Recommended list of antivirus exclusions for Enterprise Vault

Article: 100017720
Last Published: 2023-01-19
Product(s): Enterprise Vault

Problem

The purpose of this document is to provide a list of the recommended antivirus exclusions in order to maintain Enterprise Vault data integrity.

Not every exclusion applies to every Enterprise Vault server; which ones apply depends on the services and functionality implemented on that particular server. The goal is a secure server antivirus configuration that does not cause reliability issues or performance degradation.

These guidelines apply to both Real-Time and On-Demand antivirus scanning.

Recommended list of antivirus exclusions for SQL Server when used for Enterprise Vault, Compliance Accelerator and Discovery Accelerator
 

Solution

The exclusions are grouped by type of environment. Use the sections below that match your configuration.

 




Apply the following exclusions to all versions of Enterprise Vault

 
Type: Microsoft Message Queues
Typical Default Location: %system32\MSMQ
Conditions: All Enterprise Vault servers
* Associated Risks: Scanning this location can cause MSMQ message corruption and severe performance issues, which could interrupt archiving tasks, cause data loss and create database inconsistencies.

 
Type: Vault Stores
Typical Default Location: < root >Enterprise Vault Stores
Conditions: Applies to all Enterprise Vault servers
* Associated Risks: Scanning this location can cause saveset corruption which could interrupt archiving tasks, cause data loss and create database inconsistencies as well as performance issues.

 
Type: Index Locations
Typical Default Location: Configured during installation
Conditions: Applies to all Enterprise Vault servers running an Indexing Service.
* Associated Risks: Scanning these locations causes corruption of indexes and search performance issues. These indexes contain metadata and do not directly represent end user data. Recreating indexes due to corruption and the associated potential downtime make this a medium to high risk.
 
 
Type: Centera Collections Temporary Folder
Typical Default Location: Configured during installation
Conditions: Applies to all Enterprise Vault servers that run a storage service and have at least one partition writing to a Centera device with collections enabled.
* Associated Risks: Scanning this location can cause saveset corruption which could interrupt collection and archiving tasks, cause data loss and create database inconsistencies as well as performance issues.
 
 
Type: Shopping
Typical Default Location: < root >Program Files\Enterprise Vault\Shopping
Conditions: All Enterprise Vault servers running a shopping service
* Associated Risks: Scanning this location can cause corruption of shopping baskets. Baskets are pointers to archived files and therefore they do not directly represent end user data. For this reason the risk of scanning shopping baskets is low.
 
 
Type: PST Temporary Folder
Typical Default Location: Configured during installation
Conditions: All Enterprise Vault servers running a PST Collector or Migrator Task and any server that can host a PST Temporary Folder
* Associated Risks: Scanning this location can cause performance issues with the PST Locator, Collector and Migrator tasks. These .PST files are copies of end user data, and deletion of the original is configurable such that the original would not be deleted until the .PST was completely migrated into Enterprise Vault. Since there is a workaround to provide more protection from data loss from a corrupt .PST file due to virus scanning, this can be classified as a low risk, but the performance impact to .PST migration operations could be great enough to stop .PST migration activities.
 
 
Type: Enterprise Vault Temporary Folder
Typical Default Location:
  Windows 2003 and earlier = < root >\Documents and settings\Local Settings\temp
  Windows 2008 and later = < root > \Users\AppData\Local\Temp
Conditions: Applies to all Enterprise Vault servers
* Associated Risks: Scanning this folder can cause Enterprise Vault services and tasks to fail. Classified as a medium risk due to the downtime potential and because it is possible that end user data could be corrupted.
 
 
Type: Enterprise Vault Server Cache Location
Typical Default Location: Configured during installation:
  1. Right-click on the Enterprise Vault server in the Vault Administration Console.
  2. Click Properties.
  3. Click on the Cache tab.
Conditions: Applies to all Enterprise Vault servers that have a cache location.
* Associated Risks: Scanning this location can cause performance issues which could impact Vault Cache synchronization.
 
 
Type: Enterprise Vault Cache Location
Typical Default Location: Local Workstation:
  • Windows XP: %HOMEPATH%\Local Settings\Application Data\KVS\Enterprise Vault
  • Windows 7/8/10: %USERPROFILE%\AppData\Local\KVS\Enterprise Vault\
Conditions: Applies to all Enterprise Vault servers and clients.
* Associated Risks: Scanning this location can cause performance issues which could impact Vault Cache synchronization and File System Archiving from EMC Celerra.
 
 
Type: File Server Archiving "Pass Through" Cache Location
Typical Default Location: Configured during installation
Conditions: Applies to all Enterprise Vault File Server Archiving with Pass Through Cache configuration.
* Associated Risks: Scanning this location can cause a performance issue because the item is scanned as it is placed in the export folder with Pass-Through Cache.
 



Apply the following exclusions to all environments running Enterprise Vault greater than version 10

 
Type: Enterprise Vault Indexing Engine Data Folder
Typical Default Location: < root >Program Files (x86)\Enterprise Vault\EVIndexing\data
Conditions: Applies to all Enterprise Vault servers running the Enterprise Vault Indexing Service.
* Associated Risks: Scanning this location can potentially quarantine vital files and applications integral to the running of the 64-bit Indexing Engine.

 
Type: Enterprise Vault Indexing Metadata location
Typical Default Location: < root >Program Files (x86)\Enterprise Vault\EVIndexing\data\indexmetadata
Conditions: Applies to all Enterprise Vault servers running the Enterprise Vault Indexing Service
* Associated Risks: Scanning this location can potentially quarantine vital files integral to the health of 64-bit index volumes.

 
Type: EV 64-bit Index broker
Typical Default Location: Uses Windows and inetpub temporary folders for search queries and results.
  #1: C:\inetpub\temp\apppools\EnterpriseVaultAppPool\
  #2: C:\Windows\inf\Enterprise Vault Index Query Server\
  #3: C:\Windows\TEMP\
Conditions: Applies to all Enterprise Vault servers running the Enterprise Vault Indexing Service.
* Associated Risks: Scanning this location can potentially quarantine vital files integral to the health of index volumes.
 



Apply the following exclusions to all environments running Enterprise Vault greater than version 11

 
Enterprise Vault 11.0 introduces a new storage queue for each Storage service.
Following upgrade, Enterprise Vault creates the new storage queue automatically when you start the Storage service.

Special consideration is needed when a Vault Store is configured to maintain Safety Copies in the new Storage Queues. These Storage Queues cannot be stored on the same drive as the partitions. As such, the Storage Queue location will not be in a default location, but rather in a location chosen by the EV Admin. This location needs to be excluded.

 
Type: Storage Queue location
Typical Default Location: This location is configured on the Properties of the Storage Service.
Conditions: Applies to all Enterprise Vault servers with a Storage Service

Type: SMTP Archiving Task holding folder
Typical Default Location: This location is configured on the Properties of the SMTP Archiving Task.
Conditions: Applies to all Enterprise Vault servers with an SMTP Archiving Task
* Associated Risks: Scanning these locations can cause corruption of the items as they are being archived and severe performance issues, which could interrupt archiving tasks, cause data loss and create database inconsistencies.
   

Apply the following exclusions to all environments running Enterprise Vault greater than version 14.2

Enterprise Vault 14.2 introduces Elasticsearch as a new indexing engine that supports backing up the index data location by using a snapshot mechanism.

 

Type: Index Snapshot locations
Typical Default Location: This location is configured by an Enterprise Vault Administrator using the Set-EVIndexSnapshotLocation PowerShell command.
Conditions: Applies to all Enterprise Vault servers running an Indexing service.
* Associated Risks: Scanning these locations can cause corruption of snapshots, which may cause issues while restoring index data during disaster recovery. Recreating indexes due to corruption and the associated potential downtime make this a medium to high risk.

   



Special Considerations for eDiscovery Platform, Discovery Accelerator and Compliance Accelerator servers:

 
The following are additional locations to be excluded from Real-Time and On-Demand antivirus scanning for Discovery Accelerator and Compliance Accelerator servers.
 
Type: Vault Service Account Temporary Folder
Typical Default Location:
  Pre Windows 2008: < root >\Documents and settings\\Local Settings\temp
  Windows 2008 and higher: < root > \Users\\AppData\Local\Temp
Conditions: Applies to all Enterprise Vault and Accelerator servers
* Associated Risks: Scanning this folder can cause Accelerator services and tasks, such as Exports, to fail.
   

 
Type: Accelerator Export Folder
Typical Default Location: Configured per export
Conditions: Applies to all Compliance Accelerator and Discovery Accelerator servers
* Associated Risks: Scanning this location can cause a performance issue because the item is scanned as it is placed in the Export folder with Compliance Accelerator and Discovery Accelerator. Items can be marked as quarantined, which could list the items as having failed the Export.
   

 
Type: Accelerator Prefetch Cache Location
Typical Default Location: Uses the Vault Service Account's local profile TEMP folder on the Accelerator server by default. If the Prefetch Cache has been customized, the Cache Location is configured in the Accelerator Client under Configuration | Settings | Item Prefetch Cache | Cache location.
Conditions: Applies to all Compliance Accelerator and Discovery Accelerator servers
* Associated Risks: Scanning this location can cause performance issues which could impact Reviews, Exports/Productions and Analytics (Discovery Accelerator only).
   
 
Type: ECM Temporary Storage Area Location
Typical Default Location: Uses the Vault Service Account's local profile TEMP folder or the Windows TEMP folder on the Accelerator server by default. If the ECM Temporary storage area location must be moved per 000040672, the storage area location is configured in 2 places in the Accelerator Client: under Configuration | Settings | Reviewing | ECM Temporary storage area and under Configuration | Settings | API | Temporary storage area.
Conditions: Applies to all Compliance Accelerator and Discovery Accelerator servers

* Associated Risks: Scanning this location can cause performance issues, such as failure to obtain a file lock, which could impact Reviews and Exports along with Discovery Accelerator's Productions and Analytics processing.

Process-based exclusions:

Enterprise Vault installations include a process logging tool named Dtrace. This tool can be used to view all currently running Enterprise Vault, Compliance Accelerator / Veritas Advanced Supervision and Discovery Accelerator processes that would need to be excluded from AV scanning. For more information about the processes available in Dtrace, see Article 100001741.

For additional eDiscovery Powered by Clearwell considerations, see 100013987.
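
One way to check a server against the fixed default locations listed above, as an added example that is not part of the original article. It assumes Microsoft Defender Antivirus is the scanner (the article itself is product-neutral), that < root > is C:\, and that %system32\MSMQ means %SystemRoot%\System32\MSMQ; the -ConfiguredLocations parameter is a hypothetical name for the site-specific folders.

```powershell
# Added example: audit Microsoft Defender path exclusions against this article.
# Assumptions (not from the article): Defender is the antivirus product,
# <root> is C:\, and "%system32\MSMQ" means %SystemRoot%\System32\MSMQ.
# Run elevated: Defender hides its exclusion list from non-administrators.
param(
    [string]   $Root = 'C:\',
    # Site-specific folders the article calls "configured during installation"
    # (Vault Stores, index locations, Storage Queue, snapshot locations, ...).
    [string[]] $ConfiguredLocations = @()
)

# Fixed default locations listed in the article.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\MSMQ')
    (Join-Path $Root 'Program Files\Enterprise Vault\Shopping')
    (Join-Path $Root 'Program Files (x86)\Enterprise Vault\EVIndexing\data')
    'C:\inetpub\temp\apppools\EnterpriseVaultAppPool'
    'C:\Windows\inf\Enterprise Vault Index Query Server'
    'C:\Windows\TEMP'
) + $ConfiguredLocations

# Compare case-insensitively and ignore trailing backslashes.
function Normalize([string] $Path) { $Path.TrimEnd('\').ToLowerInvariant() }

$current      = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })
$currentNorm  = @($current  | ForEach-Object { Normalize $_ })
$expectedNorm = @($expected | ForEach-Object { Normalize $_ })

$report = @(foreach ($path in $expected) {
    $state = if (-not (Test-Path -LiteralPath $path)) {
        'NotPresentOnThisServer'   # role not installed here, nothing to exclude
    } elseif ($currentNorm -contains (Normalize $path)) {
        'Excluded'
    } else {
        'MissingExclusion'
    }
    [pscustomobject]@{ Path = $path; State = $state }
})

# Exclusions already configured that this article does not call for
# (for example an entire drive); each one needs its own justification.
$report += @(foreach ($path in $current) {
    if ($expectedNorm -notcontains (Normalize $path)) {
        [pscustomobject]@{ Path = $path; State = 'NotInArticle' }
    }
})

$report | Sort-Object State, Path | Format-Table -AutoSize
```

The script only reads the current configuration; it changes no exclusions.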
