Applies to:
Windows Server 2012, all editions
Windows Server 2012 R2, all editions
Windows Server 2016, all editions
Windows Server 2019, all editions
Windows 7, all editions
Windows 8.1, all editions
Windows 10, all editions
Introduction
Note We recommend that you temporarily apply these settings to evaluate system behavior. If your system performance or stability is improved by the recommendations that are made in this article, contact your antivirus software vendor for instructions or for an updated version or settings of the antivirus software.
Important This article contains information that shows how to help lower security settings or how to temporarily turn off security features on a computer. You can make these changes to understand the nature of a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.
More information
For computers that are running Windows 7 and later versions of Windows
Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.
Note Windows Defender automatically performs virus scanning for you, beginning in Windows Server 2016 (and Windows 10). See Configure Windows Defender Antivirus exclusions on Windows Server.
Notes
- We are aware of the risk of excluding the specific files or folders that are mentioned in this article from scans that are made by your antivirus software. Your system will be safer if you do not exclude any files or folders from scans.
- When you scan these files, performance and operating system reliability problems may occur because of file locking.
- Do not exclude any one of these files based on the file name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extensions as the files that are described in this article.
- This article provides both file names and folders that can be excluded. All the files and folders that are described in this article are protected by default permissions to allow only SYSTEM and administrator access, and they contain only operating system components. Excluding an entire folder may be simpler but may not provide as much protection as excluding specific files based on file names.
Turn off scanning of Windows Update or Automatic Update related files
- Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder:%windir%\SoftwareDistribution\Datastore
- Turn off scanning of the log files that are located in the following folder:%windir%\SoftwareDistribution\Datastore\Logs
Specifically, exclude the following files:
- Edb*.jrs
- Edb.chk
- Tmp.edb
- The wildcard character (*) indicates that there may be several files.
Turn off scanning of Windows Security files
- Add the following files in the %windir%\Security\Database path of the exclusions list:
- *.edb
- *.sdb
- *.log
- *.chk
- *.jrs
- *.xml
- *.csv
- *.cmtx
Note If these files are not excluded, antivirus software may prevent proper access to these files, and security databases can become corrupted. Scanning these files can prevent the files from being used or may prevent a security policy from being applied to the files. These files should not be scanned because antivirus software may not correctly treat them as proprietary database files.
These are the recommended exclusions. There may be other file types that are not included in this article that should be excluded.
Turn off scanning of Group Policy-related files
- Group Policy user registry information. These files are located in the following folder:%allusersprofile%\
Specifically, exclude the following file:
NTUser.pol - Group Policy client settings files. These files are located in the following folder:%SystemRoot%\System32\GroupPolicy\Machine\
%SystemRoot%\System32\GroupPolicy\User\Specifically, exclude the following files:
Registry.pol
Registry.tmp
Turn off scanning of user profile files
- User registry information and supporting files. The files are located in the following folder:userprofile%\
Specifically, exclude the following files:
NTUser.dat*
Running antivirus software on domain controllers
Because domain controllers provide an important service to clients, the risk of disruption of their activities from malicious code, from malware, or from a virus must be minimized. Antivirus software is the generally accepted way to reduce the risk of infection. Install and configure antivirus software so that the risk to the domain controller is reduced as much as possible and performance is affected as little as possible. The following list contains recommendations to help you configure and install antivirus software on a Windows Server domain controller.
Warning We recommend that you apply the following specified configuration to a test system to make sure that in your specific environment it does not introduce unexpected factors or compromise the stability of the system. The risk from too much scanning is that files are inappropriately flagged as changed. This causes too much replication in Active Directory. If testing verifies that replication is not affected by the following recommendations, you can apply the antivirus software to the production environment.
Note Specific recommendations from antivirus software vendors may supersede the recommendations in this article.
- Antivirus software must be installed on all domain controllers in the enterprise. Ideally, try to install such software on all other server and client systems that have to interact with the domain controllers. It is optimal to catch the malware at the earliest point, such as at the firewall or at the client system where the malware is introduced. This prevents the malware from ever reaching the infrastructure systems that the clients depend on.
- Use a version of antivirus software that is designed to work with Active Directory domain controllers and that uses the correct Application Programming Interfaces (APIs) to access files on the server. Older versions of most vendor software inappropriately change a file's metadata as the file is scanned. This causes the File Replication Service engine to recognize a file change and therefore schedule the file for replication. Newer versions prevent this problem.
For more information, see the following article in the Microsoft Knowledge Base:815263 Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service - Do not use a domain controller to browse the Internet or to perform other activities that may introduce malicious code.
- We recommend that you minimize the workloads on domain controllers. When possible, avoid using domain controllers in a file server role. This lowers virus-scanning activity on file shares and minimizes performance overhead.
- Do not put Active Directory or FRS database and log files on NTFS file system compressed volumes.
Turn off scanning of Active Directory and Active Directory-related files
- Exclude the Main NTDS database files. The location of these files is specified in the following registr subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
The default location is %windir%\Ntds. Specifically, exclude the following files:
Ntds.dit
Ntds.pat - Exclude the Active Directory transaction log files. The location of these files is specified in the following registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
The default location is %windir%\Ntds. Specifically, exclude the following files:
- EDB*.log
- Res*.log
- Edb*.jrs
- Ntds.pat
- Exclude the files in the NTDS Working folder that is specified in the following registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
Specifically, exclude the following files:
- Temp.edb
- Edb.chk
Turn off scanning of SYSVOL files
- Turn off scanning of files in the File Replication Service (FRS) Working folder that is specified in the following registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
The default location is %windir%\Ntfrs. Exclude the following files that exist in the folder:
- edb.chk in the %windir%\Ntfrs\jet\sys folder
- Ntfrs.jdb in the %windir%\Ntfrs\jet folder
- *.log in the %windir%\Ntfrs\jet\log folder
- Turn off scanning of files in the FRS Database Log files that are specified in the following registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory
The default location is %windir%\Ntfrs. Exclude the following files.
Note Settings for specific file exclusions is documented here for completeness. By default, these folders allow access only to System and Administrators. Please verify that the correct protections are in place. These folders contain only component working files for FRS and DFSR.
- Edb*.log (if the registry key is not set)
- FRS Working Dir\Jet\Log\Edb*.jrs
- Turn off scanning of the NTFRS Staging folder as specified in the following registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage
By default, staging uses the following location:
%systemroot%\Sysvol\Staging areas - Turn off scanning of the DFSR Staging folder as specified in the msDFSR-StagingPath attribute of the object CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DomainControllerName,OU=Domain Controllers,DC=DomainName in AD DS. This attribute contains the path to the actual location that DFS replication uses to stage files. Specifically, exclude the following files:
- Ntfrs_cmp*.*
- *.frx
- Turn off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder.
The current location of the Sysvol\Sysvol or SYSVOL_DFSR\Sysvol folder and all the subfolders is the file system reparse target of the replica set root. The Sysvol\Sysvol and SYSVOL_DFSR\Sysvol folders use the following locations by default:
%systemroot%\Sysvol\Domain
%systemroot%\Sysvol_DFSR\DomainThe path to the currently active SYSVOL is referenced by the NETLOGON share and can be determined by the SysVol value name in the following subkey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
- Exclude the following files from this folder and all its subfolders:
- *.adm
- *.admx
- *.adml
- Registry.pol
- Registry.tmp
- *.aas
- *.inf
- Scripts.ini
- *.ins
- Oscfilter.ini
- Turn off scanning of files in the FRS Preinstall folder that is in the following location:Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
The Preinstall folder is always open when FRS is running.
Exclude the following files from this folder and all its subfolders:
- Ntfrs*.*
- Turn off scanning of files in the DFSR database and working folders. The location is specified by the following registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File=Path
In this registry subkey, "Path" is the path of an XML file that states the name of the Replication Group. In this example, the path would contain "Domain System Volume."
The default location is the following hidden folder:
%systemdrive%\System Volume Information\DFSRExclude the following files from this folder and all its subfolders:
If any one of these folders or files is moved or is put in a different location, scan or exclude the equivalent element.
- $db_normal$
- FileIDTable_*
- SimilarityTable_*
- *.xml
- $db_dirty$
- $db_clean$
- $db_lost$
- Dfsr.db
- Fsr.chk
- *.frx
- *.log
- Fsr*.jrs
- Tmp.edb
Turn off scanning of DFS files
The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS or DFSR is used to replicate shares that are mapped to the DFS root and link targets on Windows Server 2008 R2-based or Windows Server 2008-based member computers or domain controllers.
Turn off scanning of DHCP files
By default, DHCP files that should be excluded are present in the following folder on the server:
Exclude the following files from this folder and all its subfolders:
- *.mdb
- *.pat
- *.log
- *.chk
- *.edb
The location of DHCP files can be changed. To determine the current location of the DHCP files on the server, check the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters that are specified in the following registry subkey:
Turn off scanning of DNS files
By default, DNS uses the following folder:
Exclude the following files from this folder and all its subfolders:
- *.log
- *.dns
- BOOT
Turn off scanning of WINS files
By default, WINS uses the following folder:
Exclude the following files from this folder and all its subfolders:
- *.chk
- *.log
- *.mdb
For computers that are running Hyper-V based versions of Windows
In some scenarios, on a Windows Server 2008-based computer that has the Hyper-V role installed or on a Microsoft Hyper-V Server 2008 or on a Microsoft Hyper-V Server 2008 R2-based computer, it may be necessary to configure the real-time scanning component within the antivirus software to exclude files and entire folders. For more information, see the following article in the Microsoft Knowledge Base: