DPM and Anti-Virus Exclusions

The TechNet topic on Running Antivirus Software on the DPM Server recommends that you exclude two processes:

  • csc.exe
  • dpmra.exe

In McAfee you accomplish this by adding the processes to the low risk list. I discovered today that at least with McAfee, this isn't really enough. You also need to add eseutil.exe to the exclusion list. For good measure I would also specifically exclude scanning of:

  • *.edb
  • *.chk
  • *.log

I haven't discovered a way to exclude all of the paths DPM uses in McAfee given that they aren't accessible (e.g. no drive letter) in a fashion that you can provide to McAfee, so, excluding the file types is as close as I have figured out how to get.

I had been having an on and off again issue where DPM would stop protecting storage groups and it would report the replica was inconsistent with unknown error 0xFFFFF8ED. A quick look up of this error will yield JET_errFileNotFound. I took a look at the McAfee log file and discovered it had been deleting random replicated transaction logs because they matched one signature or another:

11/12/2009 8:45:44 AM Deleted (Clean failed because the detection isn't cleanable) NT AUTHORITY\SYSTEM C:\Program Files\Microsoft DPM\DPM\bin\eseutil.exe \Device\HarddiskVolume63\ba2eea65-e710-412d-81f2-1b6ac2c33ab3\Logs\SG08\E0600021063.log Malformed Archive (Trojan)
11/12/2009 9:30:45 AM Deleted (Clean failed because the detection isn't cleanable) NT AUTHORITY\SYSTEM C:\Program Files\Microsoft DPM\DPM\bin\eseutil.exe \Device\HarddiskVolume63\ba2eea65-e710-412d-81f2-1b6ac2c33ab3\Logs\SG08\E0600021063.log Malformed Archive (Trojan)
11/12/2009 10:15:45 AM Deleted (Clean failed because the detection isn't cleanable) NT AUTHORITY\SYSTEM C:\Program Files\Microsoft DPM\DPM\bin\eseutil.exe \Device\HarddiskVolume63\ba2eea65-e710-412d-81f2-1b6ac2c33ab3\Logs\SG08\E0600021063.log Malformed Archive (Trojan)
11/12/2009 11:00:45 AM Deleted (Clean failed because the detection isn't cleanable) NT AUTHORITY\SYSTEM C:\Program Files\Microsoft DPM\DPM\bin\eseutil.exe \Device\HarddiskVolume63\ba2eea65-e710-412d-81f2-1b6ac2c33ab3\Logs\SG08\E0600021063.log Malformed Archive (Trojan)

Posted Saturday, November 14 2009 6:07 PM by Brian Desmond | 3 Comments
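
A log triage sketch for the symptom described in the post, added here as an example and not part of the original post or any McAfee tooling: it scans on-access log lines for deletions that were triggered by a DPM process or that removed an ESE file type, and reports files deleted more than once. The field layout is assumed from the four lines quoted above, and the function names are hypothetical.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Processes named in the post: the two documented exclusions plus eseutil.exe.
DPM_PROCESSES = {"csc.exe", "dpmra.exe", "eseutil.exe"}
# ESE database, checkpoint and transaction-log extensions the post excludes.
ESE_EXTENSIONS = {".edb", ".chk", ".log"}

# Assumed field order, inferred from the excerpt: timestamp, action (+ optional
# note), account, scanning process, target path (no spaces), detection name.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<action>\w+)\b.*?"
    r"(?P<process>[A-Za-z]:\\.+?\.exe)\s+(?P<target>\S+)\s+(?P<detection>.+)$"
)

def dpm_deletions(lines):
    """Return deletions made on behalf of a DPM process or hitting an ESE file type."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "Deleted":
            continue
        process = PureWindowsPath(m["process"]).name.lower()
        suffix = PureWindowsPath(m["target"]).suffix.lower()
        if process in DPM_PROCESSES or suffix in ESE_EXTENSIONS:
            hits.append({"ts": m["ts"], "process": process,
                         "target": m["target"], "detection": m["detection"]})
    return hits

def repeated_targets(hits):
    """Map each file deleted more than once to its deletion count."""
    counts = Counter(h["target"] for h in hits)
    return {target: n for target, n in counts.items() if n > 1}

SAMPLE = [
    # First two lines are from the excerpt above; the last two are constructed.
    r"11/12/2009 8:45:44 AM Deleted (Clean failed because the detection isn't cleanable) NT AUTHORITY\SYSTEM C:\Program Files\Microsoft DPM\DPM\bin\eseutil.exe \Device\HarddiskVolume63\ba2eea65-e710-412d-81f2-1b6ac2c33ab3\Logs\SG08\E0600021063.log Malformed Archive (Trojan)",
    r"11/12/2009 9:30:45 AM Deleted (Clean failed because the detection isn't cleanable) NT AUTHORITY\SYSTEM C:\Program Files\Microsoft DPM\DPM\bin\eseutil.exe \Device\HarddiskVolume63\ba2eea65-e710-412d-81f2-1b6ac2c33ab3\Logs\SG08\E0600021063.log Malformed Archive (Trojan)",
    r"11/12/2009 9:40:00 AM Deleted NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe \Device\HarddiskVolume63\constructed\priv1.edb Constructed Detection",
    r"11/12/2009 9:41:00 AM Deleted NT AUTHORITY\SYSTEM C:\Windows\explorer.exe C:\Temp\sample.zip Constructed Detection",
]

if __name__ == "__main__":
    hits = dpm_deletions(SAMPLE)
    for target, n in repeated_targets(hits).items():
        print(f"{n} deletions of {target}")
```

A file that shows up in `repeated_targets` is one the scanner keeps removing, which is the pattern visible in the quoted log.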

Comments, Trackbacks, & Pingbacks

#1 re: DPM and Anti-Virus Exclusions

Monday, November 23 2009 5:18 AM by Ciprian Lozonschi

Hi Brian,

In McAfee you can exclude folders from being scanned On-Access, on read or on write.

Open VirusScan Console - select On-Access Scanner - right click - Properties - select All Processes on the left pane - Exclusions tab - Exclusions button. From here you can add what you want to be excluded.

I hope that this is what you are looking for.

Ciprian

#2 re: DPM and Anti-Virus Exclusions

Monday, November 23 2009 5:27 AM by Ciprian Lozonschi

I forgot to say that this can be configured as a policy in the ePO console (3.6 or 4), which can be applied to multiple servers. The policy from the ePO server can overwrite the local policy, so if you configure this only locally you can end up with it being gone when the policy is refreshed from ePO.

#3 re: DPM and Anti-Virus Exclusions

Monday, November 23 2009 9:56 AM by Brian Desmond

Hi-

Yes I know how to exclude folders, but, if you use custom volumes your drives are all hidden as they're not mounted anywhere. There are some mount points on the file system that point to parts of these drives but I don't know if or how McAfee handles this.
