Antivirus Exclusion List for SQL Server

After struggling a lot and working with vendor, identified list of exclusions for SQL Server related to Anti Virus Software (McAfee, Symantec, etc.), the details can be found in this link, last one is important as it impacts performance.

 

https://support.microsoft.com/en-us/help/309422/how-to-choose-antivirus-software-to-run-on-computers-that-are-running-sql-server

 

Directories and file-name extensions to exclude from virus scanning

When you configure your antivirus software settings, make sure that you exclude the following files or directories (as applicable) from virus scanning. Doing this improves the performance of the files and helps make sure that the files are not locked when the SQL Server service must use them. However, if these files become infected, your antivirus software cannot detect the infection.

 

The official exceptions in the KB are:
– SQL Server data files (*.mdf, *.ldf, *.ndf)
– Backup files (*.trn, *.tuf, *.bak usually)
– Full text catalog files. This is the FTData folder in SQL Server
– The directory that holds Analysis Services data
– Trace files (*.trc. *.xel)

– Audit Files (These files have the .sqlaudit file-name extension)

– TSQL Files (.sql file extension)

Processes to exclude from virus scanning

• %ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr.exe
• %ProgramFiles%\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
• %ProgramFiles%\Microsoft SQL Server\MSAS11.<Instance Name>\OLAP\Bin\MSMDSrv.exe

 

If you are running antivirus software on a cluster, make sure that you also exclude these locations from virus scanning:

• Q:\ (Quorum drive)
• C:\Windows\Cluster

If you back up the database to a disk or if you back up the transaction log to a disk, you can exclude the backup files from the virus scanning.

 

Especially for MSDTC (if used extensively): https://msdn.microsoft.com/en-us/library/cc615012(v=bts.10).aspx

 

MOST IMPORTANT: Detours or similar techniques may cause unexpected behaviors with SQL Server

 

Refer to https://support.microsoft.com/en-us/help/920925/detours-or-similar-techniques-may-cause-unexpected-behaviors-with-sql-server

 

Antivirus programs that track SQL injection attacks can detour SQL Server code. In this scenario, the output of the !for_each_module “!chkimg -v @#Base -d” extension may show that the SQL Server functions yyparse and ex_raise2 are modified:

 

It is recommended to contact the provider of the detours or similar techniques for detailed information about how it uses the detours in SQL Server. Microsoft does not warrant or certify these third-party products or how the third-party products interact with Microsoft products and services. Instead, third-party vendors are responsible for the identification and trustworthiness of their products and services.

 

To identify is any third party module is loading its DLL’s in the SQL Server address space, please use (sys.dm_os_loaded_modules) to see if DLL is loaded in the process of SQL Server.exe and verify with the vendor.

 

select product_version,
language, description, name from
sys.dm_os_loaded_modules

where company not
like
‘Microsoft Corporation’

 

 

Hope this helps!

 

References:

https://blogs.technet.microsoft.com/jeff_stokes/2010/05/28/anti-virus-exclusions-and-you/

https://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx

https://community.mcafee.com/thread/4438?start=40&tstart=0

 

Only for SQL Server:

https://support.microsoft.com/en-us/help/309422/how-to-choose-antivirus-software-to-run-on-computers-that-are-running-sql-server

 

Biz talk and MSDTC AV exclusion:

https://msdn.microsoft.com/en-us/library/cc615012(v=bts.10).aspx