Microsoft have update recommended exclusions for Windows

Microsoft have revised their article for exclusions under Windows. While the revision date is old, as I check this article every time I install or change AV I know there's new material in here along with some revisions.

http://support.microsoft.com/kb/822158

Note that the %windir%\security block is a mess, and those exclusions are actually for a combination of the database and logs subfolders. I believe the security.sdb file is in fact a reference to secedit.sdb

My exclusions now look like this:

Windows XP

%windir%\Windows\SoftwareDistribution\Datastore\Datastore.edb
%windir%\Windows\SoftwareDistribution\Datastore\Logs\edb*.log
%windir%\Windows\SoftwareDistribution\Datastore\Logs\Res1.log
%windir%\Windows\SoftwareDistribution\Datastore\Logs\Res2.log
%windir%\Windows\SoftwareDistribution\Datastore\Logs\Edb.chk
%windir%\Windows\SoftwareDistribution\Datastore\Logs\Tmp.edb

I don't have an XP machine handy to check these new entries, so these are guesses based on the Vista ones.

%windir%\Windows\security\database\edb.chk
%windir%\Windows\security\database\edb*.log
%windir%\Windows\security\database\res1.log
%windir%\Windows\security\database\res2.log
%windir%\Windows\security\database\Secedit.sdb
%windir%\Windows\security\logs\*.log


Windows Vista

%windir%\Windows\SoftwareDistribution\Datastore\Datastore.edb
%windir%\Windows\SoftwareDistribution\Datastore\Logs\edb*.log
%windir%\Windows\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
%windir%\Windows\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
%windir%\Windows\SoftwareDistribution\Datastore\Logs\Edb.chk
%windir%\Windows\SoftwareDistribution\Datastore\Logs\Tmp.edb
%windir%\Windows\security\database\edb.chk
%windir%\Windows\security\database\edb*.log
%windir%\Windows\security\database\edbres00001.jrs
%windir%\Windows\security\database\edbres00002.jrs
%windir%\Windows\security\database\Secedit.sdb
%windir%\Windows\security\logs\*.log

 

I didn't find these...

You want to add the following files in the %windir%\security path to the exclusions. Otherwise, the scanning of the folder typically corrupts security databases and prevents group policy from applying. To do so, exclude all the following files:

* *.edb
* *.sdb
* *.log
* *.chk

Note The wildcard character indicates that there may be several files. Specifically, you must exclude the following files:

* Edb.chk
* Edb.log
* *.log
* Security.sdb in the <drive>:\windows\security\database folder

 

As I said, that block is a mess. From what I could see, the security\database subfolder follows the same pattern as the Datastore\log area, so I used the same patterns. The security\logs folder should have *.log as I have seen at least a couple of log names used in there.

 

And all this applies to the average computer user in what way?

One might think that anti-virus vendors would know this also and would apply these kind of exclusions automatically, and yet all anti-virus programs I came across never mention these exclusions.

Also I think most people don't know about this. So would that mean that anti-virus software would wreck those peoples computers by corrupting files?

 

This is highly technical.

In what way is it relevant to someone using a home edition of Windows ?

 

The first section on SoftwareDistribution is related to Windows Updates. It's saying that a virus-scanner can cause updates to fail or the service to lock because the Automatic Updates service keeps trying to access those files and the virus-scanner keeps trying to scan them and thus locks them. This is VERY relevant to a home user and why it's not in AV scanners by default I have no idea.

The security section is vague and I couldn't tell whether this would only apply in corporate situations where you're getting group policies pushed out (and this might account for some of the odd failures I've seen at my place), or whether it's more extensive than that.

Everything beyond that point is corporate.

 

I've never noticed these kind of problems on my own computer with anti-virus software.

 

And I've never been hit by a car. What's your point?

 

My point is:

- why doesn't the average computer user have any problems regarding corruptions of there Windows computers.
- why doesn't the average computer user have any problems regarding using Windows Update or running services?
- why isn't this widespread knowledge?
- why don't anti-virus vendors include these settings as default if it's so important and widespread?

I doubt that anti-virus vendors want to corrupt peoples computers and since they also don't include these exclusions in the default settings, then they must have preventive measures in place to prevent these problems from happening.

This all makes me believe that the actual chance of these problems occurring on home computers with Windows XP/Vista Home/Pro/Ultimate are very small.

 

Please cite your sources.

Not being a vendor I can't answer this.

So, like a virus then? Yet you run AV, yes?

So we've identified the downside to not entering these settings, so what's the upside that would stop you?

 

some av's are microsoft certified and dont have these exclusions.
this does seem strange if microsoft reccomended to excluded the above files and folders?

 

But that doesn't make the certification right and the exclusions wrong. What are the requirements for certification? Are these even written by the same department which wrote these exclusions? You need to remember that Microsoft is a HUGE company.

 

True.
btw i did notice that once when i tryed kav6 for servers on windows server 2003 it did ask me if i wanted to apply the microsoft reccomended exclusions so i said yes. maybe its mainly for servers?

 

Maybe the file locking issue is the reason why Windows Update sometimes decide to stop working properly.