Do we *really* need to set antivirus exclusions up for our SharePoint servers?



 

Yes.  You should set RTAV exclusions up for the servers in your SharePoint farm.

 

Back in the days when ASP.NET was new and I was supporting IIS, it seemed extremely common to see Real Time Antivirus (RTAV) scanning cause problems for both classic ASP and ASP.NET. But things seemed to change over time as antivirus vendors made improvements and problems became less and less frequent. Now that it's my job to try to advise my customers on best practices for SharePoint, I am still quick to remind them of the need to set exclusions for RTAV on their SharePoint servers, FAST search servers, and SQL servers. Those that don't have exclusions tend to resist the recommendation. But they shouldn't.

I admit I haven't seen many problems where the lack of RTAV exclusions is the likely cause of a problem. In 2012 I believe I saw lack of RTAV exclusions cause a serious performance problem for one bank of FAST Search servers. I saw lack of exclusions on a SQL server cause performance problems for SharePoint in early 2013. And then recently, in June 2013, I saw (with the help of some memory dumps and a Process Monitor capture) lack of RTAV exclusions contribute to a "perfect storm" equation for bringing a SharePoint 2010 farm to the point of incapacitation--the type of incapacitation that requires an Application Pool recycle or IIS reset to get temporary relief from.

There were so many factors in the equation that this particular scenario isn't likely to affect many SharePoint farms. And there were many good workarounds that would have prevented the problem. But the fact is that if they had just set up their RTAV exclusions on their SharePoint servers, the problem would probably have been avoided entirely. This gave me the impetus to try to remind everyone of the best practices and recommendations that Microsoft has made regarding RTAV exclusions.

  

RTAV Exclusions for Windows Servers

 http://support.microsoft.com/kb/822158/en-us 
 Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows

 

RTAV Exclusions for SharePoint Servers

 http://support.microsoft.com/kb/952167 
 Certain folders may have to be excluded from antivirus scanning when you use a file-level antivirus program in SharePoint
 
 http://support.microsoft.com/kb/322941 
 Microsoft's Position on Antivirus Solutions for Microsoft SharePoint Portal Server

 

RTAV Exclusions for SQL Servers

 http://support.microsoft.com/kb/309422 
 How to choose antivirus software to run on computers that are running SQL Server

 

RTAV Exclusions for FAST servers

http://technet.microsoft.com/en-us/library/ff381239(v=office.14).aspx
 

For other server roles, see http://social.technet.microsoft.com/wiki/contents/articles/953.windows-anti-virus-exclusion-list.aspx

 

Excerpt from KB 871042, "Why is my ASP.NET application restarting?" (http://support.microsoft.com/default.aspx?scid=kb;EN-US;871042): "Article 316148 describes one of the most common causes of an application restarting frequently in this scenario: antivirus software scanning the files of your ASP.NET application. More specifically, the application restarts may occur in some situations because antivirus software is scanning the Web.config file in the root of the application, the Machine.config file, the Bin folder, or the Global.asax file"

 

Not sure?  Process Monitor can help show you which processes are interacting with the GAC, the Bin folders, and folders containing .config files or .asax files.  Link:  http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
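One way to triage a Process Monitor capture for this question, as an added example that is not part of the original post: export the capture to CSV and list every process other than the IIS worker that touches the files KB 871042 names, plus the GAC. The sample rows, the `avscan.exe` process name, the paths and the function name `Get-SensitiveFileTouch` are constructed for illustration; PowerShell 3.0 or later is assumed.

```powershell
# Constructed rows in Process Monitor's CSV export layout; names and paths are invented.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","w3wp.exe","4120","CreateFile","C:\inetpub\demo\web.config","SUCCESS",""
"10:01:02.3","avscan.exe","1888","CreateFile","C:\inetpub\demo\web.config","SUCCESS",""
"10:01:02.4","avscan.exe","1888","ReadFile","C:\inetpub\demo\bin\Contoso.WebParts.dll","SUCCESS",""
"10:01:03.0","avscan.exe","1888","CreateFile","C:\Windows\assembly\GAC_MSIL\Contoso.Lib\1.0.0.0__0000000000000000\Contoso.Lib.dll","SUCCESS",""
"10:01:03.2","svchost.exe","900","ReadFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS",""
"10:01:04.0","avscan.exe","1888","CreateFile","C:\inetpub\demo\global.asax","SUCCESS",""
'@

function Get-SensitiveFileTouch {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Processes expected to open these files; anything else is reported.
        [string[]] $ExpectedProcess = @('w3wp.exe')
    )
    # Web.config / Machine.config, Bin folder, Global.asax (KB 871042) and the GAC.
    $pattern = '\\(web|machine)\.config$|\\bin\\|\\global\.asax$|\\assembly\\GAC'
    $Events |
        Where-Object { $_.Path -match $pattern -and
                       $ExpectedProcess -notcontains $_.'Process Name' } |
        Group-Object -Property 'Process Name' |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Process = $_.Name
                Touches = $_.Count
                Paths   = @($_.Group | ForEach-Object { $_.Path } | Sort-Object -Unique)
            }
        }
}

# For a real capture, replace the next line with Import-Csv on the saved CSV export.
$rows = $sampleCsv | ConvertFrom-Csv
Get-SensitiveFileTouch -Events $rows | Format-List
```

On the constructed rows this reports only `avscan.exe`, with four touches across web.config, the Bin folder, Global.asax and the GAC; `svchost.exe` is ignored because its path is not one of the watched locations.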

 

 

Postscript:  As for SharePoint 2010, it's probably a good idea to get Service Pack 2 and the August 2013 CU.  

 

 

 

 

Additional search keywords:

ASP.net\requests current; ASP.NET Apps v2.0.50727(*)\Compilations Total; numRecompilesBeforeAppRestart; get-SPWebApplicationHTTPThrottlingMonitors; 503; Server too busy; AppDom recycle; App Doman recycle; App Domain Shut down;
Log Name:      Application
Source:        Microsoft-SharePoint Products-SharePoint Foundation
Event ID:      8062   Event ID:      8032 Task Category: Http Throttling  Level:         Critical
Description: Http throttling on SharePoint - 443 stops because there is no heavy load detected now. xxx requests have been throttled during the throttling period.
Description: Http throttling starts because a heavy load was detected on SharePoint - 443. The excessive performance counters include: \ASP.NET\Requests Current
the HttpRuntime for the application ... is in the middle of a shutdown due to MaxRecompilationsReached.  Recompilation limit of 15 reached. The application domain is restarting because of reason:- The maximum number of dynamic recompiles of resources was reached.

 

 

Adjusting the numRecompilesBeforeAppRestart setting in web.config (or machine.config) from the default value (15) to a higher number (such as 250) could be of some help in reducing the pain by avoiding the appdomain shutdown. Here is the type of thing DebugDiag's analysis report shows for this secondary problem:
In w3wp.DMP, the HttpRuntime for the application /LM/W3SVC/1512381070/ROOT is in the middle of a shutdown.
ShutDown Reason
MaxRecompilationsReached
Message
Recompilation limit of 15 reached
HostingEnvironment initiated shutdown
HostingEnvironment caused shutdown
ShutDownStack
at System.Environment.get_StackTrace()
at System.Web.Hosting.HostingEnvironment.InitiateShutdownInternal()
at System.Web.Hosting.HostingEnvironment.InitiateShutdown()
at System.Web.HttpRuntime.ShutdownAppDomain(String stackTrace)
at System.Web.Compilation.DiskBuildResultCache.ShutdownCallBack(Object state)
at System.Threading.ExecutionContext.runTryCode(Object userData)
at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading._ThreadPoolWaitCallback.PerformWaitCallbackInternal(_ThreadPoolWaitCallback tpWaitCallBack)
at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback(Object state)
The application domain is restarting because of reason:- The maximum number of dynamic recompiles of resources was reached
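To see where the recompilation limit mentioned above is actually set, the following added example (not from the original post) walks a folder tree and reports the `numRecompilesBeforeAppRestart` value on the root-level `<compilation>` element of each web.config. The function name `Get-RecompileLimit` and the demo folder are hypothetical, the two web.config files are constructed, and PowerShell 3.0 or later is assumed.

```powershell
function Get-RecompileLimit {
    param([Parameter(Mandatory)] [string] $Root)
    # Namespace-agnostic XPath: some web.config files declare an xmlns on <configuration>.
    # Only the root-level <compilation> is read; <location> overrides are not evaluated.
    $xpath = "/*[local-name()='configuration']/*[local-name()='system.web']" +
             "/*[local-name()='compilation']"
    Get-ChildItem -Path $Root -Filter web.config -Recurse -File | ForEach-Object {
        $file = $_.FullName
        try {
            $xml = New-Object System.Xml.XmlDocument
            $xml.Load($file)
            $node = $xml.SelectSingleNode($xpath)
            $attr = if ($node) { $node.GetAttribute('numRecompilesBeforeAppRestart') } else { '' }
            [pscustomobject]@{
                File     = $file
                # Not set in this file: inherited, 15 unless a parent config overrides it.
                Limit    = if ($attr) { [int]$attr } else { 15 }
                Explicit = [bool]$attr
            }
        } catch {
            # Malformed XML should not stop the audit of the remaining files.
            Write-Warning "Could not parse ${file}: $($_.Exception.Message)"
        }
    }
}

# Constructed demo input: one file raises the limit, one leaves it unset.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'recompile-demo'
New-Item -ItemType Directory -Force -Path "$demo\a", "$demo\b" | Out-Null
Set-Content "$demo\a\web.config" '<configuration><system.web><compilation numRecompilesBeforeAppRestart="250" /></system.web></configuration>'
Set-Content "$demo\b\web.config" '<configuration><system.web><compilation debug="false" /></system.web></configuration>'
Get-RecompileLimit -Root $demo | Format-Table -AutoSize
```

A file reported with `Explicit = False` still inherits any value set in a parent web.config or in machine.config, so check those before concluding the limit is 15.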


Comments (1)
  1. McAfee SME says:

    Exclusions aren't the only solution with a decent AV product.

    AV software that allows "process exclusions" can do the trick as well, without creating a directory safe haven for malware.

    For example, McAfee's Virus Scan Enterprise (VSE) can allow you to list trusted processes, and ignore scanning of any files touched by those processes.  Giving you all the benefit of directory exclusion, without a directory that a user can KNOWINGLY place malware.  I stress "knowingly" because it would require someone with intent to exploit directory exclusions.

    The trick is…  knowing all the processes for any given product that should be listed in the policy.
