Recommended list of antivirus exclusions for Enterprise Vault

Problem

The purpose of this document is to provide a list of the recommended antivirus exclusions in order to maintain Enterprise Vault data integrity.

These may not apply to all Enterprise Vault servers, depending on which services and functionality are implemented on the particular Enterprise Vault server. It is important to strike a balance: an antivirus configuration that keeps the server secure without causing reliability issues or performance degradation.

These guidelines apply to both Real-Time and On-Demand antivirus scanning.

* For the recommended list of antivirus exclusions for SQL Server when used for Enterprise Vault, Compliance Accelerator and Discovery Accelerator, see TECH176828.


 

Solution

The exclusions are grouped by type of environment. Apply the sections below that match your environment.

 




Apply the following exclusions to all versions of Enterprise Vault

 
Type: Microsoft Message Queues
Typical Default Location: %system32\MSMQ
Conditions: All Enterprise Vault servers
* Associated Risks: Scanning this location can cause MSMQ message corruption and severe performance issues which could interrupt archiving tasks, cause data loss and create database inconsistencies.

 
Type: Vault Stores
Typical Default Location: < root >Enterprise Vault Stores
Conditions: Applies to all Enterprise Vault servers
* Associated Risks: Scanning this location can cause saveset corruption which could interrupt archiving tasks, cause data loss and create database inconsistencies as well as performance issues.

 
Type: Index Locations
Typical Default Location: Configured during installation
Conditions: Applies to all Enterprise Vault servers running an Indexing Service.
* Associated Risks: Scanning these locations causes corruption of indexes and search performance issues. These indexes contain metadata and do not directly represent end user data. Recreating indexes after corruption, and the associated potential downtime, make this a medium to high risk.
 
 
Type: Centera Collections Temporary Folder
Typical Default Location: Configured during installation
Conditions: Applies to all Enterprise Vault servers running a storage service and which has at least one partition writing to a Centera device with collections enabled.
* Associated Risks: Scanning this location can cause saveset corruption which could interrupt collection and archiving tasks, cause data loss and create database inconsistencies as well as performance issues.
 
 
Type: Shopping
Typical Default Location: < root >Program Files\Enterprise Vault\Shopping
Conditions: All Enterprise Vault servers running a shopping service
* Associated Risks: Scanning this location can cause corruption of shopping baskets. Baskets are pointers to archived files and therefore they do not directly represent end user data. For this reason the risk of scanning shopping baskets is low.
 
 
Type: PST Temporary Folder
Typical Default Location: Configured during installation
Conditions: All Enterprise Vault servers running a PST Collector or Migrator Task and any server that can host a PST Temporary Folder
* Associated Risks: Scanning this location can cause performance issues with the PST Locator, Collector and Migrator tasks. These .PST files are copies of end user data, and deletion of the original is configurable such that the original would not be deleted until the .PST was completely migrated into Enterprise Vault. Since there is a workaround to provide more protection from data loss from a corrupt .PST file due to virus scanning, this is classified as a low risk, but the performance impact to .PST migration operations could be great enough to stop .PST migration activities.
 
 
Type: Enterprise Vault Temporary Folder
Typical Default Location:
  Pre Windows 2008 = < root >\Documents and settings\Local Settings\temp
  Windows 2008 = < root >\Users\AppData\Local\Temp
Conditions: Applies to all Enterprise Vault servers
* Associated Risks: Scanning this file can cause Enterprise Vault services and tasks to fail. Classified as a medium risk due to the downtime potential and because it is possible that end user data could be corrupted.
 
 
Type: Enterprise Vault Server Cache Location
Typical Default Location: Configured during installation:
  1. Right-click on the Enterprise Vault server in the Vault Administration Console.
  2. Click Properties.
  3. Click on the Cache tab.
Conditions: Applies to all Enterprise Vault servers that have a cache location.
* Associated Risks: Scanning this location can cause performance issues which could impact Vault Cache synchronization.
 
 
Type: Enterprise Vault Cache Location
Typical Default Location: Local Workstation:
  • Windows XP: %HOMEPATH%\Local Settings\Application Data\KVS\Enterprise Vault
  • Windows 7: %USERPROFILE%\AppData\Local\KVS\Enterprise Vault\
Conditions: Applies to all Enterprise Vault servers and clients.
* Associated Risks: Scanning this location can cause performance issues which could impact Vault Cache synchronization and File System Archiving from EMC Celerra.
 
 
Type: File Server Archiving "Pass Through" Cache Location
Typical Default Location: Configured during installation
Conditions: Applies to all Enterprise Vault File Server Archiving with Pass Through Cache configuration.
* Associated Risks: Scanning this location can cause a performance issue because the item is scanned as it is placed in the export folder with Pass-Through Cache.
 



Apply the following exclusions to all environments running Enterprise Vault greater than version 10

 
Type: Enterprise Vault Indexing Engine Data Folder
Typical Default Location: < root >Program Files (x86)\Enterprise Vault\EVIndexing\data
Conditions: Applies to all Enterprise Vault servers running the Enterprise Vault Indexing Service.
* Associated Risks: Scanning this location can potentially quarantine vital files and applications integral to the running of the 64-bit Indexing Engine.

 
Type: Enterprise Vault Indexing Metadata location
Typical Default Location: < root >Program Files (x86)\Enterprise Vault\EVIndexing\data\indexmetadata
Conditions: Applies to all Enterprise Vault servers running the Enterprise Vault Indexing Service
* Associated Risks: Scanning this location can potentially quarantine vital files integral to the health of 64-bit index volumes.

 
Type: EV 64-bit Index broker
Typical Default Location: Uses Windows and inetpub temporary folder for search queries and results.
  #1: C:\inetpub\temp\apppools\EnterpriseVaultAppPool\
  #2: C:\Windows\inf\Enterprise Vault Index Query Server\
  #3: C:\Windows\TEMP\
Conditions: Applies to all Enterprise Vault servers running the Enterprise Vault Indexing Service.
* Associated Risks: Scanning this location can potentially quarantine vital files integral to the health of index volumes.
 



Apply the following exclusions to all environments running Enterprise Vault greater than version 11

 
Enterprise Vault 11.0 introduces a new storage queue for each Storage service.
Following upgrade, Enterprise Vault creates the new storage queue automatically when you start the Storage service.

Special consideration is needed when a Vault Store is configured to maintain Safety Copies in the new Storage Queues. These Storage Queues cannot be stored on the same drive as the partitions. As such, the Storage Queue location will not be in a default location, but rather in a location chosen by the EV Admin. This location needs to be excluded.

 
Type: SMTP Archiving now stores messages in a holding folder to be processed by the SMTP archiving task. This location is custom, and should be excluded.
Typical Default Location: C:\EVStorageQueue
  (This can be changed in the properties of the Storage Service, on the Storage Queue tab)
Conditions: Applies to all Enterprise Vault servers with a Storage Service
* Associated Risks: Scanning this location can cause corruption of the items as they are being archived, severe performance issues, which could interrupt archiving tasks, cause data loss and create database inconsistencies.
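
The lists above are conditional on the services a server runs, so it is worth checking that the exclusions actually configured match them and are no broader than advised. The following is an added example, not part of the original article or any vendor tooling: it takes the fixed paths from the version 10 and version 11 sections and compares them with an exported exclusion list. The service keys, the `root` default, the sample list and `E:\EVIndex` are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Fixed paths quoted from the version 10 and version 11 tables above, keyed by
# the service that makes them apply. "{root}" stands for the page's < root >.
RECOMMENDED = {
    "indexing": [
        r"{root}Program Files (x86)\Enterprise Vault\EVIndexing\data",
        r"C:\inetpub\temp\apppools\EnterpriseVaultAppPool",
        r"C:\Windows\inf\Enterprise Vault Index Query Server",
        r"C:\Windows\TEMP",
    ],
    "storage": [r"C:\EVStorageQueue"],  # page's value; the admin may have moved it
}

# Constructed sample: exclusion paths as exported from the antivirus console.
SAMPLE_CONFIGURED = [
    r"c:\windows\temp",
    r"C:\inetpub",
    r"C:\EVStorageQueue",
    r"D:\Scratch",
]


def expected_exclusions(services, root="C:\\", extra=()):
    """Paths to exclude; extra = locations 'Configured during installation'."""
    fixed = [p.format(root=root) for s in services for p in RECOMMENDED.get(s, [])]
    return [PureWindowsPath(p) for p in [*fixed, *extra]]


def audit(configured, expected):
    """Compare configured exclusions with the expected list (case-insensitive)."""
    configured = [PureWindowsPath(p) for p in configured]
    report = {"missing": [], "too_broad": [], "unexpected": []}
    for exp in expected:
        if not any(cfg == exp or cfg in exp.parents for cfg in configured):
            report["missing"].append(str(exp))
    for cfg in configured:
        if any(cfg in exp.parents for exp in expected):
            report["too_broad"].append(str(cfg))  # parent folder skips more than advised
        elif not any(cfg == exp or exp in cfg.parents for exp in expected):
            report["unexpected"].append(str(cfg))  # not traceable to this list
    return report


if __name__ == "__main__":
    # E:\EVIndex is a hypothetical index location chosen at installation.
    wanted = expected_exclusions(["indexing", "storage"], extra=[r"E:\EVIndex"])
    print(audit(SAMPLE_CONFIGURED, wanted))
```

Entries reported as `too_broad` or `unexpected` leave more of the server unscanned than this list calls for and are the ones to review first.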
   



Special Considerations for eDiscovery Platform, Discovery Accelerator and Compliance Accelerator servers:

 
The following are additional locations to be excluded from Real-Time and On-Demand antivirus scanning for Discovery Accelerator and Compliance Accelerator servers.
 
Type: Vault Service Account Temporary Folder
Typical Default Location:
  Pre Windows 2008: < root >\Documents and settings\\Local Settings\temp
  Windows 2008 and higher: < root >\Users\\AppData\Local\Temp
Conditions: Applies to all Enterprise Vault and Accelerator servers
* Associated Risks: Scanning this file can cause Accelerator services and tasks, such as Exports, to fail.
   

 
Type: Accelerator Export Folder
Typical Default Location: Configured per export
Conditions: Applies to all Compliance Accelerator and Discovery Accelerator servers
* Associated Risks: Scanning this location can cause a performance issue because the item is scanned as it is placed in the Export folder with Compliance Accelerator and Discovery Accelerator. Items can be marked as quarantined, which could list the items as having failed the Export.
   

 
Type: Accelerator Prefetch Cache Location
Typical Default Location: Uses the Vault Service Account's local profile TEMP folder on the Accelerator server by default. If the Prefetch Cache has been customized, the Cache Location is configured in the Accelerator Client under Configuration | Settings | Item Prefetch Cache | Cache location.
Conditions: Applies to all Compliance Accelerator and Discovery Accelerator servers
* Associated Risks: Scanning this location can cause performance issues which could impact Reviews, Exports/Productions and Analytics (Discovery Accelerator only).
   
 
Type: ECM Temporary Storage Area Location
Typical Default Location: Uses the Vault Service Account's local profile TEMP folder or the Windows TEMP folder on the Accelerator server by default. If the ECM Temporary storage area location must be moved per TECH76144, the storage area Location is configured in 2 places in the Accelerator Client: under Configuration | Settings | Reviewing | ECM Temporary storage area and under Configuration | Settings | API | Temporary storage area.
Conditions: Applies to all Compliance Accelerator and Discovery Accelerator servers
* Associated Risks: Scanning this location can cause performance issues, such as failure to obtain a file lock, which could impact Reviews and Exports along with Discovery Accelerator's Productions and Analytics processing.

For additional eDiscovery Powered by Clearwell considerations, see TECH224423.
