System Center Orchestrator AV exclusions

 

I was asked recently about antivirus/antimalware exclusions for Orchestrator and after some digging it seems Microsoft do not publish such a thing. So after bouncing the question around to a few experienced people I have drawn up this initial list and added it to the TechNet Wiki. I also updated the generic AV exclusion wiki page which is worth checking out if you haven’t already seen it.

This is a first effort and hopefully people will make suggestions and contribute over time.

The following are recommended exclusions for antivirus/antimalware scans in order to achieve optimum performance and minimise the risk of problematic behaviour in your Orchestrator infrastructure.

Exclusions by process executable

You must be very careful when you add exclusions that are based on executables as incorrect exclusions may prevent some potentially dangerous programs from being detected. Because of this we do not recommend that you rely on exclusions that are based on any process executables for Orchestrator servers. However, if you have to make exclusions that are based on the process executables, use the following processes:

  • Management Service - ManagementService.exe
  • Remoting Service - OrchestratorRemotingService.exe
  • Run Program Service - OrchestratorRunProgramService.exe
  • Runbook Server Monitor Service - RunbookServerMonitorService.exe
  • Runbook Service - RunbookService.exe

Exclusions by folders

SQL Database servers

These exclusions include the SQL Server database files that are used by Orchestrator components and the system database files for the master database and for the tempdb database. To exclude these files by directory, exclude the directory for the .ldf and .mdf files.

For example:

  • C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data
  • D:\MSSQL\DATA
  • E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Log

Standard Microsoft SQL Server specific exclusions should still apply - http://support.microsoft.com/kb/309422/en-us

Orchestrator (Management Server, Runbook Server)

These exclusions include the default installation locations for all Orchestrator server roles. Any deviation from these default locations should also be included.

For a Management Server:

  • C:\Program Files (x86)\Microsoft System Center 2012 R2\Orchestrator\Management Server

For a Runbook Server:

  • C:\Program Files (x86)\Microsoft System Center 2012 R2\Orchestrator\Runbook Server

Exclusion of file type by extension

The following file name extension-specific exclusions for Orchestrator include real-time scans, scheduled scans, and local scans.

SQL database servers

These exclusions include the SQL Server database files that are used by Orchestrator components and the system database files for the master database and for the tempdb database.

For example:

  • MDF
  • LDF
  • NDF

Standard Microsoft SQL Server specific exclusions should still apply - http://support.microsoft.com/kb/309422/en-us 

Orchestrator (Management Server, Runbook Server)

These exclusions include the log files that are used by Orchestrator.

For example:

  • LOG

Page files should also be excluded from any real-time scans.
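
One way to put the folder and extension lists above in place, as an added example that is not part of the original post or the wiki page. It assumes the server runs Microsoft Defender Antivirus, since the post names no product; the `-Apply` switch and the variable names are the example's own. Because an excluded folder is never scanned, the script first reports any identity outside a small trusted set that can write to it, and it leaves the process exclusions out, in line with the recommendation above.

```powershell
#Requires -RunAsAdministrator
# Added example: assumes Microsoft Defender Antivirus (Defender module cmdlets).
param([switch]$Apply)   # hypothetical switch: without it the script only reports

# Folder candidates copied from the lists above; edit for non-default locations.
$folders = @(
    'C:\Program Files (x86)\Microsoft System Center 2012 R2\Orchestrator\Management Server',
    'C:\Program Files (x86)\Microsoft System Center 2012 R2\Orchestrator\Runbook Server',
    'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data',
    'D:\MSSQL\DATA',
    'E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Log'
)
# Defender applies extension exclusions host-wide, not per folder.
$extensions = 'mdf', 'ldf', 'ndf', 'log'

# SIDs expected to hold write access: SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller.
$trusted = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$write = [System.Security.AccessControl.FileSystemRights]::Write

# Keep only folders that exist here; SQL and Orchestrator roles often sit on separate servers.
$present = @($folders | Where-Object { Test-Path -LiteralPath $_ -PathType Container })

foreach ($dir in $present) {
    # List every Allow entry with a write right whose owner is outside the trusted set.
    $aces = (Get-Acl -LiteralPath $dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $write)
    }
    foreach ($ace in $aces) {
        $id = $ace.IdentityReference
        try   { $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $id.Value }   # unresolvable account: fall back to the raw name
        if ($trusted -notcontains $sid) {
            Write-Warning "$dir is writable by $id; review before excluding."
        }
    }
}

if ($Apply -and $present.Count -gt 0) {
    Add-MpPreference -ExclusionPath $present
    Add-MpPreference -ExclusionExtension $extensions
}

# Show the resulting configuration so the change can be recorded and reviewed.
Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess
```

On a SQL Server host the warning is expected to name the SQL service account for the data and log folders; anything else listed deserves a look before the exclusion goes in.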