First published on TECHNET on May 24, 2017
Authored by Brandon McMillan
Hey everybody! My name is Brandon McMillan and I am a System Center Configuration Manager (ConfigMgr) PFE at Microsoft. ConfigMgr Current Branch has been the standard service-based model since December 2015, with the release of version 1511. You may have noticed that, with the continuous improvements, your antivirus exclusions also need to be kept up to date. I hope this post provides you with the important antivirus exclusions you could implement within a Current Branch environment.
This blog will provide a comprehensive list of support articles we have released along with other recommendations you could consider for your environment. These articles are the authoritative sources for any official recommendations regarding these exclusions. Please reference the following support articles for further guidance.
Last updated: Oct 15, 2019
We recently updated our support article on ConfigMgr antivirus exclusions - 327453 and our article for Enterprise computers - 822158. We added additional recommendations for MPs (management points) within the ConfigMgr Core Installation Exclusions (All Versions) section. Additional guidance and recommendations for Enterprise computers have been added to the Core Exclusions for Supported Versions of Windows section.
Update from: Jun 7, 2019
Added a separate section for SQL Reporting Services (SSRS) recommendations. Also added new paths to consider for SSRS on SQL 2017+. Thanks again to Todd Mote for the feedback.
IMPORTANT: Antivirus real-time protection can cause many problems on Configuration Manager site servers, site systems, and clients. We recommend that you always test before implementing any of these changes in a production environment. We strongly encourage you to evaluate the risks that are associated with implementing these changes. We recommend that you temporarily apply these procedures to evaluate a system. If you choose to implement these changes in your environment, ensure you take any additional precautions necessary. Please refer to your antivirus vendor's documentation for further guidance and recommendations.
The recommendations for each section are separated into "Operational" and "Performance" levels. Operational recommendations are highly encouraged to be added to your exclusions list. Performance recommendations should only be considered if you are experiencing issues that may be caused by your antivirus product.
The following information will cover what could be recommended for your environment.
Details on the variables referenced:
How to determine the version, edition and update level of SQL Server and its components
Core Exclusions for Supported Versions of Windows
For further information regarding recommended exclusions for server roles such as a Domain Controller, DFS, DHCP, or DNS, please refer to the article below.
ConfigMgr Core Installation Exclusions (All Versions)
Applicable to 1511+
Applicable to 1602+
Applicable to 1610+
Applicable to 1702+
Applicable to 1806+
ConfigMgr Content Library Exclusions
ConfigMgr Imaging Exclusions
Reference: SCCM 2012 Antivirus Exclusions
ConfigMgr Process Exclusions
NOTE: Process exclusions are necessary only when aggressive antivirus programs consider System Center Configuration Manager executables (.exe) to be high-risk processes.
ConfigMgr Client Exclusions
SQL Server Exclusions
SQL Server Process Exclusions
References: Designed for Optimized Performance, Windows Exclusions for Windows Defender
WSUS Offline Scanning Exclusions - Microsoft Baseline Security Analyzer (MBSA)
NOTE: There are four distinct methods to choose from when using MBSA and WSUS offline scanning. Method 1 has the least amount of risk. If this method does not work for you, we recommend you use Method 2. Methods 3 and 4 may increase your security risk. We recommend that you use Methods 3 or 4 only if required, and ensure you take the necessary precautions.
Exclude the following files from scanning:
Exclude all *.cab files from scanning
Exclude all archived files from antivirus scanning
Exclude the folder where the Wsusscan.cab file or the Wsusscn2.cab file is located
Exclude the path of the Wsusscan.cab file or the Wsusscn2.cab file on the local computer
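The following PowerShell is an added example, not part of the original post or of any Microsoft guidance: it applies the narrowest of the four options above (a single file-path exclusion for the offline scan catalog) on a machine running Windows Defender via Add-MpPreference, verifies the result with Get-MpPreference, and flags the broader, higher-risk settings if they are already present. The catalog location is an assumption; set it to wherever your copy of Wsusscn2.cab lives. Run from an elevated session.

```powershell
# Added example (not from the original post): apply the lowest-risk WSUS offline-scan
# exclusion, a single file path for Wsusscn2.cab, and verify it landed.
param(
    # Assumed location of the offline catalog; adjust for your environment.
    [string]$CabPath = 'C:\WsusOffline\wsusscn2.cab'
)

# Only exclude a file that actually exists and is the offline scan catalog, so a typo
# cannot silently exclude the wrong path.
if (-not (Test-Path -LiteralPath $CabPath -PathType Leaf)) {
    throw "Catalog not found at '$CabPath'. Exclude only the real Wsusscn2.cab location."
}
if ((Split-Path -Leaf $CabPath) -notin @('wsusscn2.cab', 'wsusscan.cab')) {
    throw "Refusing to exclude '$CabPath': only the offline scan catalog should be excluded."
}

# Exclude exactly this file. The wider alternatives (whole folder, all *.cab files,
# all archives) are only worth considering if this one proves insufficient.
Add-MpPreference -ExclusionPath $CabPath

# Get-MpPreference returns the effective exclusion lists, including anything
# pushed by policy, so read it back rather than assuming the change applied.
$prefs = Get-MpPreference
if ($prefs.ExclusionPath -contains $CabPath) {
    Write-Output "Exclusion in place for $CabPath"
} else {
    Write-Warning "Exclusion not present; a Group Policy or tenant setting may be overriding local preferences."
}

# Report the broader settings that correspond to the higher-risk options above.
if ($prefs.ExclusionExtension -contains 'cab') {
    Write-Warning "A blanket 'cab' extension exclusion is configured (all *.cab files are skipped)."
}
if ($prefs.DisableArchiveScanning) {
    Write-Warning "Archive scanning is disabled (all archived files are skipped)."
}
```

If the exclusion does not appear in Get-MpPreference after the call, check for a policy-managed configuration before retrying; local changes are ignored where policy wins.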
MBSA was largely used in situations where neither Microsoft Update nor a local WSUS/SCCM server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and is no longer developed. MBSA 2.3 has not been updated to fully support Windows 10 and Windows Server 2016.
A script can help you with an alternative to MBSA’s patch-compliance checking:
References: 900638, MBSA, Wsusscn2.cab
I received a great deal of feedback on this post and I wanted to highlight the contributions from the following individuals: Max Baldt, David Coulter, Aaron Ellison, and Julie Andreacola.
Special thanks to Kevin Kasalonis, Cameron Cox, Clifton Hughes, Rushi Faldu, and Santos Martinez.
Brandon McMillan, Premier Field Engineer