
Exclude subdirectories

I am trying to put in the exclusions defined in Microsoft's document here:  http://support.microsoft.com/kb/822158

However, under the section "Turn off scanning of SYSVOL files" it states

Exclude the following files from this folder and all its subfolders:

  • *.adm
  • *.admx
  • *.adml
  • Registry.pol
  • *.aas
  • *.inf
  • Fdeploy.inf
  • Scripts.ini
  • *.ins
  • Oscfilter.ini

There are literally dozens of GUID-named folders within some of the directories. How can I put in these exclusions?
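As an added illustration (this is not from the original post, the Sophos product or the KB article), the PowerShell script below inventories which files under SYSVOL the KB 822158 list would actually cover. It walks every GUID-named policy folder with a single recursive match, so the folders never have to be enumerated by hand, and it also lists the files the patterns do not cover, which are the ones that stay scanned. It only reports; it changes no antivirus setting, because the exclusion syntax of the product is not given in the thread. It assumes SYSVOL is at its default location and PowerShell 3.0 or later (for `-File`).

```powershell
# Added example, not from the thread or the KB article. Reports which files under
# SYSVOL match the KB 822158 SYSVOL exclusion list; it changes no AV setting.
# Assumption: SYSVOL lives at the default location; adjust $SysvolRoot otherwise.
$SysvolRoot = Join-Path $env:SystemRoot 'SYSVOL\sysvol'

# File patterns exactly as listed in the KB article (matching is case-insensitive).
$KbPatterns = @('*.adm', '*.admx', '*.adml', 'Registry.pol', '*.aas',
                '*.inf', 'Fdeploy.inf', 'Scripts.ini', '*.ins', 'Oscfilter.ini')

# Shape of a GPO folder name under ...\Policies, e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}
$GuidFolder = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-SysvolExclusionReport {
    param(
        [Parameter(Mandatory)] [string]   $Root,
        [string[]] $Pattern = $KbPatterns
    )
    # -Recurse descends into every subfolder, including the GUID-named policy
    # folders, so none of them has to be listed by hand. -Include only filters
    # file names when combined with -Recurse; -File needs PowerShell 3.0+.
    $found = Get-ChildItem -Path $Root -Recurse -File -Include $Pattern -ErrorAction SilentlyContinue
    foreach ($f in $found) {
        # First KB pattern this file name satisfies (used to group the report).
        $matched = $Pattern | Where-Object { $f.Name -like $_ } | Select-Object -First 1
        $rel      = $f.FullName.Substring($Root.Length).TrimStart('\')
        $segments = $rel -split '\\'
        # The GUID-named folder in the path identifies the GPO the file belongs to.
        $gpo = $segments | Where-Object { $_ -match $GuidFolder } | Select-Object -First 1
        [pscustomobject]@{
            Pattern = $matched
            Gpo     = $gpo
            Depth   = $segments.Count - 1
            Path    = $rel
        }
    }
}

function Get-SysvolUnlistedFiles {
    param(
        [Parameter(Mandatory)] [string]   $Root,
        [string[]] $Pattern = $KbPatterns
    )
    # Everything that matches no KB pattern stays scanned. Review this list before
    # assuming the KB exclusions alone will remove a scanning load from SYSVOL.
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.Name
            -not ($Pattern | Where-Object { $name -like $_ })
        }
}

# Usage: how many files each pattern covers, and how they spread across GPOs.
$report = Get-SysvolExclusionReport -Root $SysvolRoot
$report | Group-Object Pattern | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
$report | Group-Object Gpo | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
# Files under SYSVOL that the KB list does not cover (first 20 shown).
Get-SysvolUnlistedFiles -Root $SysvolRoot |
    Select-Object -Property FullName -First 20 | Format-Table -AutoSize
```

Run it on a domain controller as a user with read access to SYSVOL. The per-pattern counts show what an exclusion policy would stop scanning (the risk side of the KB's "evaluate the risks" advice); the per-GPO grouping shows that a name-based rule applied recursively reaches every GUID folder without listing them, while the unlisted-file output shows what such a rule leaves untouched.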

  • Hello ttl,

    like the other virus scanning recommendations, you have to take this one with a grain of salt. Arguably its wording is IMO the best Microsoft has come up with in this area in the last years. Nevertheless it is, like the others, somewhat contradictory.

    Won't engage in the discussion this time of how feasible it is to efficiently implement these rather complex exclusions. Instead, as the answer to "How can I put in these exclusions?" is: You can't (at least not in an easy, general and economic way), I'd like to point out the subtleties of the mentioned article (all emphasis/underline mine unless noted otherwise):

    The INTRODUCTION describes the contents as recommendations that may help an administrator determine the cause of potential instability and further notes we recommend that you temporarily apply these procedures to evaluate a system. If your system performance or stability is improved ... we recommend that you evaluate the risks that are associated with implementing this workaround and finally If you implement this workaround, take any appropriate additional steps to help protect the computer (whatever these are or could be).

    This doesn't look like a sine qua non to me. It then goes on with a warning, an interesting almost-repudiation (we do not recommend this workaround) of the article's subject and the dire Use this workaround at your own risk.

    The rest is the (usual) mix of mentioning more or less outdated potential problems (older versions of most vendor software inappropriately change a file's metadata as the file is scanned) and "tetchy" components (e.g. FRS) where problems might arise without AV involved and interspersed general security and performance recommendations.

    Thus, do you have issues which you suspect to be caused by scanning? And are you trying to assess whether the exclusions help?

    Christian

  • Yes, we are having issues we suspect are being caused by scanning. When we install Windows Updates to servers, the SAV process eats up CPU, despite having added .CAB files to the Exception list.

  • Hello ttl,

    so the issues are in conjunction with Windows Update and not normal operation? Wouldn't have expected that it's the .CAB files themselves (unless the policy is set to scan inside archives). Also I don't think that arbitrarily trying various exclusions is of much help - shouldn't a significant number of others encounter similar problems?

    It's probably more efficient to monitor what's exactly going on and why it results in an apparently excessive resource consumption. I suggest you don't do this on your own; better contact Support directly for assistance.

    Christian

  • I appreciate the suggestion. However, we have contacted support about this previously and they have few suggestions. We run a VMware environment and when WSUS pushes out Windows updates (even though the VMs are in staggered groups), Sophos Endpoint spikes the CPU for the ESX hosts while all of the clients scan the updates being installed. I'm sure we're not the only customers facing this issue.
  • Hello ttl,

    sorry for suggesting something you've already tried - wasn't clear to me from your post you were looking for a "second opinion" ;)

    Was about to reply yesterday but decided to mull over it. I'm sure we're not the only customers facing this issue - taking it at face value I agree. OTOH - there are articles and tools for virtualized environments (e.g. the Virtualization Scan Controller) and I'd expect at least a little of something if these problems were more widespread.

    Scanning naturally causes a non-negligible overhead - but this applies to normal operation as well. Now, Windows updates are not known to be unobtrusive, and in the course of updating there's often quite some additional file system activity which keeps the scanner occupied. If your guests are usually only under light load and your hosts moderately busy you'll likely "feel" the impact. If your hosts are already fairly busy the effect might not be dramatic though.

    CPU is only one indicator. Back then, on the mainframe (with virtual guests) 100% CPU was ideal (of course if you met throughput, response times and so on) - it showed that you did not "waste" cycles you had bought. Indeed, CPU usage dropping to 95% usually indicated real and severe contention, and then you had a problem.

    Sorry for digressing ... what apart from the CPU spikes are the problems? Unresponsive systems? Delays?

    Christian
