Bob,

I think the issue with AV and SYSVOL has largely gone away. Most of the major AV vendors now provide software that does not update the security descriptor. Previously, this was an issue because the modification of the security descriptor triggered replication.

For the reasons you mention below, it is a good thing for the AV software to scan SYSVOL. I had a situation around 18 months ago in which a virus had found its way into SYSVOL. I discovered that SYSVOL replication propagates a virus *really* well, which is fun if you have around 75 DCs. At that time I was a little stuck because the AV software we had updated the security descriptor.

The best thing is to press your AV vendor for a formal response to the question, "Will your software scan (both manual and on-access) trigger SYSVOL replication?" You should/could also test it yourself using FRS debug logging.

If your AV vendor doesn't provide you with an exclusion list for AD, here's one I came up with a while back. See FAQ #12 at http://www.activedir.org/FAQ.htm. Looks like I need to update it regarding SYSVOL.

Tony

---------- Original Message ----------------------------------
From: OKSTTZRCLBDXRQBGJSNBOHMKHJ
Reply-To: [EMAIL PROTECTED]
Date: Thu, 10 Jul 2003 17:28:16 -0700

So I'm reading Part 2 of Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations, and I see:

"Part 1 of this guide recommends that the SYSVOL folder be excluded from virus scanning. However, excluding SYSVOL increases the risk of a virus attack on a domain controller because viruses tend to attach to files that are executed such as binaries or scripts. The SYSVOL folder contains important executables such as logon and startup scripts. As a counter-measure, implement script signing to protect the integrity of scripts running on domain controllers and administrative workstations. For information on implementing script signing see "Running Antivirus Software on Domain Controllers and Administrative Workstations," in Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part I"

I also come across Q284947 - Antivirus Programs May Modify Security Descriptors and Cause Excessive Replication of FRS Data in Sysvol and DFS.

Of course our AV vendor says 'they' never had that problem and don't modify descriptors. Then they later told our AV Product Manager that they recommend excluding "the database files".

So I poke around a little more and see a newsgroup post that Tony made a while back saying, "Also, if you're running AV software on your DCs be sure to exclude the SYSVOL. This is a strong recommendation from Microsoft." I don't know if that just had to do with the Q284947 issue or was a more general recommendation...

On Trend's site I find:

i) Things to Exclude From scanning on Windows 2000 Domain Controllers
(1) Do not Scan the Active Directory folders and Exclude the following
(a) NTDS.DIT
(b) The NTDS folder
(c) The SYSVOL Folder

"Active Directory is a text based database and cannot store executable code, therefore it does not need to be scanned. The risk in scanning the Active Directory database is a false positive that will quarantine or worse delete or corrupt the database. This is why these are excluded."

I also come across a posting by one of the MS guys in the DFS newsgroup that says:

"Make sure AV doesn't run against the FRS set and if it does you are using one that is smart enough to not trigger a full replication. Some AV software busts stuff in FRS pretty bad and forces you to rereplicate the files every time the AV touches them. Ouch. The AV software vendor can tell you what their recommendations are in touch of FRS (they will probably talk about SYSVOL, not FRS generally, but same diff)."

So I'm wondering what you folks do in your environments and if there is a general best practice that isn't vendor specific.

Thanks
Bob Free
Sr. Network Specialist
ISTS/ITUSS/DC/System Server Support
PG&E Auburn, Ca

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
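Tony suggests testing whether a scanner rewrites SYSVOL security descriptors (the Q284947 behaviour that drove FRS replication). The script below is an added example, not from the thread or from any vendor: it snapshots the owner/group/DACL of every SYSVOL object as an SDDL string before a scan and reports which descriptors changed afterwards. The SYSVOL path and the snapshot file location are assumptions.

```powershell
# Added example: detect AV-induced security descriptor rewrites in SYSVOL.
# Run once to capture a baseline, run the AV scan, then re-run with -Compare.
param(
    [string]$SysvolPath = "$env:SystemRoot\SYSVOL\sysvol",       # assumed default SYSVOL share root
    [string]$Snapshot   = "$env:TEMP\sysvol-sddl-before.json",   # assumed baseline file location
    [switch]$Compare
)

function Get-SysvolDescriptorMap {
    param([string]$Root)
    $map = @{}
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        # Sddl is a canonical string of owner, group and DACL; any rewrite
        # of the descriptor (even with identical permissions) shows up here.
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if ($acl) { $map[$_.FullName] = $acl.Sddl }
    }
    return $map
}

if (-not $Compare) {
    $before = Get-SysvolDescriptorMap -Root $SysvolPath
    $before | ConvertTo-Json | Set-Content -LiteralPath $Snapshot
    "Captured $($before.Count) descriptors to $Snapshot. Run the AV scan, then re-run with -Compare."
}
else {
    $baseline = Get-Content -LiteralPath $Snapshot -Raw | ConvertFrom-Json
    $after    = Get-SysvolDescriptorMap -Root $SysvolPath
    $changed  = foreach ($entry in $baseline.PSObject.Properties) {
        # Only objects present in both snapshots are compared; new or deleted
        # files are normal SYSVOL churn, not descriptor rewrites.
        if ($after.ContainsKey($entry.Name) -and $after[$entry.Name] -ne $entry.Value) {
            [pscustomobject]@{ Path = $entry.Name; Before = $entry.Value; After = $after[$entry.Name] }
        }
    }
    if ($changed) {
        "Security descriptors rewritten by the scan (each one is an FRS replication trigger):"
        $changed | Format-Table -AutoSize -Wrap
    }
    else {
        "No SYSVOL security descriptor changed across the scan."
    }
}
```

Run both passes on the same DC with the same account, since a different caller can read a different view of the descriptor; a non-empty change list is the evidence to take back to the AV vendor alongside the FRS debug logs Tony mentions.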
