The gist of it should be:

Sysvol\Domain\ - Scan
Sysvol\Domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\ - Don't Scan
Sysvol\Staging\ - Don't Scan
Sysvol\Staging Areas\ - Don't Scan
Sysvol\Sysvol\<domain name> - Don't Scan

So, effectively, you only need to set the 4 folder exclusions. The reasoning for the Staging* folders and the PreInstall folder is because the files created/deleted there are of a transactional nature. The Sysvol\Sysvol\<domain name>\ folder is a junction point of Sysvol\Domain\, so there's no point in scanning it. You'll just end up scanning the same files twice. For the junction point, I don't believe there's anything inherently wrong with scanning files twice; it's just unnecessary. So if you're limited to how many folder exclusions you can set I would say that's one you could skip, if necessary.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> Sent: Wednesday, September 14, 2005 5:01 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Sysvol and AV exclusions
>
> Hi Brett
>
> Thanks for your detailed response. I see you've also managed to sort out the formatting of the table in the article. Oh, what power you wield! :-)
>
> The main issue I have is that the article introduces some "new" exclusions. I don't think I'm alone in thinking that the general approach before this article came out was, "If your AV product is FRS-compliant then include SYSVOL in scans.". I am fully aware of the effects of a virus being replicated by SYSVOL, having seen it first-hand. SYSVOL does a great job of moving a virus around a network very quickly. :-) So it's important to scan SYSVOL (or at least parts thereof).
>
> Going back to the issue, the 822158 article sets out exclusions, but doesn't indicate why they should be excluded. In other words, what is the risk of including them? This is relevant for at least one major AV product vendor, which has a (somewhat stupid) low limit on the number of files and folders that can be excluded on any one server.
> I'm also not convinced that the AV product I'm thinking of can perform the level of granularity of inclusion/exclusion suggested in the table.
>
> I can sort of understand why the staging areas would be excluded (compressed files, possibility of locking), but why exclude %systemroot%\sysvol and %systemroot%\sysvol\sysvol? I can't see anything in my test environment that would pose any problems by scanning these folders.
>
> Call me a control freak, but I just don't like seeing a statement such as, "Do not scan the following files and folders." with no additional explanation.
>
> Tony
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Tuesday, 13 September 2005 10:47 p.m.
> To: [email protected]
> Subject: Re: [ActiveDir] Sysvol and AV exclusions
>
> The articles should not be inconsistent. The 822158 does mention 814263 (see bullet 2).
>
> 284947 - is how to detect and diagnose excessive FRS replication. Noting it might be caused by Anti-Virus software. And mentioning how to recover. It is not SYSVOL specific, it is FRS specific. But since SYSVOL is an FRS share, so it applies to SYSVOL, if this should happen to your SYSVOL.
>
> 814263 - is about Anti-Virus programs that are compatible with FRS from a generic sense. Again not SYSVOL specific, FRS specific. You will want one of these programs to continue on with your configuration of your DC's Anti-Virus program with 822158.
>
> 822158 - Is the penultimate article for DCs and anti-virus software. You need to scroll over the very poorly formatted table, near the end. You'll note some part of the sysvol folder, are to be scanned and other parts are excluded. I believe the parts with the actual files (that people can execute during logon due to policy) are to be scanned.
>
> Let me know if you have any issues, or find my statements inaccurate ...
>
> FYI, it is important to get a good anti-virus program (per 814263) and configure it correctly (per 822158) to scan your SYSVOL shares, because I've known a major company to get a virus in its SYSVOL, such that everyone who logged on would get the virus. This is very nasty. The first thing the admin does to check out such an issue is ... log on to a DC, which may not have actually been infected with a running copy of the virus. If you can get ahold of a virus'd exe, I'd drop it on your SYSVOL just to check it works.
>
> Cheers,
> BrettSh [msft]
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> On Tue, 13 Sep 2005, Tony Murray wrote:
>
> > Hi all
> >
> > For a while now, I've been including/excluding Sysvol from AV scans based on the recommendations in these articles.
> >
> > Antivirus programs may modify security descriptors and cause excessive replication of FRS data in SYSVOL and DFS
> >
> > http://support.microsoft.com/?kbid=284947
> >
> > Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service
> >
> > http://support.microsoft.com/kb/815263/
> >
> > In other words, if the AV software is not FRS-compliant then I exclude Sysvol from scans.
> >
> > However, I recently came across the following article:
> >
> > Virus scanning recommendations on a Windows 2000 or on a Windows Server 2003 domain controller
> >
> > http://support.microsoft.com/kb/822158
> >
> > This includes a recommendation to exclude Sysvol, but doesn't really say why. The article doesn't make any reference to the KB284947 and KB815263 articles, so I don't know whether the recommendations are based on that information or new information.
> >
> > Can anyone clarify the situation for me?
> >
> > Tony
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
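
The folder layout from the top message, as an added example (not part of the thread or of any Microsoft article): a PowerShell script that builds the four exclusion paths, confirms that Sysvol\Sysvol\<domain name> really is a junction before leaving it unscanned, and gives up that exclusion first when the AV product allows fewer than four. The default SYSVOL location, the USERDNSDOMAIN lookup and the MaxExclusions parameter are assumptions.

```powershell
param(
    [string]$SysvolRoot    = (Join-Path $env:SystemRoot 'SYSVOL'),  # assumption: default location
    [string]$DomainName    = $env:USERDNSDOMAIN,                    # assumption: run as a domain account
    [int]   $MaxExclusions = 4                                      # hypothetical per-server product limit
)

# Scan / don't-scan layout as given in the message above (paths relative to SYSVOL).
$plan = @(
    [pscustomobject]@{ Path = 'Domain';              Scan = $true;  Why = 'live copy of the files' }
    [pscustomobject]@{ Path = 'Domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory'
                       Scan = $false; Why = 'transactional files' }
    [pscustomobject]@{ Path = 'Staging';             Scan = $false; Why = 'transactional files' }
    [pscustomobject]@{ Path = 'Staging Areas';       Scan = $false; Why = 'transactional files' }
    [pscustomobject]@{ Path = "Sysvol\$DomainName";  Scan = $false; Why = 'junction to Domain' }
)
foreach ($entry in $plan) { $entry.Path = Join-Path $SysvolRoot $entry.Path }

# Added check: the last exclusion is only harmless if the folder is a junction.
# If it is a real directory (or missing), excluding it could leave files unscanned.
$junction = $plan[-1]
$item = Get-Item -LiteralPath $junction.Path -Force -ErrorAction SilentlyContinue
$isReparse = $item -and $item.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)
if (-not $isReparse) {
    Write-Warning "$($junction.Path) is not a reparse point; keeping it in scan scope."
    $junction.Scan = $true
    $junction.Why  = 'not a junction on this server'
}

# Collect the exclusions; when the product limit is too low, drop the junction
# first, because scanning it only repeats work already done on Domain.
$exclusions = @($plan | Where-Object { -not $_.Scan })
if ($exclusions.Count -gt $MaxExclusions) {
    $exclusions = @($exclusions |
        Where-Object { $_.Path -ne $junction.Path } |
        Select-Object -First $MaxExclusions)
}

$plan | Format-Table Path, Scan, Why -AutoSize
'Folder exclusions to enter in the AV product:'
$exclusions.Path
```

The script only reports paths; entering them is specific to each AV product.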
