude from scanning by OfficeScan.
- Organizes these file and folder exclusions by application for ease of exclusion processing.

We recommend that you configure these exclusions by scan type, and only on the servers hosting each specified application. We do not recommend applying these exclusions to all OfficeScan clients: every excluded folder or extension is a location OfficeScan no longer inspects, so an exclusion applied to a machine that does not need it only widens the space in which malware can sit unnoticed.

Note: Trend Micro provides this document as-is as a courtesy to interested parties. The accuracy of the information is solely the authors' responsibility. This document is neither supported by Trend Micro nor its partners.
This document consists of the following sections:

- Using the OfficeScan 8.0 Administrative Console to Exclude Files from Scanning in OfficeScan 8.0
- Entering Microsoft Windows General Exclusions
- Entering Exclusions for Microsoft Windows Server 2000/2003 Domain Controllers
- Defining Exclusions for Microsoft Internet Information Services
- Entering Exclusions for Microsoft SQL Server
- Setting Exclusions for Microsoft Exchange Server 2000/2003
- Entering Exclusions for Microsoft Exchange Server 2007
- Defining Exclusions for a Microsoft Windows Cluster (All Applications)
- Entering Exclusions for Microsoft Internet Security and Acceleration (ISA) Server
- Defining Exclusions for Microsoft SharePoint Server
- Entering Exclusions for Microsoft Systems Management Server (SMS)

Using the OfficeScan 8.0 Administrative Console to Exclude Files from Scanning in OfficeScan 8.0

The Trend Micro OfficeScan 8.0 Administrator's Guide describes the process required to exclude files and directories from scanning. For more information about this process, see http://www.trendmicro.com/download/product.asp?productid=5.
Entering Microsoft Windows General Exclusions

When using OfficeScan to scan a Microsoft Windows server, you must exclude the following files from scanning:

TABLE 1. Microsoft Windows General File Exclusions

  Windows general operating system file
    Item name: pagefile.sys
  Microsoft Outlook Personal Store (PST) file
    Item name: *.pst

Excluding Windows XP, Windows 2000, and Windows 2003 Update or Automatic Update Files

If you use OfficeScan to scan a Windows XP, Windows 2000, or Windows Server 2003 system running Windows Update or Windows Automatic Update, exclude:

TABLE 2. Microsoft Windows XP, Windows 2000, and Windows 2003 Update or Automatic Update File Exclusions

  Windows Update or Automatic Update data store
    Default location: %windir%\SoftwareDistribution\Datastore
    Item name:        DataStore.edb
  Automatic Update log files
    Default location: %windir%\SoftwareDistribution\Datastore\Logs
    Item name:        Edb*.log (multiple files), Res1.log, Res2.log, Edb.chk, tmp.edb
  Windows hibernation and paging files
    Default location: root of the system drive
    Item name:        hiberfil.sys, pagefile.sys

Entering Exclusions for Microsoft Windows Server 2000/2003 Domain Controllers

If you use OfficeScan to scan a Microsoft Windows 2000 or Microsoft Windows Server 2003 domain controller, exclude the following Windows components from scanning:
Windows 2000 Active Directory and Related Files

This OfficeScan exclusion only applies to systems running Windows 2000 with Active Directory enabled.

TABLE 3. Windows 2000 with Active Directory File Exclusion

  Main Active Directory (NTDS) database file
    Registry entry:   HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
    Default location: %windir%\ntds
    Item name:        NTDS.dit

Windows Server 2003 Active Directory and Related Files

These OfficeScan exclusions only apply to systems running Windows Server 2003 with Active Directory enabled. Where the registry entry is listed, read the actual path from it; the default location applies only if the value was never changed.

TABLE 4. Windows Server 2003 with Active Directory Folder and File Exclusions

  Active Directory transaction log files
    Registry entry:   HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
    Default location: %windir%\ntds
    Item name:        EDB*.log (can be multiple files), RES1.log, RES2.log
  Main Active Directory (NTDS) database folder
    Registry entry:   HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
    Default location: %windir%\ntds
    Item name:        TEMP.edb, EDB.chk
  SYSVOL files
    Default location: %windir%\sysvol
                      %windir%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
                      %windir%\sysvol\staging
                      %windir%\sysvol\staging areas
    Item name:        All files in the indicated directories.
  FRS working directory (checkpoint file)
    Registry entry:   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
    Default location: FRS Working Dir\jet\sys\
    Item name:        EDB.chk
  FRS working directory (database)
    Registry entry:   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
    Default location: FRS Working Dir\jet\
    Item name:        NTFRS.jdb
  FRS database log files (if the registry key is not set)
    Registry entry:   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\DB Log File Directory
    Default location: FRS Working Dir\jet\log
    Item name:        *.log
  FRS database log files (if the registry key is set)
    Registry entry:   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\DB Log File Directory
    Default location: DB Log File Directory\log\
    Item name:        *.log
  FRS Replica_root files
    Registry entry:   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Root
    Default location: the path stored in the registry entry
    Item name:        All files
  FRS replica staging directory
    Registry entry:   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage
    Default location: the path stored in the registry entry
    Item name:        The entire directory
  FRS preinstall directory
    Default location: <Replica_root>\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
    Item name:        The entire directory (Note: The preinstall directory is always open exclusively while FRS is running.)

Defining Exclusions for Microsoft Internet Information Services

If you use OfficeScan to scan a host running Internet Information Services (IIS), exclude all files in the following directories:

  %SystemRoot%\system32\LogFiles\W3SVC# (one numbered folder per Web site)
  C:\inetpub

Note that excluding C:\inetpub removes scanning from the Web content folders under it (for example wwwroot), so a file that an attacker manages to upload there is never inspected. On a server that serves user-writable or publicly reachable content, narrow this exclusion to the IIS log and temporary folders and keep the content folders scanned.

Also, exclude all temporary compressed IIS files from scanning. The default path to the directory where these files are located is:

  %systemroot%\IIS Temporary Compressed Files

This directory may have been changed to another location. To verify the compression directory:

1. Click Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.
2. In IIS Manager, right-click the Web Sites folder, and then click Properties.
3. Click the Service tab.
4. Under HTTP Compression, make sure that Compress static files is selected, and then locate the path to the temporary directory.

Entering Exclusions for Microsoft SQL Server

If you use OfficeScan to scan a host running Microsoft SQL Server, exclude the following directories and file extensions from scanning:
Directories to be Excluded

  ...\Microsoft SQL Server\MSSQL\Data
  ...\Microsoft SQL Server\MSSQL\Log
  ...\Microsoft SQL Server\MSSQL\Backup

File Extensions to be Excluded

  .mdf
  .ldf
  .ndf

Setting Exclusions for Microsoft Exchange Server 2000/2003

If you use OfficeScan to scan a host running Microsoft Exchange Server 2000 or Microsoft Exchange Server 2003, exclude the following directories and files from scanning:

TABLE 5. Microsoft Exchange Server 2000 and 2003 Folder and File Exclusions

  Exchange Server drive
    Default folder location: the drive holding Exchsrvr\Mdbdata
    Additional information:  Exclude the entire drive.
  Microsoft Exchange databases and log files
    Default folder location: Exchsrvr\Mdbdata
    Additional information:  Exclude all databases and files.
  Exchange Mail Transfer Agent (MTA) files
    Default folder location: Exchsrvr\Mtadata
    Additional information:  Exclude all files.
  All additional log files
    Default folder location: for example, the Exchsrvr\server_name.log file
  Exchange Virtual Server folder
    Default folder location: Exchsrvr\Mailroot
    Additional information:  Exclude the entire folder.
  The working folder used to store temporary streaming message conversion files
    Default folder location: \Exchsrvr\MDBData
    Additional information:  Exclude the actual location. (You configure the location when you set up the application.)
  The temporary folder used by offline maintenance utilities
    Default folder location: Depends on the utility.
    Additional information:  For example, the Eseutil.exe file. The actual location depends on the utility; generally it is the directory from which you launch the executable, but you configure the actual location.
  Site Replication Service (SRS) files
    Default folder location: Exchsrvr\Srsdata
    Additional information:  Exclude all files.
  Microsoft Internet Information Services (IIS) system files
    Default folder location: %SystemRoot%\System32\Inetsrv
    Additional information:  Exclude all files.
  All Internet Mail Connector files
    Default folder location: \Exchsrvr\IMCData
    Additional information:  Exclude all files.
TABLE 5 (continued). Microsoft Exchange Server 2000 and 2003 Folder and File Exclusions

  Exchange Server folder
    Default folder location: Exchsrvr
    Additional information:  Exclude the entire folder. This is optional, but suggested.
  Checkpoint folder
    Default folder location: The folder that contains the .chk files.
  Miscellaneous files
    Item name:               *.edb, *.stm (Exchange 2000 Server), *.log

Note: We strongly recommend that you temporarily disable OfficeScan during operating system and Exchange upgrades. This includes both upgrading to new versions of Exchange or the operating system, and applying any Exchange or operating system fixes or service packs.

Entering Exclusions for Microsoft Exchange Server 2007

If you use OfficeScan to scan a host running Microsoft Exchange Server 2007, exclude the following directories and files from scanning:

Note: Information is provided for each server role.

Setting Up Exclusions for a Microsoft Exchange 2007 Mailbox Server

If you use OfficeScan to scan a Microsoft Exchange Server 2007 host operating as a mailbox server, exclude the following files and folders from scanning:

TABLE 6. Microsoft Exchange Server 2007 Folder and File Exclusions for Mailbox Servers

  Exchange databases, checkpoint files, and log files across all storage groups
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\Mailbox
    Additional information:  You can obtain the directory location of these files by running the following commands in the Exchange Management Shell:
                             Transaction log and checkpoint file:  Get-StorageGroup -Server <servername> | fl *path*
                             Mailbox database:                     Get-MailboxDatabase -Server <servername> | fl *path*
                             Public folder database:               Get-PublicFolderDatabase -Server <servername> | fl *path*
  Database content indexes
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\Mailbox
    Additional information:  These are located in the storage group sub-folders under the Mailbox directory.
TABLE 6 (continued). Microsoft Exchange Server 2007 Folder and File Exclusions for Mailbox Servers

  General log files, such as message tracking log files
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logs
                             and %ProgramFiles%\Microsoft\Exchange Server\Logging
    Additional information:  To determine the log paths being used, run the following command in the Exchange Management Shell:
                             Get-MailboxServer <servername> | fl *path*
  Exchange Offline Address Book files
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\ExchangeOAB
    Additional information:  See the subfolders under the ExchangeOAB folder.
  Internet Information Services (IIS) system files
    Default folder location: %SystemRoot%\System32\Inetsrv
    Additional information:  You must exclude all IIS system files from scanning.
  Temporary folders used for offline maintenance utilities (for example, Eseutil.exe)
    Default folder location: By default, this folder is the location from which you run the .exe file.
    Additional information:  You can configure the location from which you run the executable when you run the utility.
  Temporary OLE conversion folders
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\Working\OleConvertor
    Additional information:  These are the temporary folders that Exchange uses to perform OLE conversions.
  Mailbox database temporary folder
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\Mailbox\MDBTEMP
    Additional information:  These are the temporary folders that Exchange uses to perform mailbox database conversions.
  Exchange-aware antivirus program folders, such as those for Trend Micro ScanMail for Exchange
    Additional information:  See the application help for assistance in determining the correct folders.

Setting Up Exclusions for a Microsoft Exchange 2007 Clustered Mailbox Server

If you use OfficeScan to scan a Microsoft Exchange Server 2007 host operating as a clustered mailbox server, exclude the following files and folders from scanning:

- All the items listed in the mailbox server role list.
- The quorum disk.
- The %Winnt%\Cluster folder.
- The file share witness. This is located on another server in the environment, typically a Hub Transport server.
Setting Up Exclusions for a Microsoft Exchange 2007 Hub Transport Server

If you use OfficeScan to scan a Microsoft Exchange Server 2007 host operating as a hub transport server, exclude the following files and folders from scanning:
TABLE 7. Microsoft Exchange Server 2007 Folder and File Exclusions for Hub Transport Servers

  General log files (for example, message tracking logs)
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logs
    Additional information:  These files are located in subfolders under the Logs folder. To determine the log paths you are using, run the following command in the Exchange Management Shell:
                             Get-TransportServer <servername> | fl *logpath*,*tracingpath*
  Exchange message folders
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\TransportRoles
    Additional information:  These files are located in subfolders under the TransportRoles folder. To determine the paths you are using, run the following command in the Exchange Management Shell:
                             Get-TransportServer <servername> | fl *dir*path*
  Transport server role queue database, checkpoint, and log files
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\Queue
    Additional information:  Exclude all relevant files.
  Transport server role Sender Reputation database, checkpoint, and log files
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation
    Additional information:  Exclude all relevant files.
  Transport server role IP filter database, checkpoint, and log files
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter
    Additional information:  Exclude all relevant files.
  Temporary content conversion folders
    Default folder location: The server's TMP folder
    Additional information:  These are the temporary folders that Exchange uses to perform content conversions.
  Temporary OLE conversion folders
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\Working\OleConvertor
    Additional information:  These are the temporary folders that Exchange uses to perform OLE conversions.
  Exchange-aware antivirus program folders, such as those for Trend Micro ScanMail for Exchange
    Additional information:  See the application help for assistance in determining the correct folders.
Setting Up Exclusions for a Microsoft Exchange 2007 Edge Transport Server

If you use OfficeScan to scan a Microsoft Exchange Server 2007 host operating as an edge transport server, exclude the following files and folders from scanning:
TABLE 8. Microsoft Exchange Server 2007 Folder and File Exclusions for Edge Transport Servers

  Active Directory Application Mode (ADAM) database and log files
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\Adam
    Additional information:  Exclude all relevant files.
  General log files (for example, message tracking logs)
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logs
    Additional information:  These files are located in subfolders under the Logs folder. To determine the log paths you are using, run the following command in the Exchange Management Shell:
                             Get-TransportServer <servername> | fl *logpath*,*tracingpath*
  Exchange message folders
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\TransportRoles
    Additional information:  These files are located in subfolders under the TransportRoles folder. To determine the paths you are using, run the following command in the Exchange Management Shell:
                             Get-TransportServer <servername> | fl *dir*path*
  Transport server role queue database, checkpoint, and log files
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\Queue
    Additional information:  Exclude all relevant files.
  Transport server role Sender Reputation database, checkpoint, and log files
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation
    Additional information:  Exclude all relevant files.
  Transport server role IP filter database, checkpoint, and log files
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter
    Additional information:  Exclude all relevant files.
  Temporary content conversion folder
    Default folder location: The server's TMP folder
    Additional information:  These are the temporary folders that Exchange uses to perform content conversions.
  Temporary OLE conversion folders
    Default folder location: %ProgramFiles%\Microsoft\Exchange Server\Working\OleConvertor
    Additional information:  These are the temporary folders that Exchange uses to perform OLE conversions.
  Exchange-aware antivirus program folders, such as those for Trend Micro ScanMail for Exchange
    Additional information:  See the application help for assistance in determining the correct folders.
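Tables 6, 7 and 8 give default locations, but the paths that matter on a production server are whatever the Exchange Management Shell cmdlets named in those tables report. The following PowerShell is an added example, not part of the original document and not code from Exchange or OfficeScan: it runs the cmdlets for whichever roles are installed, collects every path-valued property they return, reduces database file paths to their folders, and appends the fixed folders the tables list. It assumes the default Exchange 2007 install root (%ProgramFiles%\Microsoft\Exchange Server) for the fixed folders and the server's TMP folder for content conversion; the storage group object at the end is constructed so the path extraction can be exercised on a machine without Exchange.

```powershell
# Added example; not from the Trend Micro document or from Exchange.
# Run in the Exchange Management Shell on the server being configured.

# File extensions from the document's Exchange database list; a path ending in
# one of these names a file, and OfficeScan folder exclusions need its folder.
$DbExt = '\.(edb|chk|log|jrs|que|stm)$'

function Get-PathProperties {
    # Emit the value of every property whose name ends in "Path" and is set
    # (LogFolderPath, SystemFolderPath, EdbFilePath, MessageTrackingLogPath, ...).
    param([Parameter(ValueFromPipeline = $true)] $InputObject)
    process {
        if ($null -eq $InputObject) { return }
        foreach ($p in $InputObject.PSObject.Properties) {
            if ($p.Name -match 'Path$' -and $null -ne $p.Value) {
                $v = ([string]$p.Value).Trim()
                if ($v) { $v }
            }
        }
    }
}

function Convert-ToExclusionFolder {
    # Reduce a database/checkpoint/log file path to its parent folder;
    # folder paths pass through unchanged.
    param([Parameter(ValueFromPipeline = $true)][string]$Path)
    process { if ($Path -match $DbExt) { Split-Path -Parent $Path } else { $Path } }
}

function Get-ExchangeExclusionFolders {
    param(
        [string]$Server = $env:COMPUTERNAME,
        # Assumption: default Exchange 2007 install root.
        [string]$InstallRoot = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server')
    )
    $objects = @()
    # Mailbox role (Table 6): storage groups and databases are queried per server.
    foreach ($cmd in 'Get-StorageGroup', 'Get-MailboxDatabase', 'Get-PublicFolderDatabase') {
        if (Get-Command $cmd -ErrorAction SilentlyContinue) {
            $objects += & $cmd -Server $Server -ErrorAction SilentlyContinue
        }
    }
    # Server objects carry the log and tracing paths (Tables 6, 7 and 8).
    foreach ($cmd in 'Get-MailboxServer', 'Get-TransportServer') {
        if (Get-Command $cmd -ErrorAction SilentlyContinue) {
            $objects += & $cmd -Identity $Server -ErrorAction SilentlyContinue
        }
    }
    $folders = @($objects | Where-Object { $_ } | Get-PathProperties | Convert-ToExclusionFolder)

    # Fixed folders from the tables, kept only when the role that uses them is present.
    $fixed = 'Mailbox\MDBTEMP', 'Working\OleConvertor', 'ExchangeOAB',
             'TransportRoles\Data\Queue', 'TransportRoles\Data\SenderReputation',
             'TransportRoles\Data\IpFilter', 'TransportRoles\Data\Adam'
    foreach ($rel in $fixed) {
        $full = Join-Path $InstallRoot $rel
        if (Test-Path $full) { $folders += $full }
    }
    # Content conversion runs in the server's TMP folder (Tables 7 and 8).
    $folders += $env:TMP

    $folders | Where-Object { $_ } | Sort-Object -Unique
}

# Constructed sample (not real Exchange output) so the extraction logic can be
# checked on a machine without Exchange installed.
$sampleStorageGroup = New-Object PSObject -Property @{
    Name             = 'First Storage Group'
    LogFolderPath    = 'E:\ExchangeLogs\First Storage Group'
    SystemFolderPath = 'E:\ExchangeLogs\First Storage Group'
    EdbFilePath      = 'F:\ExchangeDB\First Storage Group\Mailbox Database.edb'
}
$sampleStorageGroup | Get-PathProperties | Convert-ToExclusionFolder | Sort-Object -Unique

# On an Exchange server, write the full list for entry into the OfficeScan console:
# Get-ExchangeExclusionFolders | Out-File .\officescan-exchange-exclusions.txt
```

Review the resulting list before entering it: the Get-* output includes every path property, so a value that points at a folder you did not intend to exclude (for example a share or a parent directory) should be trimmed by hand rather than copied in wholesale.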
Setting Up Exclusions for a Microsoft Exchange 2007 Client Access Server

If you use OfficeScan to scan a Microsoft Exchange Server 2007 host operating as a client access server, exclude the following files and folders from scanning:

- The Internet Information Services (IIS) 6.0 compression folder that is used with Microsoft Outlook Web Access. By default, the compression folder in IIS 6.0 is located at %systemroot%\IIS Temporary Compressed Files.
- IIS system files in the %SystemRoot%\System32\Inetsrv folder.
- The Internet-related files that are stored in the sub-folders of the %ProgramFiles%\Microsoft\Exchange Server\ClientAccess folder.
- The temporary folder that is used to perform content conversion. By default, this is the server's TMP folder.

Setting Up Exclusions for a Microsoft Exchange 2007 Unified Messaging Server

If you use OfficeScan to scan a Microsoft Exchange Server 2007 host operating as a unified messaging server, exclude the following files and folders from scanning:

- The grammar files that are stored in the subfolders of the %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\grammars folder.
- The voice prompts that are stored in the subfolders of the %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\Prompts folder.
- The voicemail files that are stored in the %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\voicemail folder.
- The bad voicemail files that are stored in the %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\badvoicemail folder.

Entering Microsoft Exchange-specific File Name Extension Exclusions

In addition to excluding specific directories and processes, as a secondary measure in case directory exclusions fail or files are moved, you should exclude the following Exchange-specific file extensions. An extension exclusion applies to a file with that extension anywhere on the disk, not only under the Exchange folders, so apply these only on Exchange servers and not in a policy shared with other clients.

Defining Exchange-specific Application-related Extensions

  .config
  .dia
  .wsb

Defining Exchange-specific Database-related Extensions

  .chk
  .log
  .edb
  .jrs
  .que

Offline Address Book-related extension:

  .lzx

Entering Exchange Content Index-related Extensions

  .ci
  .dir
  .wid
  .000
  .001
  .002

Entering Exchange Unified Messaging-related Extensions

  .cfg
  .grxml

Defining Exclusions for a Microsoft Windows Cluster (All Applications)

If you use OfficeScan to scan a Microsoft cluster, exclude the following from scanning:

  Q:\ (Quorum Drive)
  \Windows\Cluster

Entering Exclusions for Microsoft Internet Security and Acceleration (ISA) Server

If you use OfficeScan to scan a Microsoft ISA server, exclude the following folders from scanning:

  In Proxy Mode, the Default Cache folder.
  The \Microsoft ISA Server\ISALogs folder.

Defining Exclusions for Microsoft SharePoint Server

If you use OfficeScan to scan a Microsoft SharePoint server, exclude the following folders from scanning:

  \SharePoint Portal Server\
  \Program Files\Common Files\Microsoft Shared\Web Storage System\

If you use Microsoft SharePoint Portal Server 2003 and you apply Service Pack 1 (SP1), you must also exclude the following folder from antivirus scans:

  \Windows\Temp\Frontpagetempdir\
Entering Exclusions for Microsoft Systems Management Server (SMS)

If you use OfficeScan to scan a Microsoft SMS server, exclude the following folders from scanning:

  \SMS\Inboxes\<SMS_Executive Thread Name>\
  \SMS_CCM\ServiceData
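Most rows of the domain controller tables (Tables 3 and 4) give a registry entry and a placeholder such as "FRS Working Dir" rather than a fixed path, and the IIS section resolves the compression folder by clicking through IIS Manager. The following PowerShell is an added example, not part of the original document and not code from Trend Micro or Microsoft: it reads the NTDS and NtFrs registry values named in those tables, enumerates the Replica Sets subkeys, and prints one row per exclusion with the concrete path, then reads the IIS 6 compression folder from the metabase. Two things are assumptions beyond what the tables state: the SYSVOL path is taken from the SysVol value under the Netlogon service parameters (falling back to the table's %windir%\sysvol default), and the compression folder is read from the HcCompressionDirectory metabase property at W3SVC/Filters/Compression/Parameters through ADSI. Run it as an administrator on the server being configured.

```powershell
# Added example; not from the Trend Micro document. Resolves the registry
# entries in Tables 3 and 4 and the IIS 6 compression folder into real paths.

function Get-RegValue {
    # Read one named registry value; $null when the key or the value is absent.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { [string]$item.$Name } else { $null }
}

function New-Exclusion {
    # One row of the exclusion list, with the columns in the tables' order.
    param([string]$Item, [string]$Path, [string]$Files)
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Item  $Item
    $o | Add-Member NoteProperty Path  $Path
    $o | Add-Member NoteProperty Files $Files
    $o
}

function Get-DomainControllerExclusions {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $frs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'

    # Table 3 / Table 4: NTDS database file, transaction logs, working folder.
    $dit = Get-RegValue $ntds 'DSA Database File'
    if ($dit) { New-Exclusion 'NTDS database' (Split-Path -Parent $dit) (Split-Path -Leaf $dit) }
    $logs = Get-RegValue $ntds 'Database Log Files Path'
    if ($logs) { New-Exclusion 'AD transaction logs' $logs 'EDB*.log, RES1.log, RES2.log' }
    $work = Get-RegValue $ntds 'DSA Working Directory'
    if ($work) { New-Exclusion 'NTDS working folder' $work 'TEMP.edb, EDB.chk' }

    # SYSVOL: assumption - Netlogon's SysVol value holds the real location;
    # otherwise use the table's default.
    $sysvol = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'SysVol'
    if (-not $sysvol) { $sysvol = Join-Path $env:windir 'sysvol' }
    New-Exclusion 'SYSVOL' $sysvol 'All files (domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory, staging, staging areas)'

    # FRS working directory: jet\sys\EDB.chk and jet\NTFRS.jdb sit under it; the
    # jet logs move to <DB Log File Directory>\log when that value is set.
    $frsWork = Get-RegValue $frs 'Working Directory'
    if ($frsWork) {
        New-Exclusion 'FRS checkpoint' (Join-Path $frsWork 'jet\sys') 'EDB.chk'
        New-Exclusion 'FRS database'   (Join-Path $frsWork 'jet')     'NTFRS.jdb'
        $dbLog  = Get-RegValue $frs 'DB Log File Directory'
        $logDir = if ($dbLog) { Join-Path $dbLog 'log' } else { Join-Path $frsWork 'jet\log' }
        New-Exclusion 'FRS database logs' $logDir '*.log'
    }

    # One Replica Sets\<GUID> subkey per replica set: root, staging folder and
    # the preinstall folder under the root (open exclusively while FRS runs).
    Get-ChildItem "$frs\Replica Sets" -ErrorAction SilentlyContinue | ForEach-Object {
        $guid  = $_.PSChildName
        $root  = Get-RegValue $_.PSPath 'Replica Set Root'
        $stage = Get-RegValue $_.PSPath 'Replica Set Stage'
        if ($root) {
            New-Exclusion "FRS replica root ($guid)" $root 'All files'
            New-Exclusion "FRS preinstall directory ($guid)" (Join-Path $root 'DO_NOT_REMOVE_NtFrs_PreInstall_Directory') 'Entire directory'
        }
        if ($stage) { New-Exclusion "FRS staging directory ($guid)" $stage 'Entire directory' }
    }
}

function Get-IisCompressionFolder {
    # Assumption: IIS 6 metabase, read through ADSI instead of IIS Manager.
    try {
        $params = [adsi]'IIS://localhost/W3SVC/Filters/Compression/Parameters'
        [string]$params.HcCompressionDirectory.Value
    } catch { $null }
}

Get-DomainControllerExclusions | Format-Table -AutoSize
$comp = Get-IisCompressionFolder
if ($comp) { New-Exclusion 'IIS temporary compressed files' $comp 'All files' | Format-Table -AutoSize }
```

On a member server that is not a domain controller the NTDS and NtFrs keys are absent, so only the SYSVOL default row is printed; treat that as a sign the domain controller exclusions do not belong on that machine rather than as a list to enter.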
Resources

Web Sites

  http://www.trendmicro.com/us
  http://technet.microsoft.com/
  http://support.microsoft.com/
About the Authors

Mike Canavan

Mike has been with Trend Micro for over 3 years and is currently a Senior Solutions Architect. Prior to this role, Mike served as a Senior Presales Engineer and has over 5 years of experience in network security and system administration. Before working for Trend Micro, Mike worked for CDW Presales Engineering with a focus on security.

Steven Spadaccini

Steven Spadaccini has been with Trend Micro for over 5 years and is currently the Director and Senior Solutions Strategist for the Solution Architecture and Validation Program. Prior to these roles, Steven worked as a Senior Security Engineer at Trend Micro and has over 12 years' experience in network security. Before working for Trend Micro, Steven worked for Sun Microsystems Enterprise Server Products.
About Trend Micro

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware, and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at www.trendmicro.com.