Antivirus exclusions for Operations Manager 2012; Management, Gateway and SQL servers

SCOM 2012 Antivirus exclusions; Management, Gateway and SQL servers

For information on exclusions on the SCOM 2012 and 2007 agents click here.

This question comes up all the time in new environments, so I decided to write a blog post about the exclusions that let the SCOM 2012 and SQL 2008 R2 servers run efficiently.

Note: replace %programfiles% with the physical location, like C:\Program Files\System Center Operations…. Do this for all entries below. Also make sure the path you use is correct!

Excluded Processes
Forefront – Excluded processes
McAfee – On Access Low risk processes
SCOM 2012
-%programfiles%\System Center Operations Manager\Agent\HealthService.exe
-%programfiles%\System Center Operations Manager\Agent\MonitoringHost.exe
-%programfiles%\Microsoft\Exchange Server\v14\Bin\Microsoft.Exchange.Monitoring.CorrelationEngine.exe
-%programfiles%\System Center 2012\Operations Manager\Console\Microsoft.EnterpriseManagement.Monitoring.Console.exe

-C:\Windows\system32\AdtAgent.exe
-%programfiles%\System Center 2012\Operations Manager\Server\Microsoft.Mom.Sdk.ServiceHost.exe
-%programfiles%\System Center 2012\Operations Manager\Server\APMDOTNETAgent\InterceptSvc.exe
-%programfiles%\System Center 2012\Operations Manager\Server\cshost.exe

SQL 2008 R2
-%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\SQLServr.exe
-%ProgramFiles%\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
-%ProgramFiles%\Microsoft SQL Server\MSAS10_50.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe

 

Excluded Directories
Forefront – Excluded files and locations
McAfee – Exclusions
SCOM 2012
-%programfiles%\System Center Operations Manager\Agent\Health Service State\*

SQL 2008 R2
-%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\DATA\*
-%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\BACKUP\*
-%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\FTDATA\*

Excluded file types
Forefront – Excluded File Types
McAfee – Exclusions
SCOM 2012
.EDB
.CHK
.LOG

SQL 2008 R2 Server data and backup files
.mdf
.ldf
.ndf
.bak
.trn
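
The note above asks you to replace %programfiles% with the physical location and to make sure each path is correct. The PowerShell below is an added example (not part of the original post) that does this for a few entries copied from the lists above: it expands each entry, checks that the target exists, and reports the Authenticode signer of each excluded executable. The helper name Resolve-ExclusionEntry is hypothetical.

```powershell
# Added example, not from the original post. Entries are copied from the lists above;
# keep only those for the roles installed on this server.
$entries = @(
    '%programfiles%\System Center Operations Manager\Agent\HealthService.exe'
    '%programfiles%\System Center Operations Manager\Agent\MonitoringHost.exe'
    '%programfiles%\System Center 2012\Operations Manager\Server\Microsoft.Mom.Sdk.ServiceHost.exe'
    '%programfiles%\System Center Operations Manager\Agent\Health Service State\*'
)

function Resolve-ExclusionEntry {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Entry)
    process {
        # Run from a 64-bit session: a 32-bit one expands %programfiles% to "Program Files (x86)".
        $physical = [Environment]::ExpandEnvironmentVariables($Entry)
        $isDir    = $physical.EndsWith('\*')
        # For a directory exclusion, test the directory itself (strip the trailing \*).
        $target   = if ($isDir) { $physical.Substring(0, $physical.Length - 2) } else { $physical }
        $kind     = if ($isDir) { 'Container' } else { 'Leaf' }
        $exists   = Test-Path -LiteralPath $target -PathType $kind

        # A process exclusion trusts whatever sits at that path, so record who signed it.
        $signer = $null
        if ($exists -and -not $isDir) {
            $sig = Get-AuthenticodeSignature -LiteralPath $target
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject }
                      else { "NOT VALID: $($sig.Status)" }
        }
        [pscustomobject]@{
            Entry    = $Entry      # text as listed on this page
            Physical = $physical   # value to enter in the antivirus console
            Exists   = $exists     # False means the exclusion would match nothing
            Signer   = $signer
        }
    }
}

$entries | Resolve-ExclusionEntry | Format-List
```

Entries that report Exists = False should be corrected or left out rather than entered as written.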

Antivirus exclusions for Operations Manager / SCOM 2012 and 2007 Agents

SCOM 2012 and 2007 Antivirus exclusions; Agents

For information on exclusions on the SCOM 2012 management, gateway and SQL servers click here.

This question comes up all the time in new environments, so I decided to write a blog post about the exclusions that let the SCOM 2012 agents run efficiently.

Note: replace %programfiles% with the physical location, like C:\Program Files\System Center Operations…. Do this for all entries below. Also make sure the path you use is correct!

SCOM 2012 Agent Exclusions:

-SCOM 2012 Agent – Excluded Processes
Forefront – Excluded processes
McAfee – On Access Low risk processes
  -%programfiles%\System Center Operations Manager\Agent\HealthService.exe
  -%programfiles%\System Center Operations Manager\Agent\MonitoringHost.exe

-SCOM 2012 Agent – Excluded Directories
Forefront – Excluded files and locations
McAfee – Exclusions
  -%programfiles%\System Center Operations Manager\Agent\Health Service State\*

-SCOM 2012 Agent – Excluded file types
Forefront – Excluded File Types
McAfee – Exclusions
  .EDB
  .CHK
  .LOG
____________________________

SCOM 2007 R2 Agent Exclusions:

-SCOM 2007 R2 Agent – Excluded Processes
Forefront – Excluded processes
McAfee – On Access Low risk processes
  -%programfiles%\System Center Operations Manager 2007\HealthService.exe
  -%programfiles%\System Center Operations Manager 2007\MonitoringHost.exe

-SCOM 2007 R2 Agent – Excluded Directories
Forefront – Excluded files and locations
McAfee – Exclusions
  -%programfiles%\System Center Operations Manager 2007\Health Service State\*

-SCOM 2007 R2 Agent – Excluded file types
Forefront – Excluded File Types
McAfee – Exclusions
  .EDB
  .CHK
  .LOG

Troubleshooting performance SCOM 2012 and SCOM 2007 agent with McAfee Antivirus

I got quite a number of questions on the performance of SCOM and its related processes (HealthService.exe, MonitoringHost.exe and cscript). High CPU load on the SCOM processes is mostly related to antivirus software.

In most cases the culprit ends up being an incorrect setup of the antivirus software; McAfee especially is very tricky when it’s not configured well and when the exclusions are not in the right place.
See my blog posts on antivirus exclusions for SCOM 2012 management, gateway and SQL servers and for SCOM 2012 and 2007 agents.

Here is how to troubleshoot antivirus in combination with the SCOM agent. In this case we monitor McAfee in combination with SCOM. To troubleshoot I used Procmon from Sysinternals.
In a later post I will make a list of recommended exclusions.
Lots of servers had high CPU load, especially on the SCOM processes: healthservice.exe, cscript and more.

Troubleshooting the process with “Sysinternals Process Monitor”
1. Let’s start by downloading Process Monitor from http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
2. Stop the monitoring, go to Filter and select Enable Advanced Output

3. Go to Filter, Process name, is, Mcshield.exe and click Add, OK

4. Click on the magnifying glass to start the capture
OK, we see that the McShield.exe process is scanning the OpsMgr data. This is not good.
After checking we noticed that the antivirus exclusions aren’t configured properly.

We’ve changed the exclusions to the best practice settings.
See my post for the working best practice for Antivirus Exclusions in combination with SCOM 2012 and 2007.
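
The check done by eye in Process Monitor above can be repeated on a saved capture. This is an added example, not part of the original post: it counts how many Mcshield.exe file operations fall under a directory that should be excluded. It assumes the capture was saved as CSV with Process Monitor's default columns; the sample rows are constructed and the function name is hypothetical.

```powershell
# Constructed sample in Process Monitor's CSV export layout; not captured from a real server.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1","Mcshield.exe","1820","CreateFile","C:\Program Files\System Center Operations Manager\Agent\Health Service State\sample1.edb","SUCCESS",""
"10:15:01.2","Mcshield.exe","1820","ReadFile","C:\Program Files\System Center Operations Manager\Agent\Health Service State\sample1.edb","SUCCESS",""
"10:15:01.3","Mcshield.exe","1820","ReadFile","C:\Windows\Temp\sample.tmp","SUCCESS",""
"10:15:01.4","HealthService.exe","2204","WriteFile","C:\Program Files\System Center Operations Manager\Agent\Health Service State\sample1.edb","SUCCESS",""
'@

function Get-ScannedExcludedPath {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string[]]$ExcludedRoots,
        [string]$Scanner = 'Mcshield.exe'   # process name used in the filter step above
    )
    $Events |
        Where-Object { $_.'Process Name' -eq $Scanner } |
        ForEach-Object {
            $evt = $_
            # First excluded directory that contains this path, compared case-insensitively.
            $root = $ExcludedRoots |
                Where-Object { $evt.Path.StartsWith($_ + '\', [StringComparison]::OrdinalIgnoreCase) } |
                Select-Object -First 1
            if ($root) { [pscustomobject]@{ Root = $root; Path = $evt.Path } }
        } |
        Group-Object Root |
        Select-Object @{ Name = 'ExcludedRoot'; Expression = { $_.Name } },
                      @{ Name = 'ScannerOperations'; Expression = { $_.Count } }
}

# For a real capture use: $events = Import-Csv .\Logfile.CSV   (file name is an assumption)
$events = $sampleCsv | ConvertFrom-Csv
$roots  = @('C:\Program Files\System Center Operations Manager\Agent\Health Service State')

Get-ScannedExcludedPath -Events $events -ExcludedRoots $roots | Format-Table -AutoSize
```

Any row in the output means the scanner still touches a directory that should be excluded; after the exclusions are corrected, a new capture should return nothing.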