With the release of Service Pack 1 for System Center 2012 Configuration Manager, we have been seeing some issues (not necessarily new ones) caused by missing antivirus exclusions around OSD and boot image related activities, as follows:
OSD Related A/V Exclusion Considerations:
Boot image actions:
- Importing default boot WIM’s during initial site setup
- Updating default boot WIM’s during site upgrade
- Manual import of custom boot images (customer action)
- Customize boot images (drivers, prestart command, WinPE optional components, background image, etc.)
Folders to exclude from AV scanning:
- Temporary folder for these cases is C:\Windows\TEMP\BootImages\{GUID}. Exclude C:\Windows\TEMP\BootImages and subfolders.
OS image actions:
- Offline Servicing
Folders to exclude from AV scanning:
- Temporary folder for offline servicing is <X:>\ConfigMgr_OfflineImageServicing and several subfolders used for different purposes (staging files, mounting the OS, etc.), where <X:> is the StagingDrive value from the Offline Servicing Manager section of the site control file. If this value is missing, we use the drive where the site is installed. Exclude <X:>\ConfigMgr_OfflineImageServicing and subfolders.
Boot images not updated after upgrading to SP1 in System Center 2012 Configuration Manager:
I was also provided anecdotal information from an issue: if you find yourself in a situation where the boot images did not get updated during the site upgrade to SP1, you can manually update them using the following instructions:
- Rename boot.wim and the default boot WIM in each architecture folder of the <smsinstall>OSD\boot\ folder (both i386 and x64) to <wim>.bak.
- Starting with the i386 folder first, find the install folder of the ADK, which should be here if you installed with the defaults: “C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\en-us\winpe.wim”. Copy winpe.wim to the <smsinstall>OSD\boot\i386 folder and rename it to boot.wim.
- Copy it again, but this time rename it so it matches the name of the default boot WIM for the site, so it looks like boot.<packageid>.wim.
- Update the default boot image: click “Execute Method”, input the object path as SMS_BootImagePackage.PackageID="<Image ID you see in the Console e.g. POL00001>", and run UpdateDefaultImage.
- Do this for the x64 folder as well. Do not do this for any custom boot images; this is only to update the default boot WIMs installed during setup of the site.
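The same manual refresh, scripted as an added example (this is not part of the original post and not a Microsoft-supplied script). It assumes the ADK 8.0 default install path (the x64 image under amd64\en-us is assumed by analogy to the x86 path given above), that the site install directory can be read from HKLM\SOFTWARE\Microsoft\SMS\Identification, that the SMS Provider runs on the local server, and that the site code and the two default boot image package IDs are passed in as parameters; every value shown in the comments is a placeholder.

```powershell
# Added example: refresh the default boot WIMs from the ADK 8.0 winpe.wim and
# re-run UpdateDefaultImage, following the manual steps above.
param(
    [Parameter(Mandatory)] [string] $SiteCode,      # e.g. 'POL' (placeholder)
    [Parameter(Mandatory)] [string] $X86PackageId,  # default x86 boot image, e.g. 'POL00001' (placeholder)
    [Parameter(Mandatory)] [string] $X64PackageId,  # default x64 boot image, e.g. 'POL00002' (placeholder)
    [string] $ProviderServer = $env:COMPUTERNAME,   # assumption: SMS Provider is local
    [string] $AdkRoot = "${env:ProgramFiles(x86)}\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment"
)

$ErrorActionPreference = 'Stop'

# Assumption: <smsinstall> is recorded under the SMS Identification registry key.
$smsInstall = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Identification').'Installation Directory'
$bootRoot   = Join-Path $smsInstall 'OSD\boot'

# Map each architecture folder to its ADK WinPE source and default package ID.
$targets = @(
    @{ Folder = 'i386'; Source = Join-Path $AdkRoot 'x86\en-us\winpe.wim';   PackageId = $X86PackageId },
    @{ Folder = 'x64';  Source = Join-Path $AdkRoot 'amd64\en-us\winpe.wim'; PackageId = $X64PackageId }
)

foreach ($t in $targets) {
    $folder = Join-Path $bootRoot $t.Folder
    if (-not (Test-Path $t.Source)) { throw "ADK WinPE image not found: $($t.Source)" }
    if (-not (Test-Path $folder))   { throw "Boot image folder not found: $folder" }

    # Step 1: set aside the existing boot.wim and boot.<packageid>.wim as <wim>.bak.
    foreach ($name in @('boot.wim', "boot.$($t.PackageId).wim")) {
        $existing = Join-Path $folder $name
        if (Test-Path $existing) {
            Rename-Item -Path $existing -NewName "$name.bak" -Force
        }
    }

    # Step 2: copy the ADK winpe.wim in twice, once under each expected name.
    Copy-Item $t.Source (Join-Path $folder 'boot.wim')
    Copy-Item $t.Source (Join-Path $folder "boot.$($t.PackageId).wim")

    # Step 3: call UpdateDefaultImage on the SMS_BootImagePackage instance
    # through the SMS Provider, which is what "Execute Method" does by hand.
    $wmiPath = "\\$ProviderServer\root\sms\site_$($SiteCode):SMS_BootImagePackage.PackageID='$($t.PackageId)'"
    Invoke-WmiMethod -Path $wmiPath -Name UpdateDefaultImage | Out-Null
    Write-Host "$($t.PackageId): UpdateDefaultImage invoked for $($t.Folder)"
}
```

Run it once from an elevated prompt on the site server with the two default package IDs taken from the console; custom boot images are never touched because only the two IDs you pass in are processed.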
General Antivirus Exclusions and Additional Information for System Center 2012 Configuration Manager Endpoint Protection
Additionally, per my other post showing how to import various templates for different servers, here is the general list of file/folder exclusions exported from the Endpoint Protection System Center 2012 Configuration Manager template:
%allusersprofile%\NTUser.pol
%systemroot%\system32\GroupPolicy\registry.pol
%windir%\Security\database\*.chk
%windir%\Security\database\*.edb
%windir%\Security\database\*.jrs
%windir%\Security\database\*.log
%windir%\Security\database\*.sdb
%windir%\SoftwareDistribution\Datastore\Datastore.edb
%windir%\SoftwareDistribution\Datastore\Logs\edb.chk
%windir%\SoftwareDistribution\Datastore\Logs\edb*.log
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Res1.log
%windir%\SoftwareDistribution\Datastore\Logs\Res2.log
%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
%programfiles%\Microsoft Configuration Manager\Inboxes\*.* (shortened list for blog sake)
%programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*.* (shortened list for blog sake)
These entries above were taken directly from one of the templates included in System Center 2012 Configuration Manager, which I have attached to the post.
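To check whether a given server actually carries the OSD folder exclusions from the first section and the template entries listed above, here is an added audit script (not from the original post and not the attached template). It assumes the host has the Windows Defender PowerShell module (Get-MpPreference), that <X:> is either passed as -StagingDrive or derived from the site install directory under HKLM\SOFTWARE\Microsoft\SMS\Identification, and it only reports; it changes nothing.

```powershell
# Added example: compare the exclusion paths from this post with the path
# exclusions currently configured on the local host.
param(
    [string] $StagingDrive   # e.g. 'D:' (placeholder); empty = derive from the site install dir
)

function Get-SiteInstallDrive {
    # Assumption: the SMS Identification key records the site install directory.
    $key = 'HKLM:\SOFTWARE\Microsoft\SMS\Identification'
    if (Test-Path $key) {
        $dir = (Get-ItemProperty $key).'Installation Directory'
        if ($dir) { return (Split-Path -Qualifier $dir) }
    }
    return $env:SystemDrive
}

if (-not $StagingDrive) { $StagingDrive = Get-SiteInstallDrive }

# Folder exclusions from the OSD section, with <X:> resolved.
$osdFolders = @(
    'C:\Windows\TEMP\BootImages',
    "$StagingDrive\ConfigMgr_OfflineImageServicing"
)

# File/pattern exclusions exactly as listed from the Endpoint Protection template.
$templateEntries = @(
    '%allusersprofile%\NTUser.pol',
    '%systemroot%\system32\GroupPolicy\registry.pol',
    '%windir%\Security\database\*.chk',
    '%windir%\Security\database\*.edb',
    '%windir%\Security\database\*.jrs',
    '%windir%\Security\database\*.log',
    '%windir%\Security\database\*.sdb',
    '%windir%\SoftwareDistribution\Datastore\Datastore.edb',
    '%windir%\SoftwareDistribution\Datastore\Logs\edb.chk',
    '%windir%\SoftwareDistribution\Datastore\Logs\edb*.log',
    '%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs',
    '%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs',
    '%windir%\SoftwareDistribution\Datastore\Logs\Res1.log',
    '%windir%\SoftwareDistribution\Datastore\Logs\Res2.log',
    '%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb',
    '%programfiles%\Microsoft Configuration Manager\Inboxes\*.*',
    '%programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*.*'
)

# Expand %var% tokens; a token left unexpanded means the variable does not
# exist on this host (e.g. %programfiles(x86)% on a 32-bit system).
function Expand-ExclusionPath([string] $Entry) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Entry)
    [pscustomobject]@{
        Entry      = $Entry
        Expanded   = $expanded
        Resolvable = ($expanded -notmatch '%[^%]+%')
    }
}

$wanted = ($osdFolders + $templateEntries) | ForEach-Object { Expand-ExclusionPath $_ }

# Path exclusions configured right now (extensions and processes are separate lists).
$current = @((Get-MpPreference).ExclusionPath) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

foreach ($w in $wanted) {
    $state = if (-not $w.Resolvable) { 'SKIP (variable not defined here)' }
             elseif ($current -contains $w.Expanded.TrimEnd('\').ToLowerInvariant()) { 'OK' }
             else { 'MISSING' }
    '{0,-34} {1}' -f $state, $w.Expanded
}
```

The comparison is a literal match on the expanded path, so an exclusion that covers the same files through a parent folder or a different wildcard will still show as MISSING; treat the output as a worklist to review, not as proof of a gap.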
Additional links to Antivirus and Antimalware Information:
Where is the Documentation for System Center 2012 Endpoint Protection?
Forefront Endpoint Protection Blog
Guidance on serving the initial FEP definition update with SCCM through a DP
Important Changes to Forefront Product Roadmaps
Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows
http://support.microsoft.com/kb/822158
Antivirus programs may contribute to file backlogs in SMS 2.0, SMS 2003 and Configuration Manager 2007:
http://support.microsoft.com/kb/327453
ConfigMgr 2007 Antivirus Scan and Exclusion Recommendations:
http://blogs.technet.com/b/configurationmgr/archive/2010/11/30/configmgr-2007-antivirus-scan-and-exclusion-recommendations.aspx
Thanks, Cliff Hughes
Premier Field Engineer
System Center 2012 Configuration Manager