Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients

05/25/2020

This article contains recommendations that may help an administrator determine the cause of potential instability on a computer that's running a supported version of Configuration Manager site servers, site systems, and clients when it's used together with antivirus software.

Original product version: Microsoft System Center 2012 Configuration Manager, Microsoft System Center 2012 R2 Configuration Manager, Configuration Manager (current branch)

Original KB number: 327453

Summary

We recommend that you temporarily apply these procedures to evaluate a system. If your system performance or stability is improved by the recommendations that are made in this article, contact your antivirus software vendor for instructions or for an updated version of the antivirus software.

Important: This article contains information that shows how to lower security settings or how to temporarily turn off security features on a computer. You can make these changes to understand the nature of a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment.

Antivirus real-time protection can cause many problems on Configuration Manager site servers, site systems, and clients.

The following is a non-comprehensive list of possible symptoms:

Remote site system components are not installed. SiteComp.log, Distmgr.log, hman.log, or other Configuration Manager log files may contain errors such as error 80070005.

The Configuration Manager client cannot be installed through client push.

Client inventory information is inaccurate, missing, or out-of-date.

Backlogs occur in the Install_Directory\Inboxes folders on site servers.

Backlogs occur in the Install_Directory\MP\Outboxes subfolders on management points (MP).

Software Center is not populated by deployed software on client systems, or does not start. Also, the CCMRepair.log file may contain errors that resemble the following: Database verification failed with result: 0x80004005 but DB: C:\Windows\CCM\filename.sdf could be opened, skipping DB repair.

Software that is deployed to clients cannot be installed.

Compliance data for software deployments is inaccurate.

Exclusions

We recommend that you add the following real-time protection exclusions to prevent these problems.

Default installation folders

Folder                                      Path
Configuration Manager installation folder   %ProgramFiles%\Microsoft Configuration Manager
MP installation folder                      %ProgramFiles%\SMS_CCM
Client installation folder                  %Windir%\CCM

Folder exclusions for site servers

ConfigMgr installation folder\Inboxes

ConfigMgr installation folder\Logs

ConfigMgr installation folder\EasySetupPayload

Folder exclusions for site systems

Management points:

MP installation folder\ServiceData

Either of the following:
ConfigMgr installation folder\MP\OUTBOXES
Installation drive\SMS\MP\OUTBOXES

Distribution points:

Client installation folder\ServiceData

ContentLib_drive\SMS_DP$

ContentLib_drive\SMSPKGDrive_Letter$

ContentLib_drive\SMSPKG

ContentLib_drive\SMSPKGSIG

ContentLib_drive\SMSSIG$

Site database servers:

See How to choose antivirus software to run on computers that are running SQL Server.

Folder exclusions for clients

Client installation folder\*.sdf

Client installation folder\ServiceData

C:\Windows\CCMCache

C:\Windows\CCMSetup

Client installation folder\Logs

File exclusions for MPs

POL00000.pol in MP installation folder\PolReqStaging

Do not scan outgoing files on MPs

Most antivirus software has an option to scan files that are copied to a remote location (outgoing files). This should be disabled on management points.

For Windows Defender, the policy name is "Configure monitoring for incoming and outgoing file and program activity", and it should be set to "Scan only incoming files". For more information, see Enable and configure Windows Defender Antivirus always-on protection in Group Policy.

Process exclusions

Process exclusions are necessary only if aggressive antivirus programs consider Configuration Manager executables (.exe) to be high-risk processes.

ConfigMgr installation folder\bin\x64\Smsexec.exe

Either of the following:
Client installation folder\Ccmexec.exe
MP installation folder\Ccmexec.exe

Client installation folder\CmRcService.exe (client-side)

ConfigMgr installation folder\bin\x64\Sitecomp.exe

ConfigMgr installation folder\bin\x64\Smswriter.exe

ConfigMgr installation folder\bin\x64\Smssqlbkup.exe, or SMS_SQLFQDN\bin\x64\Smssqlbkup.exe

ConfigMgr installation folder\bin\x64\Cmupdate.exe

Client installation folder\Ccmrepair.exe (client-side)

%windir%\CCMSetup\Ccmsetup.exe (client-side)
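A read-only check for a client that runs Microsoft Defender Antivirus, added here as an example and not part of the original article: it compares the exclusions Defender currently holds against the client folder and client-side process entries listed above, and reports entries that are missing as well as entries excluded beyond this list. It assumes the default client installation folder %Windir%\CCM and an elevated PowerShell session; the function name Compare-ExclusionSet is hypothetical.

```powershell
# Added example (not from the article): audit Defender exclusions on a ConfigMgr client.
# Assumption: default client installation folder %Windir%\CCM. Nothing is modified.
$ccm = "$env:windir\CCM"

# Client folder exclusions as listed in the article.
$recommendedPaths = @(
    "$ccm\*.sdf",
    "$ccm\ServiceData",
    'C:\Windows\CCMCache',
    'C:\Windows\CCMSetup',
    "$ccm\Logs"
)

# Client-side process exclusions. The article calls these necessary only when the
# antivirus product treats the executables as high-risk, so "Missing" may be acceptable.
$recommendedProcesses = @(
    "$ccm\Ccmexec.exe",
    "$ccm\CmRcService.exe",
    "$ccm\Ccmrepair.exe",
    "$env:windir\CCMSetup\Ccmsetup.exe"
)

function Compare-ExclusionSet {
    param([string]$Kind, [string[]]$Recommended, [string[]]$Configured)

    # Normalise before comparing: expand %VAR%, drop trailing backslash, ignore case.
    $norm = { param($p) [Environment]::ExpandEnvironmentVariables($p).TrimEnd('\').ToLowerInvariant() }
    $rec = @($Recommended | ForEach-Object { & $norm $_ })
    $cfg = @($Configured | Where-Object { $_ } | ForEach-Object { & $norm $_ })

    foreach ($r in $rec) {
        if ($cfg -notcontains $r) { [pscustomobject]@{ Kind = $Kind; Status = 'Missing'; Entry = $r } }
    }
    # Anything excluded that the article does not list is a scanning blind spot to review.
    foreach ($c in $cfg) {
        if ($rec -notcontains $c) { [pscustomobject]@{ Kind = $Kind; Status = 'NotInArticle'; Entry = $c } }
    }
}

$pref = Get-MpPreference   # exclusion lists may be hidden unless the session is elevated
$report = @(
    Compare-ExclusionSet -Kind 'Path'    -Recommended $recommendedPaths     -Configured $pref.ExclusionPath
    Compare-ExclusionSet -Kind 'Process' -Recommended $recommendedProcesses -Configured $pref.ExclusionProcess
)
$report | Sort-Object Status, Kind | Format-Table -AutoSize
```

Entries reported as NotInArticle are not necessarily wrong, but each one should have an owner and a reason, because excluded locations are not scanned in real time.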
