File and Folder Exclusion Articles

Uploaded by

mvc.testing21

File and folder exclusion articles

This article contains links to articles and pre-filtered lists of content. It covers only the
most frequently used articles on file and folder exclusions for ENS 10.x and VSE 8.x in
the Knowledge Center on the ServicePortal. The list is not comprehensive and does not
contain specific issues that you might experience when you set exclusions. Search the
Knowledge Center for either the error you received or a description of the issue you
experienced.

IMPORTANT: The Microsoft exclusions and McAfee applications listed in this article are
not required for ENS if you select the option Let McAfee Decide when choosing when to
scan files with the On-Access Scanner. For more information about how the option Let
McAfee Decide uses the AMCore trust model for scan avoidance, see the community
post at: https://community.mcafee.com/t5/Documents/Explanation-of-AMCore-Trust-Model-v1p3-pdf/ta-p/550630.

Recommended exclusions for Endpoint Security/VirusScan Enterprise on DHCP and WINS servers
Technical Articles ID: KB58146
Last Modified: 7/19/2018

Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee VirusScan Enterprise 8.x
Microsoft Windows Server 2012
Microsoft Windows Server 2008
Microsoft Windows Server 2003

Summary

It is recommended that you exclude the following locations in the Default Processes for
the On-Access Scanner to ensure that the DHCP and WINS databases function
correctly:

For DHCP servers:

Exclude the DHCP directory under \WINDOWS\System32\

For WINS servers:

Exclude the Wins directory under \WINDOWS\System32\

Recommended exclusions for Endpoint Security/VirusScan Enterprise on Microsoft SQL Servers
Technical Articles ID: KB67211
Last Modified: 7/19/2018

Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee VirusScan Enterprise (VSE) 8.x

Microsoft Windows SQL Server 2012
Microsoft Windows SQL Server 2008
Summary

List of exclusions needed for Microsoft SQL Server

To ensure compatibility with Microsoft SQL Server, exclude the locations recommended
by Microsoft for File Level scanners in the On-Access Scanner for ENS/VSE. For the most
accurate list of file exclusions, refer to the following Microsoft Technet article:
https://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx.
Within the Technet article, go to the "SQL" section and click the
article link for the version of Microsoft SQL Server in use in your environment.

How to configure exclusions in ENS/VSE:

When configuring exclusions, always apply the principle that the more precise the
exclusion, the smaller the potential security risk. For instructions to configure exclusions,
refer to the following documentation:

• ENS:
  o "Configuring exclusions" section of the Endpoint Security 10.5 Product Guide
    (PD26799)
  o KB88595 - Understanding ENS scan profiles and how to exclude an
    application executable from On-Access Scanning
• VSE:
  o KB66909 - Consolidated list of ENS/VSE exclusion articles
  o KB55898 - Understanding VSE Exclusions
  o KB67544 - How to create low-risk and high-risk process exclusions for VSE
    8.x in ePolicy Orchestrator
  o KB50998 - How to manage file and folder exclusions in VSE 8.x using
    wildcards
  o KB61000 - VSE exclusions and hardware paths (physical address versus
    logical address)

Recommended Endpoint Security/VirusScan Enterprise exclusions on a Microsoft SharePoint server with Security for Microsoft SharePoint
Technical Articles ID: KB58274
Last Modified: 7/19/2018

Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee Security for Microsoft SharePoint (MSMS) 3.5, 3.0
McAfee VirusScan Enterprise (VSE) 8.x

Microsoft Office SharePoint Portal Server 2007 with SP1
Microsoft Office SharePoint Portal Server 2007
Microsoft SharePoint Server 2013
Microsoft SharePoint Server 2010
Microsoft Windows SharePoint Services 3.0

For detailed information on supported environments for Security for Microsoft
SharePoint, see KB68141.

Summary

To ensure compatibility with Microsoft SharePoint server and MSMS, you must exclude
the following folders in the ENS/VSE On-Access Scanner.

MSMS locations to exclude:

Exclude | Comment
\Program Files (x86)\McAfee\McAfee PortalShield\ | Also select Exclude subfolders.
\Program Files (x86)\McAfee\McAfee PortalShield\Data\PSHData\ | Also select Exclude subfolders.

NOTES:

• The first path shown in the table is the default installation path. If you have
chosen to install MSMS to a non-default folder, ensure that you specify that path
for the exclusion.
• The PSHData folder is created under the installation folder by default and
contains the Quarantine Database; however, this is configurable in the MSMS
interface under Settings & Diagnostics, Detected Items. If you choose to locate
the Quarantine Database in a different folder (or even a different local drive),
ensure that the correct path is excluded.

SharePoint locations to exclude:

For Microsoft SharePoint Server 2007/2010/2013 and Windows SharePoint Services 3.0,
see Microsoft Knowledge Base article http://support.microsoft.com/kb/952167, which
explains why you need to exclude certain folders from anti-virus scanning.

How to configure exclusions in ENS/VSE:

When configuring exclusions, always apply the principle that the more precise the
exclusion, the smaller the potential security risk. For instructions to configure exclusions,
refer to the following documentation:

• ENS: "Configuring exclusions" section of the Endpoint Security 10.5 Product Guide
(PD26799)
• VSE:
  o KB66909 - Consolidated list of Endpoint Security/VirusScan Enterprise
    exclusion articles
  o KB55898 - Understanding VirusScan Enterprise Exclusions
  o KB67544 - How to create low-risk and high-risk process exclusions for
    VirusScan Enterprise 8.x in ePolicy Orchestrator
  o KB50998 - How to manage file and folder exclusions in VirusScan
    Enterprise 8.x using wildcards
  o KB61000 - VirusScan Enterprise exclusions and hardware paths (physical
    address versus logical address)

Slow performance with Java-based applications when Endpoint Security or VirusScan Enterprise is installed
Technical Articles ID: KB58727
Last Modified: 7/19/2018

Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee VirusScan Enterprise (VSE) 8.x

Problem

Slow performance occurs with Java-based applications when ENS or VSE is installed.

Cause

Java uses .JAR and .CLASS archive files. ENS/VSE include the ability to scan these archive
types for malicious content. Archive scanning requires that each file in the archive be
extracted and scanned individually. For large archives or programs that access multiple
archives, this can cause slow system performance and an increase in the CPU resources
used by the McShield.exe process.

Solution 1

Disable archive scanning (disabled by default)

NOTE: There is minimal risk when archive scanning is disabled. When an archive is
extracted, each file must still be scanned before it is saved.

To disable archive scanning with ENS:

1. Log on to the ePO console.
2. Click Menu, Policy, Policy Catalog.
3. Select Endpoint Security Threat Prevention from the Product drop-down list.
4. Select On-Access Scan from the Category drop-down list.
5. Click the name of your policy.
6. Click Show Advanced.
7. Deselect Compressed archive files.

To disable archive scanning with VSE:

1. Click Start, Programs, McAfee, VirusScan Console.
2. Double-click On-Access Scanner.
3. Click Default Processes or All Processes.
4. Click Advanced, and then deselect Scan inside archives (e.g. .ZIP).

NOTE: For computers managed by ePolicy Orchestrator (ePO), you must make this
change in the On-Access Default Processes Policies for VSE. Click the Advanced tab,
deselect Scan inside archives (e.g. .ZIP), and then click Apply. See the ePolicy
Orchestrator Product Guide for detailed information on configuring policies in ePO.

Solution 2

Add Java files to Low Risk processes

Identify the processes of applications writing or reading Java files and create an On-
Access Scanner Low Risk process exclusion for them. Disable scanning when writing to
or reading from disk. If you are unsure which processes to exclude, use Process Monitor
(ProcMon) to find out which processes have the most I/O or archives. Ensure you
exclude only safe and trusted processes. For full information and ProcMon downloads,
see KB72766.

NOTE: Processes in the High Risk processes policy should never be excluded.
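
One way to do the ProcMon triage described in Solution 2, as an added example that is not part of the original article or of any McAfee tool: it ranks processes by file operations on .jar/.class paths in a Process Monitor CSV export, skipping the scanner's own McShield.exe activity. The column names assume ProcMon's default CSV export, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# File types the article names as the source of the slowdown.
JAVA_SUFFIXES = (".jar", ".class")
# File-system operations worth counting (assumed ProcMon operation names).
FILE_OPS = {"CreateFile", "ReadFile", "WriteFile"}
# The scanner's own reads are a symptom, not an exclusion candidate.
SCANNER_PROCESSES = {"mcshield.exe"}

# Constructed sample in the shape of a ProcMon CSV export (not real data).
SAMPLE_EXPORT = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:14:02.101","java.exe","4120","ReadFile","C:\app\lib\core.jar","SUCCESS","Offset: 0"
"09:14:02.105","java.exe","4120","ReadFile","C:\app\lib\core.jar","SUCCESS","Offset: 4096"
"09:14:02.110","McShield.exe","1888","ReadFile","C:\app\lib\core.jar","SUCCESS","Offset: 0"
"09:14:02.200","buildagent.exe","5012","CreateFile","C:\build\out\Main.class","SUCCESS",""
"09:14:02.230","java.exe","4120","RegQueryValue","HKLM\SOFTWARE\JavaSoft","SUCCESS",""
"09:14:02.300","explorer.exe","2300","ReadFile","C:\Users\a\notes.txt","SUCCESS",""
"09:14:02.310","java.exe","4120","ReadFile","C:\app\lib\util.JAR","SUCCESS","Offset: 0"
'''


def java_io_by_process(export_text):
    """Return [(process name, count)] for Java-file I/O, busiest first."""
    # Exports saved from the GUI often start with a UTF-8 byte order mark.
    reader = csv.DictReader(io.StringIO(export_text.lstrip("\ufeff")))
    counts = Counter()
    for row in reader:
        name = (row.get("Process Name") or "").strip()
        if not name or name.lower() in SCANNER_PROCESSES:
            continue
        if row.get("Operation") not in FILE_OPS:
            continue  # registry, network and process events are irrelevant here
        path = (row.get("Path") or "").lower()
        if path.endswith(JAVA_SUFFIXES):
            counts[name] += 1
    return counts.most_common()


if __name__ == "__main__":
    for process, hits in java_io_by_process(SAMPLE_EXPORT):
        print(f"{process}: {hits} Java file operations")
```

The ranking only lists candidates; whether a process is safe and trusted enough for the Low Risk profile is still decided as the article describes.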

Solution 3

Exclude files with JAR, CLA, JAV extensions from Default Processes scanning

Exclude by extension only if Java files are accessed by a large number of processes or by
processes that should not be added to Low Risk processes.

NOTE: Although it is generally advised not to disable scanning of file types (exclusion by
extension) that are accessed by any process, you can exclude these file types if they are
known to be safe.

Endpoint Security/VirusScan Enterprise/SaaS Endpoint Protection exclusions for Exchange Server
Technical Articles ID: KB51471
Last Modified: 7/19/2018

Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.2.x, 10.1.x
McAfee SaaS Endpoint Protection 6.0, 5.4
McAfee Security for Microsoft Exchange (MSME) 8.x
McAfee VirusScan Enterprise (VSE) 8.x

Microsoft Exchange Server 2016, 2013, 2010, 2007

Summary

List of exclusions needed for Exchange Server

To ensure compatibility with Microsoft Exchange, exclude the locations recommended
by Microsoft for File Level scanners in the On-Access Scanner for ENS, VSE, and SaaS
Endpoint Protection. For the most accurate list of file exclusions, refer to the following
Microsoft Technet article:
https://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx.
Within the Technet article, go to the "E" section and click the article
link for the version of Exchange in use in your environment. The following is the list of
Exchange articles as of November 2016:

• Exchange 2016 - https://technet.microsoft.com/en-us/library/bb332342(v=exchg.160).aspx
• Exchange 2013 - https://technet.microsoft.com/en-us/library/bb332342(v=exchg.150).aspx
• Exchange 2010 - https://technet.microsoft.com/en-us/library/bb332342(v=exchg.141).aspx
• Exchange 2007 - https://technet.microsoft.com/en-us/library/bb332342(v=exchg.80).aspx

Exclusions required if McAfee Security for Microsoft Exchange (MSME) is installed

The following additional exclusions are required only if MSME is installed:

• <MSME installation folder>\bin (Default installation folder is C:\Program Files
(x86)\McAfee\MSME\Data)
• <MSME defined quarantine folder>\MSMEData (Default defined quarantine
folder is %programdata%\McAfee\MSME\Data)

Required exclusions for running Endpoint Security/VirusScan Enterprise on Oracle Database servers
Technical Articles ID: KB54817
Last Modified: 7/19/2018

Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee VirusScan Enterprise (VSE) 8.x

Oracle Database servers

Summary

The following table outlines the exclusions required for running ENS/VSE on an Oracle
Database server.

Oracle Required Exclusions | Comments | Example
Data files | Data files generally have a .dbf extension. | ....\oracle\oradata\*.dbf
Redo files | Redo files have a .log extension. NOTE: Redo logs will exist if the Oracle Development toolkit or backup and recovery are used. | ....\oracle\Inventory\logs\*.log
Control files | Control files have a .ctl extension. | ....\oracle\oradata\*.ctl

NOTES:

• It is not advised to exclude entire directories (such as the Oracle Database
directory and subdirectories) from scanning because this poses a potential high
security risk.
• If you are in a clustered environment, you might need to consider additional rules
for the Port Blocking section of Access Protection.
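
To see what the first note means in practice, the following added example (not part of the original article or of any McAfee tool) compares which files stay unscanned under the three file-pattern exclusions from the table and under one whole-directory exclusion. The wildcard semantics are an assumption to confirm against KB50998, D:\app is a constructed root standing in for the elided "....", and the sample paths are constructed.

```python
import re


def compile_exclusion(pattern):
    """Turn an exclusion pattern into a regex.

    Assumed wildcard semantics (confirm against KB50998):
      ?   one character other than a backslash
      *   any run of characters that does not cross a backslash
      **  any run of characters, backslashes included
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    # Windows paths are case-insensitive.
    return re.compile("".join(out), re.IGNORECASE)


def excluded_paths(paths, patterns):
    """Paths that at least one exclusion would leave unscanned."""
    compiled = [compile_exclusion(p) for p in patterns]
    return [p for p in paths if any(rx.fullmatch(p) for rx in compiled)]


def extra_exposure(paths, precise, broad):
    """Paths unscanned under the broad policy but still scanned under the precise one."""
    covered = set(excluded_paths(paths, precise))
    return [p for p in excluded_paths(paths, broad) if p not in covered]


# The three file-pattern exclusions from the table, on a constructed root.
PRECISE = [
    r"D:\app\oracle\oradata\*.dbf",
    r"D:\app\oracle\Inventory\logs\*.log",
    r"D:\app\oracle\oradata\*.ctl",
]
# The whole-directory exclusion the note advises against.
BROAD = [r"D:\app\oracle\**"]

# Constructed file listing for the comparison.
SAMPLE_PATHS = [
    r"D:\app\oracle\oradata\users01.dbf",
    r"D:\app\oracle\oradata\control01.ctl",
    r"D:\app\oracle\Inventory\logs\install.log",
    r"D:\app\oracle\oradata\ORCL\system01.dbf",  # nested one level deeper
    r"D:\app\oracle\oradata\helper.exe",         # not a database file
    r"D:\data\report.dbf",                       # outside the Oracle tree
]

if __name__ == "__main__":
    print("Unscanned with file patterns:", excluded_paths(SAMPLE_PATHS, PRECISE))
    print("Additionally unscanned with directory exclusion:",
          extra_exposure(SAMPLE_PATHS, PRECISE, BROAD))
```

Under these assumed semantics the nested data file is not covered by the single-asterisk pattern, so precise patterns need to be checked against where the database files actually live.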

How to configure exclusions in ENS/VSE:

When configuring exclusions, always apply the principle that the more precise the
exclusion, the smaller the potential security risk. For instructions to configure exclusions,
refer to the following documentation:

• ENS: "Configuring exclusions" section of the Endpoint Security 10.5 Product Guide
(PD26799)

Related Information

Oracle site: www.oracle.com

Oracle support: http://www.oracle.com/us/support/index.html

How to exclude SAN and NAS mount points from scanning with VirusScan Enterprise
Technical Articles ID: KB54457
Last Modified: 7/19/2018

Environment

McAfee Endpoint Security Threat Prevention 10.x
McAfee VirusScan Enterprise (VSE) 8.x

Storage Area Network (SAN) devices and servers
Network Attached Storage (NAS) devices and servers

Summary

To exclude SAN and NAS devices and servers that use mount points from scanning with
VSE, create an On-Access Scanner process exclusion for the volume names of the SAN /
NAS devices and servers.

IMPORTANT: These exclusions will not work with Endpoint Security. Endpoint Security
does not support physical path exclusions yet.

Use the following syntax for exclusions:

\Device\HarddiskVolumeN\ (where N represents the volume number)

Examples:

\Device\Harddisk\*
\Device\HarddiskVolume*
\Device\HarddiskVolume1\
\Device\HarddiskVolume1\Exchsrvr*

How to configure exclusions in VSE:

When configuring exclusions, always apply the principle that the more precise the
exclusion, the smaller the potential security risk. For instructions to configure exclusions,
refer to the following documentation:

• KB66909 - Consolidated list of Endpoint Security/VirusScan Enterprise exclusion
articles

VirusScan Enterprise exclusions for Symantec Backup Exec
Technical Articles ID: KB68701
Last Modified: 8/24/2016

Environment

McAfee VirusScan Enterprise (VSE) 8.x

Symantec Backup Exec

Summary

This article provides guidance to implement the suggested settings from the Veritas
article General recommendations for virus scanner exclusions working with NetBackup
(https://www.veritas.com/support/en_US/article.TECH152328) into VirusScan Enterprise.

Backup programs such as Backup Exec touch a large number of files. This can cause
performance issues if each read and write operation triggers a scan by the VirusScan
Enterprise On-Access Scanner. This article explains how to add Low Risk Processes
policies and exclusions for Backup Exec in VirusScan Enterprise.

Solution

Add Low Risk Processes policies and exclusions for Backup Exec, and add Access
Protection exclusions for Backup Exec:

1. Click Start, Programs, McAfee, VirusScan Console.
2. Double-click On-Access Scanner.
3. Select All Processes.

If All Processes is not available, skip to step 6.

4. Click Processes.
5. Select Use different settings for high-risk and low-risk processes.
6. Select Low-Risk Processes.
7. In the Processes tab, click Add.
8. Click Browse and navigate to each of the following Low-Risk Processes and click
Open:

C:\Program Files\Symantec\Backup Exec\beremote.exe
C:\Program Files\Symantec\Backup Exec\beserver.exe
C:\Program Files\Symantec\Backup Exec\bengine.exe
C:\Program Files\Symantec\Backup Exec\benetns.exe
C:\Program Files\Symantec\Backup Exec\pvlsvr.exe
C:\Program Files\Symantec\Backup Exec\BackupExec.exe
C:\Program Files\Symantec\Backup Exec\backupexecmanagementservice.exe
C:\Program Files\Symantec\Backup Exec\bedbg.exe
C:\Program Files\Symantec\Backup Exec\pdvfsservice.exe
C:\Program Files\Symantec\Backup Exec\spad.exe
C:\Program Files\Symantec\Backup Exec\spoold.exe
C:\Program Files\Symantec\Backup Exec\pddb\bin\pg_ctl.exe

NOTES:
  o Change the path as appropriate, depending on which root volume the
    Media Server or Remote Agent has been installed.
  o For a complete current list of processes to add, see section B, Processes
    to Exclude in https://www.veritas.com/support/en_US/article.TECH152328

9. When all of the above processes have been added, with Low-Risk Processes
selected, select the Scan items tab.
10. Deselect When writing to disk and When reading from disk.

IMPORTANT: Be advised that adding processes to the Low Risk profile, and
applying step 10 for that profile, means that files accessed by those listed
processes are not scanned by the On-Access scanner. Ensure that you only add
fully trusted processes to this list.

To exclude Backup Exec paths from scanning:

1. Click Start, Programs, McAfee, VirusScan Console.
2. Double-click On-Access Scanner.
3. Select Default Processes.
4. In the Exclusions tab, click Exclusions, Add.
5. Under What to exclude, select By name/location.
6. Click Browse to select:

C:\Program Files\Symantec\Backup Exec\

7. Add two asterisks (**) to the path as wildcards after each path has been added.

Example:

C:\Program Files\Symantec\Backup Exec\**

8. Select Also exclude subfolders.
9. Under When to exclude, select On read and On write.

To configure McAfee not to scan files opened for backup:

1. Click Start, Programs, McAfee, VirusScan Console.
2. Double-click On-Access Scanner.
3. Select Default Processes.
4. In the Scan Items tab, under Scan files, deselect Opened for backup.
5. Repeat this for Low-Risk Processes and High-Risk Processes.
6. Click OK.

NOTE: Disable the Opened for Backup option on Media Servers and Remote
Agents. This can be done locally or using ePolicy Orchestrator.

To configure McAfee to allow Backup Exec to use tftp:

The Access Protection rule "Anti-virus Standard Protection --> Prevent use of tftp.exe" is
disabled by default. If it is enabled, the following exclusions must be added:

1. Click Start, Programs, McAfee, VirusScan Console.
2. Double-click Access Protection.
3. Select Anti-virus Standard Protection.
4. Select Prevent use of tftp.exe, and click Edit.
5. In the Processes to exclude: box, add the Backup Exec process names separated
by a comma:

BackupExec.exe, beremote.exe, benetns.exe, pvlsvr.exe, bengine.exe,
backupexecmanagementservice.exe, beserver.exe, bedbg.exe,
pdvfsservice.exe, spad.exe, spoold.exe, pg_ctl.exe

NOTE: For a complete current list of processes to add, see section B, Processes
to Exclude in https://www.veritas.com/support/en_US/article.TECH152328

6. Click OK to save and close both windows.

Exclusions for Application and Change Control to improve post-install performance
Technical Articles ID: KB88915
Last Modified: 3/15/2017

Environment

McAfee Application and Change Control (MACC) 8.x, 7.x, 6.x
McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee VirusScan Enterprise (VSE) 8.x

Summary

After MACC installation, system performance can be significantly impacted by
scanning and require the creation of exclusions for MACC processes/folders. This
article contains information about excluding MACC processes and folders
from scans by the ENS/VSE scanning engine.

• Create an On-Access Scanner low-risk process exclusion (Disable scanning
when writing to or reading from disk) for the MACC process Scsrvc.exe

NOTE: The default location for this process is C:\Program Files\McAfee\Solidcore.

• Create an exclusion for the MACC folder <drive>\Solidcore\

When configuring exclusions in ENS/VSE, always apply the principle that the
more precise the exclusion, the smaller the potential security risk. For
instructions to configure exclusions, refer to the following documentation:

• ENS: "Configuring exclusions" section of the Endpoint Security 10.5 Product
Guide (PD26799)

Endpoint Security and VirusScan Enterprise exclusions for Data Loss Prevention Endpoint to improve performance
Technical Articles ID: KB68520
Last Modified: 11/8/2018

Environment

McAfee Data Loss Prevention Endpoint (DLP Endpoint) 11.x, 10.x
McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee VirusScan Enterprise (VSE) 8.x

Summary

After you install DLP Endpoint, if scanning significantly affects your system
performance, you might need to exclude DLP Endpoint content from scans. This article
contains a list of the DLP Endpoint processes and folders to exclude from being scanned
by the ENS or VSE scanning engine.

DLP Endpoint processes to exclude:

Create an on-access scanner low-risk process exclusion for the following DLP Endpoint
processes. Disable scanning when writing to or reading from disk.

• fcags.exe
• fcagte.exe
• fcagswd.exe
• fcag.exe

NOTE: The default location for these processes is:

C:\Program Files\McAfee\DLP\Agent

DLP Endpoint folder to exclude:

Create an exclusion for the following DLP Endpoint folder:

C:\ProgramData\McAfee\DLP\

DLP Endpoint for Mac folders to exclude:

Create an exclusion for the following DLP Endpoint for Mac folders:

/usr/local/McAfee/DlpAgent/
/etc/cma.d/DATALOSS2000/
/usr/local/McAfee/fmp/config/DlpAgent/

How to configure exclusions in ENS and VSE:

When configuring exclusions, always apply the principle that the more precise the
exclusion, the smaller the potential security risk. For instructions to configure exclusions,
see the following documentation:

• ENS: "Preventing Threat Prevention from blocking trusted programs, networks,
and services" section of the Endpoint Security 10.6.x Threat Prevention Product
Guide (ePO managed) (PD27574)

How to configure Endpoint Security/VirusScan Enterprise to minimize issues with Vulnerability Manager
Technical Articles ID: KB54038
Last Modified: 12/21/2018

Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee VirusScan Enterprise (VSE) 8.x
McAfee Vulnerability Manager (MVM) 7.x

Summary

This article describes configuration changes you can make to improve ENS/VSE
performance with MVM. It is recommended that you add all the executables and
processes for MVM to the exclusion list in ENS/VSE to avoid conflicts.

IMPORTANT: It is recommended that you either disable or completely uninstall any
anti-virus software before you run the MVM installer. After you install MVM, you must
then configure your anti-virus software to avoid conflicts. This article lists the
appropriate processes to exclude for your anti-virus software. Technical Support cannot
advise on how to implement these changes in non-McAfee products.

Solution

Add all the executables and processes for MVM to the ENS/VSE exclusion list to avoid
conflicts.

MVM processes to exclude from the On-Access Scanner:

1. Create an On-Access Scanner low-risk process exclusion for the following MVM
processes. Disable scanning when writing to or reading from disk.
o FCAgent.exe
o FCAgentSettings.exe
o FCMConsole.exe
o FCServer.exe
o FSAPI.exe
o FSAssessment.exe
o FSDataSync.exe
o FSDiscovery.exe
o FSLogDispatcher.exe
o FSLogToDiskSvc.exe
o FSNotification.exe
o FSPatch.exe
o FCPatchInstallAgent.exe
o FCPatchInstallApiServer.exe
o FCPatchInstallController.exe
o FCPatchInstallDataSync.exe
o FCPatchInstallEngine.exe
o FCPatchInstallNotification.exe
o FCPatchInstallPortal.exe
o FCPatchInstallReportServer.exe
o FCPatchInstallServer.exe
o FCPatchInstallUpdate.exe
o FSScanCtrlSvc.exe
o FSScanEngineSvc.exe
o FSUpdate.exe
o FSUpdateService.exe
o LCDServices.exe
o RegFS.exe
o ReportServer.exe
o TransformerX.exe

2. Restart the MVM server.

MVM processes to exclude from Access Protection:

Expected behavior for MVM includes requesting permission to terminate certain
protected processes. To allow these actions, create an Access Protection process
exclusion for the MVM process FCAgent.exe.

MVM Database server SQL exclusions:

On the server that runs the MVM Database component, create the recommended
exclusions for ENS/VSE on Microsoft SQL Servers. For details see KB67211.

How to configure exclusions in ENS/VSE:
When configuring exclusions, always apply the principle that the more precise the
exclusion, the smaller the potential security risk. For instructions to configure exclusions,
refer to the following documentation:

• ENS: "Configuring exclusions" section of the Endpoint Security 10.5 Product Guide
(PD26799)
