Hi Brett Thanks for your detailed response. I see you've also managed to sort out the formatting of the table in the article. Oh, what power you wield! :-)
The main issue I have is that the article introduces some "new" exclusions. I don't think I'm alone in thinking that the general approach before this article came out was, "If your AV product is FRS-compliant then include SYSVOL in scans.". I am fully aware of the effects of a virus being replicated by SYSVOL, having seen it first-hand. SYSVOL does a great job of moving a virus around a network very quickly. :-) So it's important to scan SYSVOL (or at least parts thereof). Going back to the issue, the 822158 article sets out exclusions, but doesn't indicate why they should be exlcuded. In other words, what is the risk of including them? This is relevant for at least one major AV product vendor, which has a (somewhat stupid) low limit on the number of files and folders that can be excluded on any one server. I'm also not convinced that the AV product I'm thinking of can perform the level of granularity of inclusion/exclusion suggested in the table. I can sort of understand why the staging areas would be excluded (compressed files, possibility of locking), but why exclude %systemroot%\sysvol and %systemroot%\sysvol\sysvol? I can't see anything in my test environment that would pose any problems by scanning these folders. Call me a control freak, but I just don't like seeing a statement such as, "Do not scan the following files and folders." with no additional explanation. Tony -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Tuesday, 13 September 2005 10:47 p.m. To: [email protected] Subject: Re: [ActiveDir] Sysvol and AV exclusions The articles should not be inconsistent. The 822158 does mention 814263 (see bullet 2). 284947 - is how to detect and diagnose excessive FRS replication. Noting it might be caused by Anti-Virus software. And mentioning how to recover. It is not SYSVOL specific, it is FRS specific. But sincej SYSVOL is an FRS share, so it applies to SYSVOL, if this should happen to your SYSVOL. 814263 - is about Anti-Virus programs that are compatible with FRS from a generic sense. Againt not SYSVOL specific, FRS specific. You will want one of these programs to continue on with your configuration of your DC's Anti-Virus program with 822158. 822158 - Is the penultimate article for DCs and anti-virus software. You need to scroll over the very poorly formatted table, near the end. You'll note some part of the sysvol folder, are to be scanned and other parts are excluded. I believe the parts with the actual files (that people can execute during logon due to policy) are to be scanned. Let me know if you have any issues, or find my statements inaccurate ... FYI, it is important to get a good anti-virus program (per 814263) and configure it correctly (per 822158) to scan your SYSVOL shares, because I've know a major company to get a virus in it's SYSVOL, such that everyone who logged on would get the virus. This is very nasty. The first thing the admin does to check out such an issue is ... log on to a DC, which may not have actually been infected with a running copy of the virus. If you can get ahold of a virus'd exe, I'd drop it on your SYSVOL just to check it works. Cheers, BrettSh [msft] This posting is provided "AS IS" with no warranties, and confers no rights. On Tue, 13 Sep 2005, Tony Murray wrote: > Hi all > > For a while now, I've been including/excluding Sysvol from AV scans > based on the recommendations in these articles. > > Antivirus programs may modify security descriptors and cause excessive > replication of FRS data in SYSVOL and DFS > > http://support.microsoft.com/?kbid=284947 > <http://support.microsoft.com/?kbid=284947> > > Antivirus, backup, and disk optimization programs that are compatible > with the File Replication Service > > > http://support.microsoft.com/kb/815263/ > > In other words, if the AV software is not FRS-compliant then I exlude > Sysvol from scans. > > However, I recently came across the following article: > > Virus scanning recommendations on a Windows 2000 or on a Windows > Server > 2003 domain controller > > http://support.microsoft.com/kb/822158 > <http://support.microsoft.com/kb/822158> > > This includes a recommendation to exclude Sysvol, but doesn't really > say why. The article doesn't make any reference to the KB284947 and > KB815263 articles, so I don't know whether the recommendations are > based on that information or new information. > > Can anyone clarify the situation for me? > > Tony > List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ######################################################################## #### This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal at Gen-i ######################################################################## #### List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
