Microsoft have updated recommended exclusions for Windows

Discussion in 'other anti-virus software' started by Quitch, Dec 6, 2008.

Thread Status:
Not open for further replies.
  1. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    Microsoft have revised their article for exclusions under Windows. While the revision date is old, as I check this article every time I install or change AV I know there's new material in here along with some revisions.

    http://support.microsoft.com/kb/822158

    Note that the %windir%\security block is a mess, and those exclusions are actually for a combination of the database and logs subfolders. I believe the security.sdb file is in fact a reference to secedit.sdb

    My exclusions now look like this:

    Windows XP

    %windir%\Windows\SoftwareDistribution\Datastore\Datastore.edb
    %windir%\Windows\SoftwareDistribution\Datastore\Logs\edb*.log
    %windir%\Windows\SoftwareDistribution\Datastore\Logs\Res1.log
    %windir%\Windows\SoftwareDistribution\Datastore\Logs\Res2.log
    %windir%\Windows\SoftwareDistribution\Datastore\Logs\Edb.chk
    %windir%\Windows\SoftwareDistribution\Datastore\Logs\Tmp.edb

    I don't have an XP machine handy to check these new entries, so these are guesses based on the Vista ones.

    %windir%\Windows\security\database\edb.chk
    %windir%\Windows\security\database\edb*.log
    %windir%\Windows\security\database\res1.log
    %windir%\Windows\security\database\res2.log
    %windir%\Windows\security\database\Secedit.sdb
    %windir%\Windows\security\logs\*.log


    Windows Vista

    %windir%\Windows\SoftwareDistribution\Datastore\Datastore.edb
    %windir%\Windows\SoftwareDistribution\Datastore\Logs\edb*.log
    %windir%\Windows\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
    %windir%\Windows\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
    %windir%\Windows\SoftwareDistribution\Datastore\Logs\Edb.chk
    %windir%\Windows\SoftwareDistribution\Datastore\Logs\Tmp.edb
    %windir%\Windows\security\database\edb.chk
    %windir%\Windows\security\database\edb*.log
    %windir%\Windows\security\database\edbres00001.jrs
    %windir%\Windows\security\database\edbres00002.jrs
    %windir%\Windows\security\database\Secedit.sdb
    %windir%\Windows\security\logs\*.log
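
A way to check which files an exclusion list actually covers, as an added example that is not part of the original post. It assumes %windir% expands to C:\Windows, uses a constructed file listing, and adds two hypothetical variant entries for comparison; it reports the files left unscanned and the entries that match nothing after expansion.

```python
import fnmatch
import ntpath
import re

# Assumption: %windir% expands to C:\Windows (the default install location).
ENV = {"windir": r"C:\Windows"}

def expand(entry, env=ENV):
    """Expand %name% variables (case-insensitive); unknown names are kept."""
    return re.sub(r"%(\w+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), entry)

def covers(entry, path):
    """True if the entry matches the file: same folder (case-insensitive)
    and a wildcard match on the file name only."""
    e_dir, e_name = ntpath.split(ntpath.normcase(expand(entry)))
    f_dir, f_name = ntpath.split(ntpath.normcase(path))
    return e_dir == f_dir and fnmatch.fnmatchcase(f_name, e_name)

def audit(entries, files):
    """Return (unscanned file -> matching entries, entries matching nothing)."""
    hits = {f: [e for e in entries if covers(e, f)] for f in files}
    unscanned = {f: h for f, h in hits.items() if h}
    dead = [e for e in entries if not any(covers(e, f) for f in files)]
    return unscanned, dead

ENTRIES = [
    r"%windir%\Windows\security\database\edb*.log",  # as written in the post
    r"%windir%\security\database\edb*.log",          # hypothetical variant
    r"%windir%\security\logs\*.log",                 # hypothetical variant
]

# Constructed file listing (not taken from a real machine).
FILES = [
    r"C:\Windows\security\database\edb.log",
    r"C:\Windows\security\database\edb00001.log",
    r"C:\Windows\security\database\secedit.sdb",
    r"C:\Windows\security\logs\scesetup.log",
    r"C:\Windows\security\logs\winlogon.log",
]

if __name__ == "__main__":
    unscanned, dead = audit(ENTRIES, FILES)
    for path, matched in unscanned.items():
        print("not scanned:", path, "<-", matched)
    for entry in dead:
        print("matches nothing:", entry, "->", expand(entry))
```

An entry that lands in the "matches nothing" list excludes no file in the listing, so the file it was meant to protect is still being scanned.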
     
  2. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    I didn't find these...

    You want to add the following files in the %windir%\security path to the exclusions. Otherwise, the scanning of the folder typically corrupts security databases and prevents group policy from applying. To do so, exclude all the following files:

    * *.edb
    * *.sdb
    * *.log
    * *.chk

    Note The wildcard character indicates that there may be several files. Specifically, you must exclude the following files:

    * Edb.chk
    * Edb.log
    * *.log
    * Security.sdb in the <drive>:\windows\security\database folder
     
  3. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    As I said, that block is a mess. From what I could see, the security\database subfolder follows the same pattern as the Datastore\log area, so I used the same patterns. The security\logs folder should have *.log as I have seen at least a couple of log names used in there.
     
  4. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    430
    Location:
    The Netherlands
    And all this applies to the average computer user in what way?

    One might think that anti-virus vendors would know this also and would apply these kinds of exclusions automatically, and yet all anti-virus programs I came across never mention these exclusions.

    Also I think most people don't know about this. So would that mean that anti-virus software would wreck those people's computers by corrupting files?
     
    Last edited: Dec 6, 2008
  5. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    This is highly technical.

    In what way is it relevant to someone using a home edition of Windows?
     
  6. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    The first section on SoftwareDistribution is related to Windows Updates. It's saying that a virus-scanner can cause updates to fail or the service to lock because the Automatic Updates service keeps trying to access those files and the virus-scanner keeps trying to scan them and thus locks them. This is VERY relevant to a home user and why it's not in AV scanners by default I have no idea.

    The security section is vague and I couldn't tell whether this would only apply in corporate situations where you're getting group policies pushed out (and this might account for some of the odd failures I've seen at my place), or whether it's more extensive than that.

    Everything beyond that point is corporate.
     
  7. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    430
    Location:
    The Netherlands
    I've never noticed these kinds of problems on my own computer with anti-virus software.
     
  8. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    And I've never been hit by a car. What's your point?
     
  9. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    430
    Location:
    The Netherlands
    My point is:

    - why doesn't the average computer user have any problems regarding corruptions of their Windows computers?
    - why doesn't the average computer user have any problems regarding using Windows Update or running services?
    - why isn't this widespread knowledge?
    - why don't anti-virus vendors include these settings as default if it's so important and widespread?

    I doubt that anti-virus vendors want to corrupt people's computers and since they also don't include these exclusions in the default settings, then they must have preventive measures in place to prevent these problems from happening.

    This all makes me believe that the actual chance of these problems occurring on home computers with Windows XP/Vista Home/Pro/Ultimate is very small.
     
  10. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    Please cite your sources.

    Not being a vendor I can't answer this.

    So, like a virus then? Yet you run AV, yes?

    So we've identified the downside to not entering these settings, so what's the upside that would stop you?
     
  11. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Some AVs are Microsoft certified and don't have these exclusions.
    This does seem strange if Microsoft recommended excluding the above files and folders?
     
  12. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    But that doesn't make the certification right and the exclusions wrong. What are the requirements for certification? Are these even written by the same department which wrote these exclusions? You need to remember that Microsoft is a HUGE company.
     
  13. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    True.
    Btw, I did notice that once when I tried KAV6 for servers on Windows Server 2003 it did ask me if I wanted to apply the Microsoft recommended exclusions, so I said yes. Maybe it's mainly for servers?
     
  14. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    Maybe the file locking issue is the reason why Windows Update sometimes decides to stop working properly.
     