NOD32v4 Server Exclusion List

We have just reasonly bought into NOD32 V4 AntiVirus Business Edition

Installed in on 2 Windows XP Clients all seemed OK - When we installed it on our Windows 2003 Servers it ground them to a halt! - Not Good!

After a short phonecall to the ESET Helpdesk they told me I had to add exclusions. He sent me a document a few links to check out; I have done this -

If I add these will this cure it; Can anyone confirm?

D:\System Files*.* (This contains off our AD Data)
C:\Windows\System32*.* (For DNS, DHCP etc)
C:\Program Files\Microsoft SQL Server (For SQL Server)
C:\Windows\SoftwareDistribution*.*
C:\Windows\Security*.*

Is there any others that I should be aware off and that I should add....?

 

Hello towen,

Adding exclusions should solve the problem you described. However, there are many factors that can cause the same type of issue. You should add the exclusions and then if it still does the same thing, you can either let us know here or call the ESET support line again.

 

Thanks Wayne;

I will give it a go tommorrow; hopefully these exclusions will do the trick...

If not I will be back on the phone to ESET Tech Support UK!

Not a very good start for a new customer to NOD32 I might add!

 

Tried to install this first thing this morning added all the exclusions and made some changes in advanced mode - low and behold the same thing happens - the server came to a grinding halt

Righty after another call to ESET Support Helpdesk;

Apprently I need to use the /* to include all sub folders and files...

So this would be:

D:\System Files/* (This contains off our AD Data)
C:\Windows\System32/* (For DNS, DHCP etc)
C:\Program Files\Microsoft SQL Server/* (For SQL Server)
C:\Windows\SoftwareDistribution/*
C:\Windows\Security/*

Can anyone confirm that I have the correct syntax? As I dont want another morning like I had this morning server lockup

Why can't ESET just create a general exceptions for standard Microsoft Components! - Surely this is not to much to ask is it?

 

If you need the /* then that's the first I've heard about it....and I don't have that on any of my servers. That said, I do have two servers which crash and burn with V4 installed so they have V3 on them.

Jim

 

Forgetting a few important ones...
Active Directory database files = C:\WINDOWS\NTDS
SYSVOL C:\WINDOWS\SYSVOL
NTFRS Database Files = C:\WINDOWS\ntfrs

The following is a list for Microsoft Small Business Server....but you can easily figure out which ones are related to Windows Server, and Microsoft Exchange
http://www.sbsfaq.com/Lists/FAQs/DispForm.aspx?ID=137

 

In my opinion this is not just a good question, it is absolutely ridiculous that it even needs to be asked.

The fact is, these exclusions should be HARD-CODED into the program, both so that it never scans these files/folders from the very first time it runs after installation, but also so that it doesn't rely on someone finding out the hard way that they are necessary, and then hoping you don't miss one or rely on bad information from someone/where else.

ESET - HARD-CODE these exclusions NOW.

 

I don't agree that they should be hardcoded, as that's removing control from the user, but I do think it should be a tickbox on the installation screen.

During installation we get asked if we want to enable advanced heuristics and warning of potential nasty apps, so why not ask if we want to exclude everything that should be excluded? Especially on a server...

 

why not install with default settings. Verify that all is well and move slowly from there.

 

This includes AD, Exchange and Windows Update for Vista and 2008

I have gleaned this from technet and interpolated it to my install. It includes Exchange, do not use the <guid> - correct it for yours. Use your locations
I can find no referecne in the doco about /* doing Subdirectories, and you DO not want to do that, it provides an exploit, Ideally you dont want any wildcards, but who can do that..

A clever user can add these lines to the XML settings file and load them in that way (create a single exclusion, export settings, find it and use the XML as a template but be carefull how you go)

These links will help you find other OS information.

http://support.microsoft.com/kb/822158
http://technet.microsoft.com/en-us/library/bb332342.aspx

C:\Program Files\Microsoft\Exchange Server\ExchangeOAB\*.*
C:\Program Files\Microsoft\Exchange Server\ExchangeOAB\<your guid>\*.*
C:\Program Files\Microsoft\Exchange Server\Logging\*.*
C:\Program Files\Microsoft\Exchange Server\Logging\TraceLogs\*.*
C:\Program Files\Microsoft\Exchange Server\Logging\lodctr_backups\*.*
C:\Program Files\Microsoft\Exchange Server\Mailbox\*.*
C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\
C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\CatalogData-<guid>\*.*
C:\Program Files\Microsoft\Exchange Server\Mailbox\MDBTEMP\*.*
C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group\*.*
C:\Program Files\Microsoft\Exchange Server\Mailbox\schema\*.*
C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\*.*
C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking\*.*
C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\*.*
C:\Program Files\Microsoft\Exchange Server\Working\*.*
C:\Program Files\Microsoft\Exchange Server\Working\OleConverter\*.*
C:\ProgramData\ntuser.pol
C:\Windows\NTDS\*.*
C:\Windows\SYSVOL\*.*
C:\Windows\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*.*
C:\Windows\SYSVOL\staging areas\*.*
C:\Windows\SYSVOL\staging\*.*
C:\Windows\SYSVOL\staging\domain\*.*
C:\Windows\SYSVOL\sysvol\*.*
C:\Windows\Security\Database\*.sdb
C:\Windows\Security\Database\edb*.jrs
C:\Windows\Security\Database\edb*.log
C:\Windows\Security\Database\edb.chk
C:\Windows\Security\Logs\*.log
C:\Windows\Security\edb.log
C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
C:\Windows\SoftwareDistribution\DataStore\Logs\*.edb
C:\Windows\SoftwareDistribution\DataStore\Logs\edb*.jrs
C:\Windows\SoftwareDistribution\DataStore\Logs\edb*.log
C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
C:\Windows\System32\GroupPolicy\*.*
C:\Windows\System32\GroupPolicy\ADMIN$\*.*
C:\Windows\System32\GroupPolicy\Machine\*.*
C:\Windows\System32\GroupPolicy\User\*.*
C:\Windows\System32\inetsrv\*.*
C:\Windows\ntfrs\jet\log\*.log
C:\Windows\ntfrs\jet\log\edbres00001.jrs
C:\Windows\ntfrs\jet\log\edbres00002.jrs
C:\Windows\ntfrs\jet\ntfrs.jdb
C:\Windows\ntfrs\jet\sys\edb.chk

 

You don't need to stuff around with editing an xml file.

From the remote console. choose configuration then save the config file.

When the config editor opens, find the exclusions eset kernal/setup/exclusions.

select edit, then click on list and you can import the exclusions

 

Dont use version 4 on servers yet. I have all exclusions and it still causes lockups and have to be manually restarted by holding in the power button.

 

Anyone have any idea when V4 will be OK on servers. My understanding it's just DCs that have the issue. I'm running it on a Terminal Server without issue, but had a clients DC hang every few days. Nearly cost me a client and lots of cash (he threatened to send the server back) until I found out about the issue with V4. I did a search of Wilders looking for server 2003 and found the issue. Be nice to have been notified....

 

I have got 4.0.437 working with help from ESET AU on windows 2008 X64, Active Directory and Exchange 2007, and I am not having lockups, however, there were
Huge problems with earlier V4 builds
sidebyside problems in the eventlog started by EGUI.exe, solution install all the MS C++ 2005 redistributables - especially on machines with not very much other software installed
Also uninstall V3 first and run the Uninstall utility from ESET

Jim

 

Still having major issues with v4 - System Lockups result in restarting the server by hitting the Power Button

Even after support have looked at it - 3rd Line Support are now on the case... Waiting to hear back

Perhaps if they designed a Server Version which gives the options for the exclusions that might help....!

Incidentally does v3 require all of these exclusions?

 

V3 doesn't hang without the exclusions, but they are a good idea.

Cut and paste the list from Jimbo1199 into notepad, update the specific folders you need to (GUID).
Use the remote admin to import the list as I stated earlier.

Takes about 5 minutes.

Just go back to V3. V4 is not worth the grief.

 

There is one typo at least in the list, first storage group is missing it's \*.*

I note also that VISTA workstations need some of these, especially to do with Windows Updates...

Only copy my list - if your data is where this data may be, and note the exact location of some of them is per machine dependent.
remember dir c:\<xyz>\widget.* /b/s > a_file.txt is a good tool - still finds things faster than any index

Jim

 

Jim,

thanks for that. Did pick up on the typo, but forgot about it.

and yes, use some (no so) common sense..... Check the files before you load it. I did.

Just a question. I had three folders with different GUIDs, so I added all three. I assume that's correct.

 

M'thinks as I only have one I should not speculate, however, if inside exchange you reference more Mailbox databases than one, and they are mounted booted and spurred, they may have more than one catalog and hence more than one GUID, are the files under that folder current dates?

In security retrospect, would be keener to see
C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\*.edb
and
C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\*.log

 

Duh,,,

OAB is for Offline Address Book... and I have three on the server

Which is a whole other story.

Migrating from SBS 2003, to SBS 2008.

I had three separate organisations on my server, with isolated multiple Global Address Lists.

Migrate to SBS 2008 and everyone sees everyone else....

Search high and low and tweek stuff etc until at 2.30 am this morning I found this..
http://technet.microsoft.com/en-us/library/bb936719.aspx

and I wasn't about to start into 26 pages at that time so off to bed I went... Small job for this weekend.

 

I had to get a heads up on the use of \* from ESET UK Tech Support. Apparently this is the correct syntax for exclusion of files and subdirs for a target directory. I was informed that \*.* is a file exclusion syntax only.

From my POV this is strange (and crazy) as I was building these exclusion lists using the ESET Configuration Editor. And no, it is not documented anywhere that I could find

 

?! Are you serious??

AGAIN, we need some CLARIFICATION, please.

Would someone from ESET PLEASE confirm this?

All of my exclusions have \*.*

Is it true that in order to include SUBDIRS, the *.* should be changed to just *?

And one more time... please, please PLEASE either hardcode these, or at least allow them to be enabled/disabled with a single checkbox option (for ALL microsoft recommended exclusions).

I honestly cannot understand why ESET does this - they could probably avoid a LOT of complaints and problems and SUPPORT TICKETS (read: WASTED MONEY) by doing this...

 

I'm very serious. I had to download the ESET remote support application that allowed the ESET support tech to access my server. Whilst I watched he ran through the NOD32 config section putting everything to \* and, as we were on a phone call at the time, explained what he was doing and why he was doing it.

 

So, if I'm reading this right, you can replace:

C:\Program Files\Microsoft\Exchange Server\ExchangeOAB\*.*
C:\Program Files\Microsoft\Exchange Server\ExchangeOAB\<your guid>\*.*
C:\Program Files\Microsoft\Exchange Server\Logging\*.*
C:\Program Files\Microsoft\Exchange Server\Logging\TraceLogs\*.*
C:\Program Files\Microsoft\Exchange Server\Logging\lodctr_backups\*.*
C:\Program Files\Microsoft\Exchange Server\Mailbox\*.*
C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\
C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\CatalogData-<guid>\*.*
C:\Program Files\Microsoft\Exchange Server\Mailbox\MDBTEMP\*.*
C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group\*.*
C:\Program Files\Microsoft\Exchange Server\Mailbox\schema\*.*
C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\*.*
C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking\*.*
C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\*.*
C:\Program Files\Microsoft\Exchange Server\Working\*.*
C:\Program Files\Microsoft\Exchange Server\Working\OleConverter\*.*

With:

C:\Program Files\Microsoft\Exchange Server\*

 

That is correct.