Recommended list of antivirus exclusions for Symantec Enterprise Vault

Article:TECH48856  |  Created: 2006-01-21  |  Updated: 2014-07-09  |  Article URL http://www.symantec.com/docs/TECH48856
Article Type
Technical Solution


Issue



The purpose of this document is to provide a list of the recommended antivirus exclusions in order to maintain Enterprise Vault data integrity. These may not apply to all Enterprise Vault servers depending on which services and functionality are implemented on the particular Enterprise Vault server. It is important to reach a balance between a secure server antivirus configuration that does not cause reliability issues and performance degradation. These guidelines apply to both Real-Time and On-Demand antivirus scanning.

* For information on the recommended list of antivirus exclusions for SQL Server when used for Symantec Enterprise Vault, Compliance Accelerator and Discovery Accelerator reference TECH176828

 


Solution



Apply the below exclusions to your Enterprise Vault servers

Microsoft Message Queues
Default Typical Location - %system32\MSMQ
Risk - Scanning this location can cause MSMQ message corruption and severe performance issue which could interrupt archiving tasks, cause data loss and create database inconsistencies.
Conditions - This applies to all Enterprise Vault servers. 

Vault Stores
Default Typical Location - <root>Enterprise Vault Stores
Risk - Scanning this location can cause saveset corruption which could interrupt archiving tasks, cause data loss and create database inconsistencies as well as performance issues.
Conditions - This applies to all Enterprise Vault servers.

Centera Collections Temporary Folder
Default Typical Location - user configurable
Risk - Scanning this location can cause saveset corruption which could interrupt collection and archiving tasks, cause data loss and create database inconsistencies as well as performance issues.
Conditions - This applies to all Enterprise Vault servers running a storage service and which has at least one partition writing to a Centera device with collections enabled.

Index Locations
Default Typical Index Locations - user configurable
Risk - Scanning these location(s) can cause corruption of indexes and search performance issues.  These Indexes contain metadata and do not directly represent end user data.  Recreating indexes due to corruption and the associated potential downtime this could cause makes this medium to high risk.
Conditions - This applies to all Enterprise Vault servers running an Indexing Service.
 

Shopping
Default Typical Location - <root>Program Files\Enterprise Vault\Shopping
Risk - Scanning this location can cause corruption of shopping baskets.  Baskets are pointers to archived files and therefore they do not directly represent end user data.  For this reason the risk of scanning shopping baskets is low.
Conditions - This applies to all Enterprise Vault servers running a shopping service.

PST Temporary Folder
Default Typical Location - user configurable
Risk - Scanning this location can cause performance issues with the PST Locator, Collector and Migrator tasks. These .PST files are copies of end user data and deletion of the original is configurable such that the original would not be deleted until the .PST was completely migrated into Enterprise Vault. Since there is a workaround to provide more protection from data loss from a corrupt .PST file due to virus scanning this  be classified as a low risk but the performance impact to .PST migration operations could be great enough to stop .PST migration activities.
Conditions - This applies to all Enterprise Vault servers running a PST Collector or Migrator Task and any server that can host a PST Temporary Folder.

Enterprise Vault Temporary Folder
Default Typical Location - pre Windows 2008 = <root>\Documents and settings\<VaultServiceAccount>\Local Settings\temp. Windows 2008 = <root>\Users\<VaultServiceAccount>\AppData\Local\Temp
Risk - Scanning this file can cause Enterprise Vault services and tasks to fail.  This can be classified as a medium risk due to the downtime potential and because it is possible that end user data could be corrupted.
Conditions - This applies to all Enterprise Vault servers.
 
Enterprise Vault Server Cache Location
Default Typical Location - user configurable. Right-click on the Enterprise Vault server in the Vault Administration Console and click Properties. Then click on the Cache tab.
Risk - Scanning this location can cause performance issues which could impact Vault Cache synchronization.

Enterprise Vault Cache Location
Default Typical Location -

Windows XP: %HOMEPATH%\Local Settings\Application Data\KVS\Enterprise Vault\<STOREKEYDIR>

Windows 7: %USERPROFILE%\AppData\Local\KVS\Enterprise Vault\<STOREKEYDIR>

Risk - Scanning this location can cause performance issues which could impact Vault Cache synchronization and File System Archiving from EMC Celerra.
Conditions - This applies to all Enterprise Vault servers and clients.

File Server Archiving "Pass Through" Cache Location
Default Typical Location - user configurable
Risk
- Scanning this location can cause a performance issue because the item is scanned as it is placed in the export folder with Pass-Through Cache.
Conditions - This applies to all Enterprise Vault File Server Archiving with Pass Through Cache configuration.

Enterprise Vault 10 onwards

Note, the following new sections are only applicable to environments running Enterprise Vault 10 or later.

Enterprise Vault Indexing Engine Data Folder
Default Typical Location - <root>Program Files (x86)\Enterprise Vault\EVIndexing\data
Risk - Scanning this location can potentially quarantine vital files and applications integral to the running of the 64-bit Indexing Engine
Conditions - This applies to all Enterprise Vault servers running the Enterprise Vault Indexing Service.

Enterprise Vault Indexing Metadata location
Default Typical Location - <root>Program Files (x86)\Enterprise Vault\EVIndexing\data\indexmetadata

This location can be updated through the Enterprise Vault Administration Console, by selecting the properties of the Indexing Service on the Enterprise Vault Server. See  Enterprise Vault help for more information regarding this.
Risk - Scanning this location can potentially quarantine vital files integral to the health of 64-bit index volumes.
Conditions - This applies to all Enterprise Vault servers running the Enterprise Vault Indexing Service.

Additional Index related exclusions:

EV converters will use the 'Temporary Internet Files\content.ie5' location as needed by the StorageCrawler process

Default Typical Location - Pre Windows 2008: <root>\Documents and Settings\<VaultServiceAccount>\Local Settings\Temporary Internet Files\Content.IE5

Windows 2008 and higher:<root>\Users\<VaultServiceAccount>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

Risk - Scanning this location can potentially quarantine vital files integral to the health of index volumes.
Conditions - This applies to all Enterprise Vault servers running the Enterprise Vault Indexing Service.

EV 64-bit Index broker will use Windows and inetpub temporary folder for search queries and results.

Default Typical Location - C:\inetpub\temp\apppools\EnterpriseVaultAppPool\
Default Typical Location - C:\Windows\inf\Enterprise Vault Index Query Server\
Default Typical Location - C:\Windows\TEMP\

Risk - Scanning this location can potentially quarantine vital files integral to the health of index volumes.
Conditions - This applies to all Enterprise Vault servers running the Enterprise Vault Indexing Service.

 

Enterprise Vault 11 onwards

Note, the following new sections are only applicable to environments running Enterprise Vault 11 or later.

 

Enterprise Vault Storage Queue location

Enterprise Vault 11.0 introduces a new storage queue for each Storage service.
Following upgrade, Enterprise Vault creates the new storage queue automatically when you start the Storage service


Default Typical Location - C:\EVStorageQueue (This can be changed in the properties of the Storage Service, on the Storage Queue tab)
Risk - Scanning this location can cause corruption of the items as they are being archived, severe performance issues, which could interrupt archiving tasks, cause data loss and create database inconsistencies.
Conditions - This applies to all Enterprise Vault servers with a Storage Service. 

 

Special Considerations for Clearwell, Discovery Accelerator and Compliance Accelerator servers:

The following are additional locations to be excluded from antivirus Real-Time and On-Demand antivirus scanning for Discovery Accelerator and Compliance Accelerator servers.

Vault Service Account Temporary Folder
Default Typical Location - Pre Windows 2008: <root>\Documents and settings\<VaultServiceAccount>\Local Settings\temp. Windows 2008 and higher: <root>\Users\<VaultServiceAccount>\AppData\Local\Temp
Risk - Scanning this file can cause Accelerator services and tasks, such as Exports, to fail.
Conditions - This applies to all Enterprise Vault and Accelerator servers.

Accelerator Export Folder
Default Typical Location - user configurable per Export.
Risk - Scanning this location can cause a performance issue because the item is scanned as it is placed in the Export folder with Compliance Accelerator and Discovery Accelerator.  Items can be marked as quarantined, which could list the items as having failed the Export.
Conditions - This applies to all Compliance Accelerator and Discovery Accelerator servers.

Accelerator Prefetch Cache Location
Default Typical Location - uses the Vault Service Account's local profile TEMP folder on the Accelerator server by default. If the The Prefetch Cache has been customized, the Cache Location is configured in the Accelerator Client under Configuration | Settings | Item Prefetch Cache | Cache location.
Risk - Scanning this location can cause performance issues which could impact Reviews, Exports/Productions and Analytics (Discovery Accelerator only).
Conditions - This applies to all Compliance Accelerator Discovery Accelerator Enterprise Vault servers.

Additional Clearwell Considerations
Download the attached file: Clearwell Anti-Virus Guidelines

 


Attachments

Clearwell Anti-Virus Guidelines
Virus Scanning Guidelines - RI.pdf (507 kBytes)


Legacy ID



284807


Article URL http://www.symantec.com/docs/TECH48856


Terms of use for this information are found in Legal Notices