
Are there any recommended antivirus exclusions for Mavericks? We use Sophos but they don't provide any best practice guidance related to this.



By exclusions I mean files not to scan with on-access scanning. Sometimes when you on-access scan certain files/directories there can be detrimental effects on performance, i.e. scanning the files used for certain database products.

I've excluded the Microsoft User Data folder before (particularly the Database) & JAMF waiting/download folders.


Agree with @bentoms - when we had SEP on Macs in our environment we excluded the MUD folder (at Symantec's request).



I'd clarify with your AV vendor and your Security team about exclusions. I know in SEP's case an exclusion was universal: it applied to both autoprotect and full system scans. We toyed with excluding a set directory for developers so their builds/compiles/dbs wouldn't make things go nuts, while still getting a scan in once a week. But since we couldn't *just* exclude for autoprotect, we couldn't exclude it, period. We have since moved to just using Gatekeeper with App Store and identified developer only settings.


Thanks. Sophos aren't very forthcoming and can only provide general 'how-to' exclude advice. I've searched other vendors but there's very little advice for Macs.



The Linux advice is a little better, and I was hoping for something along these lines (see Page 16):



https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23607/en_US/VSEL_1_7_Best_Practices_Guide.pdf


FYI



McAfee Endpoint Protection for Mac 2.1.0 - Product Guide



and



Excluding folders with Endpoint Protection for Mac, VirusScan for Mac, and Security for Mac with regular expressions


I've been looking at this and realised all the info out there is pre-SIP. I've amalgamated the findings of a few people, plus my own digging into this list of folders to exclude from AV generally. This is written for McAfee but you get the idea.



/.*\\\\cache.db
/.*\\\\.vmwarevm/.*

/private/var/db/.*
/private/var/vm/.*
/private/var/folders/.*
/private/var/root/Library/Caches/com.apple.SoftwareUpdate/.*

/Applications/.*/Contents/(version|Info).plist

/Library/Application Support/JAMF/.*
/Library/Updates/.*
/Library/Caches/.*
/Users/.*/Library/Caches/.*
/Users/.*/Library/Developer/.*
/System/.*
/bin/.*
/sbin/.*
/etc/.*
/tmp/.*
/vm/.*

/usr/bin/.*
/usr/lib/.*
/usr/libexec/.*
/usr/sbin/.*
/usr/share/.*
/usr/standalone/.*


edit: quoted text really didn't like all the wildcards!
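As an added example (not from any poster in this thread, and not McAfee's own matching code), a small audit that runs candidate paths against the regex list above and reports which ones would never be on-access scanned. It assumes the product anchors each pattern against the whole path (Python's fullmatch), and it reads the forum-mangled "\\\\cache.db" as a literal-dot match on the file name.

```python
import re

# Constructed example: the exclusion regexes as posted above, with the
# forum-mangled "\\\\cache.db" written as a literal-dot match (assumption).
EXCLUSIONS = [
    r"/.*cache\.db", r"/.*\.vmwarevm/.*",
    r"/private/var/db/.*", r"/private/var/vm/.*", r"/private/var/folders/.*",
    r"/private/var/root/Library/Caches/com\.apple\.SoftwareUpdate/.*",
    r"/Applications/.*/Contents/(version|Info)\.plist",
    r"/Library/Application Support/JAMF/.*", r"/Library/Updates/.*",
    r"/Library/Caches/.*", r"/Users/.*/Library/Caches/.*",
    r"/Users/.*/Library/Developer/.*",
    r"/System/.*", r"/bin/.*", r"/sbin/.*", r"/etc/.*", r"/tmp/.*", r"/vm/.*",
    r"/usr/bin/.*", r"/usr/lib/.*", r"/usr/libexec/.*", r"/usr/sbin/.*",
    r"/usr/share/.*", r"/usr/standalone/.*",
]
COMPILED = [re.compile(p) for p in EXCLUSIONS]

def excluded_by(path):
    """Return the first pattern that matches the whole path, or None if the
    file would still be scanned on access."""
    for rx in COMPILED:
        if rx.fullmatch(path):
            return rx.pattern
    return None

def audit(paths):
    """Map each candidate path to the pattern that removes it from scanning."""
    return {p: excluded_by(p) for p in paths}

# Constructed sample paths: what the exclusions are meant to skip (caches,
# JAMF downloads) next to locations a defender would not want left unscanned.
SAMPLE_PATHS = [
    "/Library/Application Support/JAMF/Downloads/installer.pkg",
    "/Users/alice/Library/Caches/com.example.app/cache.db",
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Safari.app/Contents/MacOS/Safari",
    "/Users/alice/Downloads/invoice.pdf",
    "/tmp/unpacked_archive.sh",          # skipped: /tmp/.* is a blanket blind spot
    "/private/tmp/unpacked_archive.sh",  # still scanned: /tmp is a symlink to
                                          # /private/tmp on macOS, so which pattern
                                          # applies depends on whether the scanner
                                          # sees the resolved or unresolved path
]

if __name__ == "__main__":
    for path, pattern in audit(SAMPLE_PATHS).items():
        print(f"{'SKIPPED' if pattern else 'SCANNED'} {path}"
              + (f"  <- {pattern}" if pattern else ""))
```

Feed it the real exclusion list and a sample of paths from a build machine to see exactly which directories fall outside on-access scanning before rolling the list out.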


Thanks @franton, we are having issues where Office 2016 takes up to an hour to install with McAfee; without it, it takes less than 10 minutes. Can't figure out what it is in McAfee but will try these exclusions.



Thanks


@jconte did you ever find a solution?


Yes, @prbsparx



Here is what we are excluding:



/var/root/Library/Caches/
/Users//Library/Caches/
/Users/
/Library/Containers/
/Library/Updates/



Hope this helps.


@jconte did you try limiting /Users/*/Library/Containers/* to just the Microsoft Office Containers and Group Containers?


Sorry @prbsparx
We didn't try that idea.



Thanks