Virus scanning recommendations for computers that are running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, or Windows Vista

Article ID: 822158 - Last Review: September 4, 2009 - Revision: 11.0

This article contains recommendations that may help you protect a computer that is running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Microsoft Windows 2000, Windows XP, or Windows Vista from viruses. This article also contains information to help you minimize the effect of antivirus software on system and network performance.

For computers that are running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, or Windows Vista

Do not scan the following files and folders. These files are not at risk of infection. If you scan these files, serious performance problems may occur because of file locking. Where a specific set of files is identified by name, exclude only those files instead of the whole folder. Sometimes, the whole folder must be excluded. Do not exclude any of these based on the file name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extensions as the following files:

- Microsoft Windows Update or Automatic Update related files

  - The Windows Update or Automatic Update database file. This file is located in the following folder: %windir%\SoftwareDistribution\Datastore
    Exclude the Datastore.edb file.

  - The transaction log files. These files are located in the following folder: %windir%\SoftwareDistribution\Datastore\Logs
    Exclude the following files:
    - Edb*.log
      Note The wildcard character indicates that there may be several files.
    - Res1.log. The file is named Edbres00001.jrs for Windows Vista and Windows Server 2008
    - Res2.log. The file is named Edbres00002.jrs for Windows Vista and Windows Server 2008
    - Edb.chk
    - Tmp.edb

- The following files in the %windir%\security path should be added to the exclusions list:
  Note If these files are not excluded, security databases are typically corrupted, and Group Policy cannot be applied when you scan the folder. The wildcard character indicates that there may be several files. Specifically, you must exclude the following files:
  - *.edb
  - *.sdb
  - *.log
  - *.chk
  - Edb.chk
  - Edb.log
  - *.log
  - Security.sdb in the <drive>:\windows\security\database folder

- Group Policy related files
  For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
  951059 (http://support.microsoft.com/kb/951059/ ) On a Windows Server 2003-based computer, registry-based policy settings are unexpectedly removed after a user logs on to the computer
  930597 (http://support.microsoft.com/kb/930597/ ) Some registry-based policy settings are lost and error messages are logged in the Application log on a Windows XP-based computer or on a Windows Vista-based computer

  - Group Policy user registry information. These files are located in the following folder: %allusersprofile%\
    Exclude the following file: NTUser.pol

  - Group Policy client settings file. These files are located in the following folder: %Systemroot%\system32\GroupPolicy\
    Exclude the following file: registry.pol

For Windows Server 2008, Windows Server 2003, and Windows 2000 domain controllers

Because domain controllers provide an important service to clients, the risk of disruption of their activities from malicious code from a virus must be minimized. Antivirus software is the generally accepted way to lessen the risk of virus infection. Install and configure antivirus software so that the risk to the domain controller is reduced as much as possible and so that performance is affected as little as possible. The following list contains recommendations to help you configure and install antivirus software on a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or on a Windows 2000 domain controller:

Warning We recommend that you apply the following specified configuration to a test configuration to make sure that in your specific environment it does not introduce unexpected factors or compromise the stability of the system. The risk from too much scanning is that files are inappropriately flagged as having been changed. This results in too much replication in Active Directory. If testing verifies that replication is not affected by the following recommendations, you can apply the antivirus software to the production environment.

Note Specific recommendations from antivirus software vendors may supersede the recommendations in this article.

- Antivirus software must be installed on all domain controllers in the enterprise. Ideally, try to install such software on all other server and client systems that have to interact with the domain controllers. It is optimal to catch the virus at the earliest point, such as at the firewall or at the client system where the virus is first introduced. This prevents the virus from ever reaching the infrastructure systems that the clients depend on.

- Use a version of antivirus software that is designed to work with Active Directory domain controllers and that uses the correct Application Programming Interfaces (APIs) to access files on the server. Older versions of most vendor software inappropriately change file metadata as it is scanned. This causes the File Replication Service engine to recognize a file change and therefore schedule the file for replication. Newer versions prevent this problem. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
  815263 (http://support.microsoft.com/kb/815263/ ) Antivirus, backup, and disk optimization programs that are compatible with the File Replication service

- Do not use a domain controller to browse the Web or to perform any other activities that may introduce malicious code.

- When you can, do not use the domain controller as a file sharing server. Virus scanning software must run against all files in those shares, and this can put an unsatisfactory load on the processor and the memory resources of the server.

- Do not put Active Directory or FRS database and log files on NTFS file system compressed volumes. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
  318116 (http://support.microsoft.com/kb/318116/ ) Issues with Jet Databases on compressed drives

- Do not scan the following files and folders. These files are not at risk of infection, and if you include them, this may cause serious performance problems because of file locking. Where a specific set of files is identified by name, exclude only those files instead of the whole folder. Sometimes, the whole folder must be excluded. Do not exclude any of these based on the file-name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extensions as those shown here.

  Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
  322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

  - Active Directory and Active Directory-related files:

    - Main NTDS database files. The location of these files is specified in the following registry key:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
      The default location is %windir%\ntds. Exclude the following files:
      Ntds.dit

Ntds.pat

    - Active Directory transaction log files. The location of these files is specified in the following registry key:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
      The default location is %windir%\ntds. Exclude the following files:
      EDB*.log (The wildcard character indicates that there may be several files.)
      Res1.log (The file is named Edbres00001.jrs for Windows Vista, Windows Server 2008, and Windows Server 2008 R2.)
      Res2.log (The file is named Edbres00002.jrs for Windows Vista, Windows Server 2008, and Windows Server 2008 R2.)
      Ntds.pat
      Note Windows Server 2003 no longer uses the Ntds.pat file.

    - The NTDS Working folder that is specified in the following registry key:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
      Exclude the following files:
      Temp.edb
      Edb.chk

  - SYSVOL files:

    - The File Replication Service (FRS) Working folder that is specified in the following registry key:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
      Exclude the following files:
      FRS Working Dir\jet\sys\edb.chk
      FRS Working Dir\jet\ntfrs.jdb
      FRS Working Dir\jet\log\*.log

    - The FRS Database Log files that are located in the following registry key:
      HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\DB Log File Directory
      The default location is %windir%\ntfrs. Exclude the following files:
      FRS Working Dir\jet\log\*.log (if the registry key is not set)
      FRS Working Dir\jet\log\edbres00001.jrs (Windows Vista, Windows Server 2008, and Windows Server 2008 R2)
      FRS Working Dir\jet\log\edbres00002.jrs (Windows Vista, Windows Server 2008, and Windows Server 2008 R2)
      DB Log File Directory\log\*.log (if the registry key is set)

    - The Staging folder that is specified in the following registry key and all the Staging folder's subfolders:
      HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage
      The current location of the Staging folder and all its subfolders is the file system reparse target of the replica set staging folders. Staging defaults to the following location:
      %systemroot%\sysvol\staging areas
      The current location of the SYSVOL\SYSVOL folder and all its subfolders is the file system reparse target of the replica set root. The SYSVOL\SYSVOL folder defaults to the following location:
      %systemroot%\sysvol\sysvol

    - The FRS Preinstall folder that is in the following location:
      Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
      The Preinstall folder is always open when FRS is running.

    In summary, the targeted and excluded list of folders for a SYSVOL tree that is placed in its default location would look similar to the following. If any one of these folders or files has been moved or placed in a different location, scan or exclude the equivalent element.

      1. %systemroot%\sysvol                                                  Exclude
      2. %systemroot%\sysvol\domain                                           Scan
      3. %systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory  Exclude
      4. %systemroot%\sysvol\domain\Policies                                  Scan
      5. %systemroot%\sysvol\domain\Scripts                                   Scan
      6. %systemroot%\sysvol\staging                                          Exclude
      7. %systemroot%\sysvol\staging areas                                    Exclude
      8. %systemroot%\sysvol\sysvol                                           Exclude
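    The summary table above, turned into a check that can be run on the domain controller. This is an added PowerShell example, not code from the Knowledge Base article: it lists each path of the default SYSVOL tree with its Scan or Exclude action, reports which ones are missing (SYSVOL was moved, so the equivalent element must be located), and flags entries that carry the reparse-point attribute, since the article notes that the staging and SYSVOL\SYSVOL folders are reparse targets and an exclusion on the junction alone may not cover the target folder. The function name Get-SysvolScanPolicy and the output shape are this example's own; the default %systemroot%\sysvol location is assumed unless another root is passed.

```powershell
# Added example, not from KB 822158: classify the default SYSVOL tree as the
# article's summary table does and flag reparse points (junctions).
# Function name and output shape are this example's own choices.

function Get-SysvolScanPolicy {
    param([string]$SysvolRoot = (Join-Path $env:SystemRoot 'sysvol'))

    # Relative path -> action, row for row from the summary table.
    $rows = @(
        @{ Rel = '';                                                Action = 'Exclude' },
        @{ Rel = 'domain';                                          Action = 'Scan'    },
        @{ Rel = 'domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory'; Action = 'Exclude' },
        @{ Rel = 'domain\Policies';                                 Action = 'Scan'    },
        @{ Rel = 'domain\Scripts';                                  Action = 'Scan'    },
        @{ Rel = 'staging';                                         Action = 'Exclude' },
        @{ Rel = 'staging areas';                                   Action = 'Exclude' },
        @{ Rel = 'sysvol';                                          Action = 'Exclude' }
    )

    foreach ($row in $rows) {
        $path = if ($row.Rel) { Join-Path $SysvolRoot $row.Rel } else { $SysvolRoot }
        $exists = Test-Path -LiteralPath $path -PathType Container
        $isReparse = $false
        if ($exists) {
            # A junction carries the ReparsePoint attribute; the real folder is its target.
            $attrs = (Get-Item -LiteralPath $path -Force).Attributes
            $isReparse = ($attrs -band [System.IO.FileAttributes]::ReparsePoint) -ne 0
        }
        # New-Object PSObject keeps this runnable on the PowerShell 2.0 of the article's era.
        New-Object PSObject -Property @{
            Path         = $path
            Action       = $row.Action
            Exists       = $exists
            ReparsePoint = $isReparse
        }
    }
}

# Full table first, then only the entries that need attention: folders that are
# missing (locate the equivalent element) or that are junctions (exclude the target too).
$policy = Get-SysvolScanPolicy
$policy | Format-Table Path, Action, Exists, ReparsePoint -AutoSize
$policy | Where-Object { -not $_.Exists -or $_.ReparsePoint } |
    Format-Table Path, Action, Exists, ReparsePoint -AutoSize
```

    Run it in an elevated shell on the domain controller; pass -SysvolRoot when SYSVOL was promoted to a non-default path.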

  - DFS
    The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS is used to replicate shares that are mapped to the DFS root and link targets on Windows Server 2008-based, Windows Server 2003-based, or Windows 2000-based member computers or domain controllers.

  - DHCP
    By default, DHCP files that should be excluded are present in the following folder on the server: %systemroot%\System32\DHCP
    Note You should exclude all files and subfolders that exist in this folder.
    The location of DHCP files can be changed. To determine the current location of the DHCP files on the server, check the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters under the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\DHCPServer\Parameters

- DNS: You should exclude all files and subfolders that exist in the following folder: %systemroot%\system32\dns

- WINS: You should exclude all files and subfolders that exist in the following folder: %systemroot%\system32\wins
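The domain controller exclusions above are defined mostly by registry values (the NTDS, NtFrs and DHCPServer Parameters keys) with a stated default when a value is not set, so the list differs from server to server. The following is an added PowerShell example, not the article's own code, that resolves those values on the machine it runs on, falls back to the article's defaults, and picks the reserve log file names by OS version as the article describes (Edbres0000N.jrs on Windows Vista, Windows Server 2008 and 2008 R2; Res1.log and Res2.log earlier). The helper names (Get-RegString, Resolve-Dir, New-Exclusion, Get-DomainControllerExclusions) are this example's own, and the %systemroot%\ntds default used for DSA Working Directory is an assumption the article does not state. The resulting list is what you compare against the antivirus product's exclusion configuration.

```powershell
# Added example, not from KB 822158: resolve the domain-controller exclusions
# from the registry values the article names, using the article's defaults
# when a value is absent. Helper names are this example's own.

function Get-RegString {
    # Registry string value with environment variables expanded, or $null if unset.
    param([string]$Key, [string]$Name)
    $props = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($props -and $props.$Name) {
        return [Environment]::ExpandEnvironmentVariables([string]$props.$Name)
    }
    return $null
}

function Resolve-Dir {
    # Directory from the registry, or the supplied default; Source records which one won.
    param([string]$Key, [string]$Name, [string]$Default)
    $v = Get-RegString $Key $Name
    if ($v) { @{ Dir = $v; Source = 'registry' } } else { @{ Dir = $Default; Source = 'default' } }
}

function New-Exclusion {
    param([string]$Component, [string]$Path, [string]$Source)
    New-Object PSObject -Property @{ Component = $Component; Path = $Path; Source = $Source }
}

function Get-DomainControllerExclusions {
    $root    = $env:SystemRoot
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $frsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
    $dhcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

    # Vista / Server 2008 / 2008 R2 (NT 6.x) name the reserve logs Edbres0000N.jrs;
    # Windows 2000 / 2003 use Res1.log / Res2.log (for FRS those are already covered by *.log).
    $nt6 = [Environment]::OSVersion.Version.Major -ge 6
    $ntdsReserve = if ($nt6) { 'Edbres00001.jrs', 'Edbres00002.jrs' } else { 'Res1.log', 'Res2.log' }
    $frsReserve  = if ($nt6) { 'edbres00001.jrs', 'edbres00002.jrs' } else { @() }

    # --- Active Directory database, transaction logs, working folder ---
    $dit = Get-RegString $ntdsKey 'DSA Database File'     # full path to Ntds.dit
    if ($dit) { $db = @{ Dir = (Split-Path -Parent $dit); Source = 'registry' } }
    else      { $db = @{ Dir = (Join-Path $root 'ntds');  Source = 'default'  } }
    foreach ($f in 'Ntds.dit', 'Ntds.pat') { New-Exclusion 'NTDS database' (Join-Path $db.Dir $f) $db.Source }

    $log = Resolve-Dir $ntdsKey 'Database Log Files Path' (Join-Path $root 'ntds')
    foreach ($f in (@('EDB*.log') + $ntdsReserve)) { New-Exclusion 'NTDS logs' (Join-Path $log.Dir $f) $log.Source }

    # Default for the working folder is an assumption; the article states none.
    $work = Resolve-Dir $ntdsKey 'DSA Working Directory' (Join-Path $root 'ntds')
    foreach ($f in 'Temp.edb', 'Edb.chk') { New-Exclusion 'NTDS working' (Join-Path $work.Dir $f) $work.Source }

    # --- FRS jet database, checkpoint and logs ---
    $frs = Resolve-Dir $frsKey 'Working Directory' (Join-Path $root 'ntfrs')
    foreach ($rel in 'jet\sys\edb.chk', 'jet\ntfrs.jdb') { New-Exclusion 'FRS' (Join-Path $frs.Dir $rel) $frs.Source }
    # Logs sit under <Working Directory>\jet\log unless DB Log File Directory is set.
    $frsLog = Get-RegString $frsKey 'DB Log File Directory'
    $logDir = if ($frsLog) { Join-Path $frsLog 'log' } else { Join-Path $frs.Dir 'jet\log' }
    $logSrc = if ($frsLog) { 'registry' } else { 'default' }
    foreach ($f in (@('*.log') + $frsReserve)) { New-Exclusion 'FRS logs' (Join-Path $logDir $f) $logSrc }

    # --- FRS staging folders: one Replica Set Stage value per replica set ---
    $stages = @()
    foreach ($set in @(Get-ChildItem -Path (Join-Path $frsKey 'Replica Sets') -ErrorAction SilentlyContinue)) {
        $s = Get-RegString $set.PSPath 'Replica Set Stage'
        if ($s) { $stages += $s }
    }
    if ($stages.Count -gt 0) { foreach ($s in $stages) { New-Exclusion 'FRS staging' $s 'registry' } }
    else { New-Exclusion 'FRS staging' (Join-Path $root 'sysvol\staging areas') 'default' }
    New-Exclusion 'FRS preinstall' (Join-Path $root 'sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory') 'default'

    # --- DHCP: whole folder(s); the three path values may relocate it ---
    $dhcp = @()
    foreach ($n in 'DatabasePath', 'DhcpLogFilePath', 'BackupDatabasePath') {
        $v = Get-RegString $dhcpKey $n
        if ($v) { $dhcp += $v }
    }
    if ($dhcp.Count -gt 0) { foreach ($d in ($dhcp | Select-Object -Unique)) { New-Exclusion 'DHCP' $d 'registry' } }
    else { New-Exclusion 'DHCP' (Join-Path $root 'System32\DHCP') 'default' }

    # --- DNS and WINS: whole folders ---
    New-Exclusion 'DNS'  (Join-Path $root 'System32\dns')  'default'
    New-Exclusion 'WINS' (Join-Path $root 'System32\wins') 'default'
}

Get-DomainControllerExclusions | Format-Table Component, Path, Source -AutoSize
```

Every row is an explicit path under a named folder, never a bare extension, which keeps the list within the article's rule against excluding by extension. Rows marked "registry" are the ones most worth re-checking after a database or log relocation, because the product's exclusion list will not follow the registry on its own.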

Applies to:
- Windows Server 2008 Standard
- Windows Server 2008 Standard without Hyper-V
- Windows Server 2008 Enterprise
- Windows Server 2008 Enterprise without Hyper-V
- Windows Server 2008 Datacenter
- Windows Server 2008 Datacenter without Hyper-V
- Windows Server 2008 for Itanium-Based Systems
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows XP Professional
- Microsoft Windows XP Home Edition
- Microsoft Windows XP Tablet PC Edition
- Microsoft Windows XP Media Center Edition 2005 Update Rollup 2
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server
- Windows Vista Business
- Windows Vista Business 64-bit Edition
- Windows Vista Enterprise
- Windows Vista Enterprise 64-bit Edition
- Windows Vista Home Basic
- Windows Vista Home Basic 64-bit Edition
- Windows Vista Home Premium
- Windows Vista Home Premium 64-bit Edition
- Windows Vista Ultimate
- Windows Server 2008 Foundation
- Windows Server 2008 R2 Datacenter
- Windows Server 2008 R2 Datacenter without Hyper-V
- Windows Server 2008 R2 Enterprise
- Windows Server 2008 R2 Enterprise without Hyper-V
- Windows Server 2008 R2 Standard
- Windows Server 2008 R2 Standard without Hyper-V
- Windows Web Server 2008 R2

©2009 Microsoft

Keywords: kbinfo kbprb KB822158