Recommended virus scanner exclusions for a Windows Domain Controller running Active Directory or File Replication Service.

The following files and folders do not need to be scanned. These files are not at risk of infection and, if included, might cause serious performance issues due to file locking. Where a specific set of files is identified by name, exclude only those files instead of the whole folder. Sometimes the whole folder must be excluded. Do not exclude any of these based on the filename extension.

Active Directory and Active Directory-Related Files

Main NTDS Database Files
The location of these files is specified in the following registry key:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File]
The default location is %windir%\ntds.
Exclude the following files:
Ntds.dit
Ntds.pat

Active Directory Transaction Log Files
The location of these files is specified in the following registry key:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path]
The default location is %windir%\ntds.
Exclude the following files:
EDB*.log (the wildcard character indicates that there may be several files)
Res1.log
Res2.log
Ntds.pat

NTDS Working Folder
The location of these files is specified in the following registry key:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory]
Exclude the following files:
Temp.edb
Edb.chk

File Replication Service (FRS)
The location of these files is specified in the following registry key:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory]
Exclude the following files:
FRS Working Dir\jet\sys\edb.chk
FRS Working Dir\jet\ntfrs.jdb
FRS Working Dir\jet\log\*.log

FRS Database Log files
The location of these files is specified in the following registry key:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\DB Log File Directory]
The default location is %windir%\ntfrs. Exclude the following files:
FRS Working Dir\jet\log\*.log (if registry key is not set)
DB Log File Directory\log\*.log (if registry key is set)

Staging folder
The location of the Staging folder is specified in the following registry key. Exclude the folder and all of its sub-folders:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage]
The current location of the Staging folder and all of its sub-folders is the file system reparse target of the replica set staging folders. The location for staging defaults to %systemroot%\sysvol\staging areas.
The current location of the SYSVOL\SYSVOL folder and all of its sub-folders is the file system reparse target of the replica set root. The location for SYSVOL\SYSVOL defaults to %systemroot%\sysvol\sysvol.

FRS Pre-Install Folder
The location of these files is specified in Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
The Preinstall folder is always open when FRS is running.

In summary, the targeted and excluded list of folders for a SYSVOL tree that is placed in its default location would look similar to the following:
%systemroot%\sysvol                                                    Exclude
%systemroot%\sysvol\domain                                             Scan
%systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory    Exclude
%systemroot%\sysvol\domain\Policies                                    Scan
%systemroot%\sysvol\domain\Scripts                                     Scan
%systemroot%\sysvol\staging                                            Exclude
%systemroot%\sysvol\staging areas                                      Exclude
%systemroot%\sysvol\sysvol                                             Exclude
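
The registry lookups described above can be scripted so that the exclusion list follows wherever the database, logs and staging folders were actually placed on a given domain controller. The following PowerShell is an added example, not part of the original article; it only reads the registry and prints paths, and the helper names Get-RegValue and Add-Files are hypothetical.

```powershell
# Added example (read-only): resolve the locations from the registry values
# named in the article and list the matching file-level exclusions.
$svc  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$ntds = "$svc\NTDS\Parameters"
$frs  = "$svc\NtFrs\Parameters"
$list = New-Object 'System.Collections.Generic.List[string]'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns nothing when the key or value is absent (for example, FRS unused).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { [Environment]::ExpandEnvironmentVariables($item.$Name) }
}

function Add-Files([string]$Dir, [string[]]$Names) {
    # Skips silently when the directory could not be resolved.
    if ($Dir) { foreach ($n in $Names) { $list.Add((Join-Path $Dir $n)) } }
}

# 'DSA Database File' stores the full path of Ntds.dit; Ntds.pat sits beside it.
$dit = Get-RegValue $ntds 'DSA Database File'
if ($dit) {
    $list.Add($dit)
    Add-Files (Split-Path $dit -Parent) 'Ntds.pat'
}
Add-Files (Get-RegValue $ntds 'Database Log Files Path') 'EDB*.log', 'Res1.log', 'Res2.log', 'Ntds.pat'
Add-Files (Get-RegValue $ntds 'DSA Working Directory') 'Temp.edb', 'Edb.chk'

# FRS database and checkpoint file under the FRS working directory.
$frsDir = Get-RegValue $frs 'Working Directory'
Add-Files $frsDir 'jet\sys\edb.chk', 'jet\ntfrs.jdb'

# FRS logs move to 'DB Log File Directory' only when that value is set.
$frsLog = Get-RegValue $frs 'DB Log File Directory'
if ($frsLog) { Add-Files $frsLog 'log\*.log' } else { Add-Files $frsDir 'jet\log\*.log' }

# One staging folder per replica set; these are excluded as whole folders.
Get-ChildItem "$frs\Replica Sets" -ErrorAction SilentlyContinue | ForEach-Object {
    $stage = Get-RegValue $_.PSPath 'Replica Set Stage'
    if ($stage) { $list.Add("$stage (folder and all sub-folders)") }
}

# Ntds.pat can be listed twice when database and logs share a folder.
$list | Sort-Object -Unique
```

Comparing this output with the exclusions actually configured in the scanner shows where a whole folder or an extension was excluded instead of the named files.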
