Problem
The purpose of this document is to provide a list of the recommended antivirus exclusions in order to maintain Enterprise Vault data integrity.
These may not apply to all Enterprise Vault servers, depending on which services and functionality are implemented on the particular Enterprise Vault server. It is important to strike a balance: a secure server antivirus configuration that does not cause reliability issues or performance degradation.
These guidelines apply to both Real-Time and On-Demand antivirus scanning.
Recommended list of antivirus exclusions for SQL Server when used for Enterprise Vault, Compliance Accelerator and Discovery Accelerator
Solution
The exclusions are separated by the type of environment. Please choose from the following options for your configuration.
- All versions of Enterprise Vault
- Enterprise Vault Version 10 or greater
- Enterprise Vault Version 11 or greater
- Enterprise Vault Version 14.2 or greater
- Special Considerations for eDiscovery Platform, Discovery and Compliance Accelerator Servers
- Process-based exclusions
Apply the following exclusions to all versions of Enterprise Vault
Type | Typical Default Location | Conditions |
Microsoft Message Queues | %system32\MSMQ | All Enterprise Vault servers |
Vault Stores | < root >Enterprise Vault Stores | Applies to all Enterprise Vault servers |
Index Locations | Configured during installation | Applies to all Enterprise Vault servers running an Indexing Service. |
Centera Collections Temporary Folder | Configured during installation | Applies to all Enterprise Vault servers running a storage service and which has at least one partition writing to a Centera device with collections enabled. |
Shopping | < root >Program Files\Enterprise Vault\Shopping | All Enterprise Vault servers running a shopping service |
PST Temporary Folder | Configured during installation | All Enterprise Vault servers running a PST Collector or Migrator Task and any server that can host a PST Temporary Folder |
Enterprise Vault Temporary Folder | Windows 2003 and earlier = < root >\Documents and settings\Local Settings\temp; Windows 2008 and later = < root > \Users\AppData\Local\Temp | Applies to all Enterprise Vault servers |
Enterprise Vault Server Cache Location | Configured during installation: | Applies to all Enterprise Vault servers that have a cache location. |
Enterprise Vault Cache Location | Local Workstation: | Applies to all Enterprise Vault servers and clients. |
File Server Archiving "Pass Through" Cache Location | Configured during installation | Applies to all Enterprise Vault File Server Archiving with Pass Through Cache configuration. |
Apply the following exclusions to all environments running Enterprise Vault greater than version 10
Type | Typical Default Location | Conditions |
Enterprise Vault Indexing Engine Data Folder | < root >Program Files (x86)\Enterprise Vault\EVIndexing\data | Applies to all Enterprise Vault servers running the Enterprise Vault Indexing Service. |
Enterprise Vault Indexing Metadata location | < root >Program Files (x86)\Enterprise Vault\EVIndexing\data\indexmetadata | Applies to all Enterprise Vault servers running the Enterprise Vault Indexing Service |
EV 64-bit Index broker: Uses Windows and inetpub temporary folder for search queries and results. | #1: C:\inetpub\temp\apppools\EnterpriseVaultAppPool\ #2: C:\Windows\inf\Enterprise Vault Index Query Server\ #3: C:\Windows\TEMP\ | Applies to all Enterprise Vault servers running the Enterprise Vault Indexing Service. |
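The following is an added example, not part of the original article or any vendor tooling: a PowerShell audit that compares the fixed-path locations named in the tables above with the path exclusions currently set. It assumes Microsoft Defender Antivirus is the scanner (Get-MpPreference / Add-MpPreference), that "< root >" is C:\, and that "%system32" means %SystemRoot%\System32; the -Root, -ConfiguredLocations and -Apply parameters are names chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit Defender path exclusions against this article's list.
param(
    [string]$Root = 'C:\',                  # assumption: "< root >" is C:\
    [string[]]$ConfiguredLocations = @(),   # admin-chosen paths (index, storage queue, cache, ...)
    [switch]$Apply                          # add missing exclusions instead of only reporting
)

# Fixed default locations taken from the tables above. The indexmetadata folder
# sits under EVIndexing\data, so the parent exclusion already covers it.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\MSMQ'),
    (Join-Path $Root 'Program Files (x86)\Enterprise Vault\EVIndexing\data'),
    'C:\inetpub\temp\apppools\EnterpriseVaultAppPool',
    'C:\Windows\inf\Enterprise Vault Index Query Server',
    'C:\Windows\TEMP'
) + $ConfiguredLocations

# Compare paths case-insensitively and without a trailing backslash.
function Get-NormalizedPath([string]$Path) { $Path.TrimEnd('\').ToLowerInvariant() }

$current = @((Get-MpPreference).ExclusionPath | Where-Object { $_ } |
    ForEach-Object { Get-NormalizedPath $_ })
$wanted = @($expected | ForEach-Object { Get-NormalizedPath $_ })

$report = foreach ($path in $expected) {
    $present  = Test-Path -LiteralPath $path
    $excluded = $current -contains (Get-NormalizedPath $path)
    # Not every location exists on every server; skip the ones that do not.
    $action = if (-not $present) { 'skip: not present on this server' } elseif ($excluded) { 'ok' } else { 'add' }
    [pscustomobject]@{ Path = $path; Exists = $present; Excluded = $excluded; Action = $action }
}
$report | Format-Table -AutoSize

# Every exclusion is a location the scanner no longer inspects, so list any
# exclusion that this article does not call for and have it reviewed.
$current | Where-Object { $wanted -notcontains $_ } |
    ForEach-Object { Write-Warning "Exclusion not in the Enterprise Vault list, review: $_" }

if ($Apply) {
    $report | Where-Object Action -eq 'add' |
        ForEach-Object { Add-MpPreference -ExclusionPath $_.Path }
}
```

Run it without -Apply first to see the report, and pass the locations that are "configured during installation" through -ConfiguredLocations so they are checked as well.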
Apply the following exclusions to all environments running Enterprise Vault greater than version 11
Enterprise Vault 11.0 introduces a new storage queue for each Storage service.
Following upgrade, Enterprise Vault creates the new storage queue automatically when you start the Storage service.
Special consideration needs to be taken when a VaultStore is configured to maintain Safety Copies in the new Storage Queues. These Storage Queues cannot be stored on the same drive as the partitions. As such, the Storage Queue location will not be in a default location, but rather in a location chosen by the EV Admin. This location needs to be excluded.
Type | Typical Default Location | Conditions |
Storage Queue location | This location is configured on the Properties of the Storage Service. | Applies to all Enterprise Vault servers with a Storage Service |
SMTP Archiving Task holding folder | This location is configured on the Properties of the SMTP Archiving Task | Applies to all Enterprise Vault servers with an SMTP Archiving Task |
Apply the following exclusions to all environments running Enterprise Vault greater than version 14.2
Enterprise Vault 14.2 introduces Elasticsearch as a new indexing engine that supports backing up the index data location by using a snapshot mechanism.
Type | Typical Default Location | Conditions |
Index Snapshot locations | This location is configured by an Enterprise Vault Administrator using the Set-EVIndexSnapshotLocation PowerShell command. | Applies to all Enterprise Vault servers running an Indexing service. |
* Associated Risks: Scanning these locations can cause corruption of snapshots and that may cause issues while restoring index data during disaster recovery. Recreating indexes due to corruption and the associated potential downtime makes this a medium to high risk.
Special Considerations for eDiscovery Platform, Discovery Accelerator and Compliance Accelerator servers:
The following are additional locations to be excluded from Real-Time and On-Demand antivirus scanning for Discovery Accelerator and Compliance Accelerator servers.
Type | Typical Default Location | Conditions |
Vault Service Account Temporary Folder | Pre Windows 2008: < root >\Documents and settings\\Local Settings\temp; Windows 2008 and higher: < root > \Users\\AppData\Local\Temp | Applies to all Enterprise Vault and Accelerator servers |
Accelerator Export Folder | Configured per export | Applies to all Compliance Accelerator and Discovery Accelerator servers |
Accelerator Prefetch Cache Location | Uses the Vault Service Account's local profile TEMP folder on the Accelerator server by default. If the Prefetch Cache has been customized, the Cache Location is configured in the Accelerator Client under Configuration | Settings | Item Prefetch Cache | Cache location. | Applies to all Compliance Accelerator and Discovery Accelerator servers |
ECM Temporary Storage Area Location | Uses the Vault Service Account's local profile TEMP folder or the Windows TEMP folder on the Accelerator server by default. If the ECM Temporary storage area location must be moved per 000040672, the storage area Location is configured in 2 places in the Accelerator Client: under Configuration | Settings | Reviewing | ECM Temporary storage area and under Configuration | Settings | API | Temporary storage area. | Applies to all Compliance Accelerator and Discovery Accelerator servers |
* Associated Risks: Scanning this location can cause performance issues, such as failure to obtain a file lock, which could impact Reviews and Exports along with Discovery Accelerator's Productions and Analytics processing.
Process-based exclusions:
Enterprise Vault installations include a process logging tool named Dtrace. This tool can be used to view all currently running Enterprise Vault, Compliance Accelerator / Veritas Advanced Supervision and Discovery Accelerator processes that would need to be excluded from AV scanning. For more information about the processes available in Dtrace, see Article 100001741.
For additional eDiscovery Powered by Clearwell considerations, see 100013987.