25
2017
Antivirus Exclusion List for SQL Server
After struggling a lot and working with the vendor, I identified the list of exclusions for SQL Server related to antivirus software (McAfee, Symantec, etc.). The details can be found in this link; the last one is important as it impacts performance.
Directories and file-name extensions to exclude from virus scanning
When you configure your antivirus software settings, make sure that you exclude the following files or directories (as applicable) from virus scanning. Doing this improves the performance of the files and helps make sure that the files are not locked when the SQL Server service must use them. However, if these files become infected, your antivirus software cannot detect the infection.
The official exceptions in the KB are:
– SQL Server data files (*.mdf, *.ldf, *.ndf)
– Backup files (*.trn, *.tuf, *.bak usually)
– Full text catalog files. This is the FTData folder in SQL Server
– The directory that holds Analysis Services data
– Trace files (*.trc, *.xel)
– Audit Files (These files have the .sqlaudit file-name extension)
– TSQL Files (.sql file extension)
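Extension-based exclusions only help if the instance's files actually use those extensions, and every excluded folder is a place an infection can go undetected. The T-SQL below is an added example, not part of the original post or the KB: it inventories the folders and extensions this instance records for database files and disk backups, and marks extensions that fall outside the list above (the CTE and column aliases are illustrative names).

```sql
-- Added example: where do this instance's database and backup files live,
-- and do their extensions match the extension-based exclusions listed above?
WITH files AS (
    -- Data, log, FILESTREAM and full-text files of every database.
    SELECT mf.type_desc     COLLATE DATABASE_DEFAULT AS file_kind,
           mf.physical_name COLLATE DATABASE_DEFAULT AS file_path
    FROM sys.master_files AS mf
    UNION ALL
    -- Backup targets recorded in msdb history; device_type 2 = disk.
    -- History can include paths that no longer exist or came from restores.
    SELECT N'BACKUP'                COLLATE DATABASE_DEFAULT,
           bmf.physical_device_name COLLATE DATABASE_DEFAULT
    FROM msdb.dbo.backupmediafamily AS bmf
    WHERE bmf.device_type = 2
),
parsed AS (
    SELECT file_kind,
           -- Everything before the last backslash (whole string if none).
           LEFT(file_path,
                LEN(file_path) - CHARINDEX(N'\', REVERSE(file_path))) AS folder,
           -- Text from the last dot onward, e.g. '.mdf' (empty if no dot).
           -- FILESTREAM containers are folders, so they show up as unlisted.
           LOWER(RIGHT(file_path,
                       CHARINDEX(N'.', REVERSE(file_path)))) AS extension
    FROM files
)
SELECT file_kind,
       folder,
       extension,
       COUNT(*) AS file_count,
       CASE WHEN extension IN (N'.mdf', N'.ldf', N'.ndf',
                               N'.trn', N'.tuf', N'.bak')
            THEN 'listed extension'
            ELSE 'NOT in extension list'
       END AS extension_rule
FROM parsed
GROUP BY file_kind, folder, extension
ORDER BY extension_rule DESC, folder, extension;
```

Rows marked NOT in extension list are files an extension-only exclusion would still scan; the folder column shows how narrowly a path-based exclusion could be scoped instead of excluding whole drives.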
Processes to exclude from virus scanning
- %ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr.exe
- %ProgramFiles%\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
- %ProgramFiles%\Microsoft SQL Server\MSAS11.<Instance Name>\OLAP\Bin\MSMDSrv.exe
If you are running antivirus software on a cluster, make sure that you also exclude these locations from virus scanning:
- Q:\ (Quorum drive)
- C:\Windows\Cluster
If you back up the database to a disk or if you back up the transaction log to a disk, you can exclude the backup files from the virus scanning.
Especially for MSDTC (if used extensively): https://msdn.microsoft.com/en-us/library/cc615012(v=bts.10).aspx
MOST IMPORTANT: Detours or similar techniques may cause unexpected behaviors with SQL Server
Antivirus programs that track SQL injection attacks can detour SQL Server code. In this scenario, the output of the !for_each_module "!chkimg -v @#Base -d" extension may show that the SQL Server functions yyparse and ex_raise2 are modified:
It is recommended to contact the provider of the detours or similar techniques for detailed information about how it uses the detours in SQL Server. Microsoft does not warrant or certify these third-party products or how the third-party products interact with Microsoft products and services. Instead, third-party vendors are responsible for the identification and trustworthiness of their products and services.
To identify whether any third-party module is loading its DLLs into the SQL Server address space, query sys.dm_os_loaded_modules to see whether the DLL is loaded in the SQL Server process (SQLServr.exe), and verify with the vendor.
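```sql
-- List modules loaded into the SQL Server process that are not from Microsoft.
-- Rows whose company is NULL are not returned by this filter.
SELECT product_version,
       language,
       description,
       name
FROM sys.dm_os_loaded_modules
WHERE company NOT LIKE 'Microsoft Corporation';
```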
Hope this helps!
References:
https://blogs.technet.microsoft.com/jeff_stokes/2010/05/28/anti-virus-exclusions-and-you/
https://community.mcafee.com/thread/4438?start=40&tstart=0
Only for SQL Server:
BizTalk and MSDTC AV exclusion:
https://msdn.microsoft.com/en-us/library/cc615012(v=bts.10).aspx
