NOD32v4 Server Exclusion List

Discussion in 'ESET NOD32 Antivirus' started by towen, Jun 11, 2009.

Thread Status:
Not open for further replies.
  1. towen

    towen Registered Member

    Joined:
    Jun 11, 2009
    Posts:
    4
    We have just recently bought into NOD32 V4 AntiVirus Business Edition

    Installed it on 2 Windows XP Clients and all seemed OK - When we installed it on our Windows 2003 Servers it ground them to a halt! :mad: - Not Good!

    After a short phone call to the ESET Helpdesk they told me I had to add exclusions. He sent me a document and a few links to check out; I have done this -

    If I add these will this cure it; Can anyone confirm?

    D:\System Files*.* (This contains off our AD Data)
    C:\Windows\System32*.* (For DNS, DHCP etc)
    C:\Program Files\Microsoft SQL Server (For SQL Server)
    C:\Windows\SoftwareDistribution*.*
    C:\Windows\Security*.*

    Are there any others that I should be aware of and that I should add....?
     
  2. WayneP

    WayneP Support Specialist

    Joined:
    Apr 9, 2009
    Posts:
    339
    Hello towen,

    Adding exclusions should solve the problem you described. However, there are many factors that can cause the same type of issue. You should add the exclusions and then if it still does the same thing, you can either let us know here or call the ESET support line again.
     
  3. towen

    towen Registered Member

    Joined:
    Jun 11, 2009
    Posts:
    4
    Thanks Wayne;

    I will give it a go tomorrow; hopefully these exclusions will do the trick...

    If not I will be back on the phone to ESET Tech Support UK!

    Not a very good start for a new customer to NOD32 I might add!
     
  4. towen

    towen Registered Member

    Joined:
    Jun 11, 2009
    Posts:
    4
    Tried to install this first thing this morning, added all the exclusions and made some changes in advanced mode - lo and behold the same thing happens - the server came to a grinding halt :mad:

    Righty, after another call to ESET Support Helpdesk;

    Apparently I need to use the /* to include all sub folders and files...

    So this would be:

    D:\System Files/* (This contains off our AD Data)
    C:\Windows\System32/* (For DNS, DHCP etc)
    C:\Program Files\Microsoft SQL Server/* (For SQL Server)
    C:\Windows\SoftwareDistribution/*
    C:\Windows\Security/*

    Can anyone confirm that I have the correct syntax? As I don't want another morning like I had this morning with a server lockup

    Why can't ESET just create general exceptions for standard Microsoft Components! - Surely this is not too much to ask, is it?
     
  5. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    If you need the /* then that's the first I've heard about it....and I don't have that on any of my servers. That said, I do have two servers which crash and burn with V4 installed so they have V3 on them.

    Jim
     
  6. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Forgetting a few important ones...
    Active Directory database files = C:\WINDOWS\NTDS
    SYSVOL C:\WINDOWS\SYSVOL
    NTFRS Database Files = C:\WINDOWS\ntfrs

    The following is a list for Microsoft Small Business Server....but you can easily figure out which ones are related to Windows Server, and Microsoft Exchange
    http://www.sbsfaq.com/Lists/FAQs/DispForm.aspx?ID=137
     
  7. tanstaafl

    tanstaafl Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    207
    In my opinion this is not just a good question, it is absolutely ridiculous that it even needs to be asked.

    The fact is, these exclusions should be HARD-CODED into the program, both so that it never scans these files/folders from the very first time it runs after installation, but also so that it doesn't rely on someone finding out the hard way that they are necessary, and then hoping you don't miss one or rely on bad information from someone/where else.

    ESET - HARD-CODE these exclusions NOW.
     
  8. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    I don't agree that they should be hardcoded, as that's removing control from the user, but I do think it should be a tickbox on the installation screen.

    During installation we get asked if we want to enable advanced heuristics and warning of potential nasty apps, so why not ask if we want to exclude everything that should be excluded? Especially on a server...
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    why not install with default settings. Verify that all is well and move slowly from there.
     
  10. jimbo1199

    jimbo1199 Registered Member

    Joined:
    May 25, 2009
    Posts:
    19
    This includes AD, Exchange and Windows Update for Vista and 2008

    I have gleaned this from TechNet and interpolated it to my install. It includes Exchange; do not use the <guid> - correct it for yours. Use your locations.
    I can find no reference in the doco about /* doing subdirectories, and you DO NOT want to do that, it provides an exploit. Ideally you don't want any wildcards, but who can do that.. :mad:

    A clever user can add these lines to the XML settings file and load them in that way (create a single exclusion, export settings, find it and use the XML as a template, but be careful how you go)

    These links will help you find other OS information.

    http://support.microsoft.com/kb/822158
    http://technet.microsoft.com/en-us/library/bb332342.aspx


    C:\Program Files\Microsoft\Exchange Server\ExchangeOAB\*.*
    C:\Program Files\Microsoft\Exchange Server\ExchangeOAB\<your guid>\*.*
    C:\Program Files\Microsoft\Exchange Server\Logging\*.*
    C:\Program Files\Microsoft\Exchange Server\Logging\TraceLogs\*.*
    C:\Program Files\Microsoft\Exchange Server\Logging\lodctr_backups\*.*
    C:\Program Files\Microsoft\Exchange Server\Mailbox\*.*
    C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\
    C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\CatalogData-<guid>\*.*
    C:\Program Files\Microsoft\Exchange Server\Mailbox\MDBTEMP\*.*
    C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group\*.*
    C:\Program Files\Microsoft\Exchange Server\Mailbox\schema\*.*
    C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\*.*
    C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking\*.*
    C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\*.*
    C:\Program Files\Microsoft\Exchange Server\Working\*.*
    C:\Program Files\Microsoft\Exchange Server\Working\OleConverter\*.*
    C:\ProgramData\ntuser.pol
    C:\Windows\NTDS\*.*
    C:\Windows\SYSVOL\*.*
    C:\Windows\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*.*
    C:\Windows\SYSVOL\staging areas\*.*
    C:\Windows\SYSVOL\staging\*.*
    C:\Windows\SYSVOL\staging\domain\*.*
    C:\Windows\SYSVOL\sysvol\*.*
    C:\Windows\Security\Database\*.sdb
    C:\Windows\Security\Database\edb*.jrs
    C:\Windows\Security\Database\edb*.log
    C:\Windows\Security\Database\edb.chk
    C:\Windows\Security\Logs\*.log
    C:\Windows\Security\edb.log
    C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
    C:\Windows\SoftwareDistribution\DataStore\Logs\*.edb
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb*.jrs
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb*.log
    C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
    C:\Windows\System32\GroupPolicy\*.*
    C:\Windows\System32\GroupPolicy\ADMIN$\*.*
    C:\Windows\System32\GroupPolicy\Machine\*.*
    C:\Windows\System32\GroupPolicy\User\*.*
    C:\Windows\System32\inetsrv\*.*
    C:\Windows\ntfrs\jet\log\*.log
    C:\Windows\ntfrs\jet\log\edbres00001.jrs
    C:\Windows\ntfrs\jet\log\edbres00002.jrs
    C:\Windows\ntfrs\jet\ntfrs.jdb
    C:\Windows\ntfrs\jet\sys\edb.chk
     
  11. goldrushtech

    goldrushtech Registered Member

    Joined:
    Jun 26, 2005
    Posts:
    59
    Location:
    Greensborough, VIC, Australia
    You don't need to stuff around with editing an xml file.

    From the remote console, choose configuration then save the config file.

    When the config editor opens, find the exclusions: ESET Kernel/Setup/Exclusions.

    Select edit, then click on list and you can import the exclusions.
     
  12. a_kerbouchard

    a_kerbouchard Registered Member

    Joined:
    Apr 17, 2008
    Posts:
    35
    Don't use version 4 on servers yet. I have all exclusions and it still causes lockups and have to be manually restarted by holding in the power button.
     
  13. goldrushtech

    goldrushtech Registered Member

    Joined:
    Jun 26, 2005
    Posts:
    59
    Location:
    Greensborough, VIC, Australia
    Anyone have any idea when V4 will be OK on servers? My understanding is it's just DCs that have the issue. I'm running it on a Terminal Server without issue, but had a client's DC hang every few days. Nearly cost me a client and lots of cash (he threatened to send the server back) until I found out about the issue with V4. I did a search of Wilders looking for server 2003 and found the issue. Be nice to have been notified....
     
  14. jimbo1199

    jimbo1199 Registered Member

    Joined:
    May 25, 2009
    Posts:
    19
    I have got 4.0.437 working with help from ESET AU on Windows 2008 X64, Active Directory and Exchange 2007, and I am not having lockups; however, there were:
    Huge problems with earlier V4 builds.
    Side-by-side problems in the event log started by EGUI.exe; solution: install all the MS C++ 2005 redistributables - especially on machines with not very much other software installed.
    Also uninstall V3 first and run the Uninstall utility from ESET.

    Jim
     
  15. towen

    towen Registered Member

    Joined:
    Jun 11, 2009
    Posts:
    4
    Still having major issues with v4 - System Lockups result in restarting the server by hitting the Power Button :mad:

    Even after support have looked at it - 3rd Line Support are now on the case... Waiting to hear back

    Perhaps if they designed a Server Version which gives the options for the exclusions that might help....!

    Incidentally does v3 require all of these exclusions?
     
  16. goldrushtech

    goldrushtech Registered Member

    Joined:
    Jun 26, 2005
    Posts:
    59
    Location:
    Greensborough, VIC, Australia
    V3 doesn't hang without the exclusions, but they are a good idea.

    Cut and paste the list from Jimbo1199 into notepad, update the specific folders you need to (GUID).
    Use the remote admin to import the list as I stated earlier.

    Takes about 5 minutes.

    Just go back to V3. V4 is not worth the grief.
     
  17. jimbo1199

    jimbo1199 Registered Member

    Joined:
    May 25, 2009
    Posts:
    19
    There is one typo at least in the list, first storage group is missing its \*.*

    I note also that VISTA workstations need some of these, especially to do with Windows Updates...

    Only copy my list - if your data is where this data may be, and note the exact location of some of them is per machine dependent.
    Remember, dir c:\<xyz>\widget.* /b/s > a_file.txt is a good tool - still finds things faster than any index

    Jim
     
  18. goldrushtech

    goldrushtech Registered Member

    Joined:
    Jun 26, 2005
    Posts:
    59
    Location:
    Greensborough, VIC, Australia
    Jim,

    thanks for that. Did pick up on the typo, but forgot about it.

    And yes, use some (not so) common sense..... Check the files before you load it. I did.

    Just a question. I had three folders with different GUIDs, so I added all three. I assume that's correct.
     
  19. jimbo1199

    jimbo1199 Registered Member

    Joined:
    May 25, 2009
    Posts:
    19
    M'thinks as I only have one I should not speculate; however, if inside Exchange you reference more Mailbox databases than one, and they are mounted, booted and spurred, they may have more than one catalog and hence more than one GUID. Are the files under that folder current dates?

    In security retrospect, would be keener to see
    C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\*.edb
    and
    C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\*.log
     
  20. goldrushtech

    goldrushtech Registered Member

    Joined:
    Jun 26, 2005
    Posts:
    59
    Location:
    Greensborough, VIC, Australia
    Duh,,,

    OAB is for Offline Address Book... and I have three on the server

    Which is a whole other story.

    Migrating from SBS 2003, to SBS 2008.

    I had three separate organisations on my server, with isolated multiple Global Address Lists.

    Migrate to SBS 2008 and everyone sees everyone else....

    Search high and low and tweak stuff etc until at 2.30 am this morning I found this..
    http://technet.microsoft.com/en-us/library/bb936719.aspx

    and I wasn't about to start into 26 pages at that time so off to bed I went... Small job for this weekend.
     
  21. peterdevlin

    peterdevlin Registered Member

    Joined:
    May 5, 2009
    Posts:
    6
    I had to get a heads up on the use of \* from ESET UK Tech Support. Apparently this is the correct syntax for exclusion of files and subdirs for a target directory. I was informed that \*.* is a file exclusion syntax only.

    From my POV this is strange (and crazy) as I was building these exclusion lists using the ESET Configuration Editor. And no, it is not documented anywhere that I could find :rolleyes:
     
  22. tanstaafl

    tanstaafl Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    207
    ?! Are you serious??

    AGAIN, we need some CLARIFICATION, please.

    Would someone from ESET PLEASE confirm this?

    All of my exclusions have \*.*

    Is it true that in order to include SUBDIRS, the *.* should be changed to just *?

    And one more time... please, please PLEASE either hardcode these, or at least allow them to be enabled/disabled with a single checkbox option (for ALL Microsoft recommended exclusions).

    I honestly cannot understand why ESET does this - they could probably avoid a LOT of complaints and problems and SUPPORT TICKETS (read: WASTED MONEY) by doing this...
     
  23. peterdevlin

    peterdevlin Registered Member

    Joined:
    May 5, 2009
    Posts:
    6
    I'm very serious. I had to download the ESET remote support application that allowed the ESET support tech to access my server. Whilst I watched he ran through the NOD32 config section putting everything to \* and, as we were on a phone call at the time, explained what he was doing and why he was doing it.
     
  24. Ragefire

    Ragefire Registered Member

    Joined:
    Jun 30, 2009
    Posts:
    1
    So, if I'm reading this right, you can replace:

    C:\Program Files\Microsoft\Exchange Server\ExchangeOAB\*.*
    C:\Program Files\Microsoft\Exchange Server\ExchangeOAB\<your guid>\*.*
    C:\Program Files\Microsoft\Exchange Server\Logging\*.*
    C:\Program Files\Microsoft\Exchange Server\Logging\TraceLogs\*.*
    C:\Program Files\Microsoft\Exchange Server\Logging\lodctr_backups\*.*
    C:\Program Files\Microsoft\Exchange Server\Mailbox\*.*
    C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\
    C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\CatalogData-<guid>\*.*
    C:\Program Files\Microsoft\Exchange Server\Mailbox\MDBTEMP\*.*
    C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group\*.*
    C:\Program Files\Microsoft\Exchange Server\Mailbox\schema\*.*
    C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\*.*
    C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking\*.*
    C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\*.*
    C:\Program Files\Microsoft\Exchange Server\Working\*.*
    C:\Program Files\Microsoft\Exchange Server\Working\OleConverter\*.*

    With:

    C:\Program Files\Microsoft\Exchange Server\*
     
  25. peterdevlin

    peterdevlin Registered Member

    Joined:
    May 5, 2009
    Posts:
    6
    That is correct.
     
Thread Status:
Not open for further replies.
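
The trade-off between the itemised list (posts 10 and 19) and the single `\*` entry (post 24), as an added example that is not part of the thread and not ESET's code. It assumes the matching rules as reported in post 21, treats flagged entries as excluding nothing, and uses constructed file paths; `parse`, `excluded`, `lint` and `newly_unscanned` are hypothetical helper names.

```python
import fnmatch
import ntpath

def parse(entry):
    problems = []  # reasons this line should be fixed before import
    if "<" in entry and ">" in entry:
        problems.append("unresolved <placeholder>")
    if "/" in entry:
        problems.append("forward slash (form reported only in post 4)")
    folder, mask = ntpath.split(entry.replace("/", "\\"))
    if not mask:
        problems.append("no file mask after the folder")
    return folder.lower(), mask.lower(), problems

def excluded(path, entry):
    # Assumed model (post 21): \* is recursive; \*.* and other masks are one folder only.
    folder, mask, problems = parse(entry)
    if problems:
        return False  # assumption: a flagged entry excludes nothing
    parent, name = ntpath.split(path.lower())
    if mask == "*":
        return parent == folder or parent.startswith(folder + "\\")
    if mask == "*.*":
        mask = "*"  # assumption: any file name, with or without a dot
    return parent == folder and fnmatch.fnmatchcase(name, mask)

def lint(entries):
    return {e: parse(e)[2] for e in entries if parse(e)[2]}

def newly_unscanned(paths, narrow, broad):
    """Paths the broad list excludes that the narrow list still scans."""
    return [p for p in paths if any(excluded(p, e) for e in broad)
            and not any(excluded(p, e) for e in narrow)]

EX = r"C:\Program Files\Microsoft\Exchange Server"
ITEMISED = [EX + tail for tail in r"""
\Logging\*.*
\Mailbox\First Storage Group\
\Mailbox\First Storage Group\CatalogData-<guid>\*.*
\Mailbox\First Storage Group\*.edb
\Mailbox\First Storage Group\*.log
""".strip().splitlines()]
BROAD = [EX + r"\*"]
SAMPLE = [EX + tail for tail in (  # constructed file paths, not from the thread
    r"\Mailbox\First Storage Group\Mailbox Database.edb",
    r"\Mailbox\First Storage Group\unexpected.exe",
    r"\Logging\TraceLogs\trace.etl",
    r"\Bin\example.exe")]
print(lint(ITEMISED), newly_unscanned(SAMPLE, ITEMISED, BROAD), sep="\n")
```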