Virus scanning recommendations for Windows from Microsoft

Microsoft has published a Knowledge Base article with recommendations for improving Windows performance in an enterprise environment when running antivirus scanners. Microsoft recommends that you not scan the following files and folders with your antivirus scanner. These files are not at risk of infection. If you scan these files, serious performance problems may occur because of file locking.


Where a specific set of files is identified by name, exclude only those files instead of the whole folder. Sometimes, the whole folder must be excluded. Do not exclude any one of these based on the file name extension.

Files you may exclude from Antivirus scans

Microsoft Windows Update or Automatic Update related files:

1) The Windows Update or Automatic Update database file. This file is located in the following folder:

%windir%\SoftwareDistribution\Datastore

Exclude the Datastore.edb file.

2) The transaction log files. These files are located in the following folder:

%windir%\SoftwareDistribution\Datastore\Logs

Exclude the following files:

a) Edb*.log

b) Res1.log. The file is named Edbres00001.jrs for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.

c) Res2.log. The file is named Edbres00002.jrs for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.

d) Edb.chk

e) Tmp.edb

f) The following files in the %windir%\security path should be added to the exclusions list:

  • *.edb
  • *.sdb
  • *.log
  • *.chk

Note: If these files are not excluded, security databases are typically corrupted, and Group Policy cannot be applied when you scan the folder.

Group Policy related files:

1) Group Policy user registry information. These files are located in the following folder:

%allusersprofile%\

Exclude the following file: NTUser.pol

2) Group Policy client settings file. These files are located in the following folder:

%Systemroot%\system32\GroupPolicy\

Exclude the following file: registry.pol
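
The post advises excluding only the named files rather than the whole folder, because anything else in an excluded folder also goes unscanned. The following PowerShell is an added example (not from the Microsoft article or the original post) that lists files in these folders whose names do not match the patterns above. The function name `Get-UnlistedFile` and the choice to recurse into `%windir%\security` are assumptions made for this sketch.

```powershell
# Added audit sketch. Folders and file-name patterns are copied from the list above.
function Get-UnlistedFile {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string[]]$Pattern,
        [switch]$Recurse
    )
    # Skip folders that do not exist on this Windows version.
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) { return }

    Get-ChildItem -LiteralPath $Folder -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.Name
            # Keep the file only if no listed pattern matches its name (-like is case-insensitive).
            -not ($Pattern | Where-Object { $name -like $_ })
        } |
        Select-Object FullName, Length, LastWriteTime
}

$targets = @(
    @{ Folder = "$env:windir\SoftwareDistribution\Datastore"; Pattern = 'Datastore.edb' }
    @{ Folder = "$env:windir\SoftwareDistribution\Datastore\Logs"
       Pattern = 'Edb*.log', 'Res1.log', 'Res2.log', 'Edbres00001.jrs', 'Edbres00002.jrs', 'Edb.chk', 'Tmp.edb' }
    # Assumption: the security databases sit in subfolders, so this entry recurses.
    @{ Folder = "$env:windir\security"; Pattern = '*.edb', '*.sdb', '*.log', '*.chk'; Recurse = $true }
    @{ Folder = "$env:ALLUSERSPROFILE"; Pattern = 'NTUser.pol' }
    @{ Folder = "$env:SystemRoot\System32\GroupPolicy"; Pattern = 'registry.pol' }
)

# Every file printed here would go unscanned if the whole folder were excluded.
foreach ($t in $targets) {
    Get-UnlistedFile @t
}
```

Run it from an elevated prompt, since several of these folders are not readable by standard users and unreadable entries are skipped silently.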

For the corresponding files on Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, and Windows XP, see KB822158.

However, Trend Micro does not agree with it completely:

Following the recommendations does not pose a significant threat as of now but it has a very big potential of being one. Cybercriminals may strategically drop or download a malicious file into one of the folders that are recommended to be excluded from scanning or use a file name extension that is also in the excluded list. We find it sensible for users to aim for better system performance. However, we also think that excluding certain file types or folders from anti virus scanning is not something novice users should tinker with. Doing so may expose the system to risks that can lead to an inconvenience far more severe than a slightly slower system. In line with this, we advise users to educate themselves fully about these recommendations before taking any action. We recommend users not to exclude any file unless there is a critical reason to do so and be aware of the risks entailed by such an action.

Hope you find this post useful!

Anand Khanse aka HappyAndyK is an end-user Windows enthusiast, a Microsoft MVP in Windows since 2006, and the Admin of TheWindowsClub.com.
  • Kai

    Great article, thanks!

  • http://www.greggdeselms.com/ Gregg L. DesElms

    TREND MICRO WROTE: …we … think that excluding certain file types or folders from anti virus scanning is not something novice users should tinker with. Doing so may expose the system to risks that can lead to an inconvenience far more severe than a slightly slower system.

    MY RESPONSE: Amen.

    Gregg L. DesElms
    Napa, California USA
    gregg at greggdeselms dot com

  • http://www.facebook.com/xAndrewH1993x Andrew Howe

    Fuck Trend Micro, THANK YOU WINDOWS CLUB. This is a Windows forum, not a Trend Micro forum, last time I checked. Trend Micro sucks anyway, even with their stupid metro browser they made, smh

  • http://www.facebook.com/xAndrewH1993x Andrew Howe

    I think this is the problem with today’s society: when do companies make our decision when it comes to what we do with what we buy??? Also same when it comes to Congress, but that's a different story. But seriously, I think everything should be unlocked so that a user can have full access with what they got and learn how to work technology and understand the way it runs and how to better protect themselves. It's honestly at this point about keeping your nose clean on the internet…… seriously, fuck all these companies that limit our ability to access the root level of technology
