Posted on 02-27-2014 06:38 AM
Are there any recommended antivirus exclusions for Mavericks? We use Sophos but they don't provide any best practice guidance related to this.
By exclusions I mean files not to scan with on-access scanning. Sometimes when you on-access scan certain files / directories there can be detrimental effects on performance, i.e. scanning the files used for certain database products.
Posted on 02-27-2014 10:47 AM
I've excluded the Microsoft User Data folder before (particularly the Database) & JAMF waiting/download folders.
Posted on 02-27-2014 11:56 AM
Agree with @bentoms - when we had SEP on Macs in our environment we excluded the MUD folder (at Symantec's request).
I'd clarify with your AV vendor and your Security team about exclusions. I know in SEP's case an exclusion was universal: it applied to both autoprotect and full system scans. We toyed with excluding a set directory for developers so their builds/compiles/dbs wouldn't make things go nuts, while still getting a scan in once a week. But since we couldn't *just* exclude for autoprotect, we couldn't exclude it, period. We have since moved to just using Gatekeeper with App Store and identified developer only settings.
Posted on 03-02-2014 07:04 AM
Thanks. Sophos aren't very forthcoming and can only provide general 'how-to' exclude advice. I've searched other vendors but there's very little advice for Macs.
The Linux advice is a little better, and I was hoping for something along these lines (see Page 16):
Posted on 05-20-2015 05:56 AM
Posted on 09-08-2017 12:50 AM
I've been looking at this and realised all the info out there is pre-SIP. I've amalgamated the findings of a few people, plus my own digging into this list of folders to exclude from AV generally. This is written for McAfee but you get the idea.
/.*\\cache.db
/.*\\.vmwarevm/.*
/private/var/db/.*
/private/var/vm/.*
/private/var/folders/.*
/private/var/root/Library/Caches/com.apple.SoftwareUpdate/.*
/Applications/.*/Contents/(version|Info).plist
/Library/Application Support/JAMF/.*
/Library/Updates/.*
/Library/Caches/.*
/Users/.*/Library/Caches/.*
/Users/.*/Library/Developer/.*
/System/.*
/bin/.*
/sbin/.*
/etc/.*
/tmp/.*
/vm/.*
/usr/bin/.*
/usr/lib/.*
/usr/libexec/.*
/usr/sbin/.*
/usr/share/.*
/usr/standalone/.*
edit: quoted text really didn't like all the wildcards!
Posted on 09-19-2017 01:48 PM
Thanks @franton, we are having issues where Office 2016 takes up to an hour to install with McAfee; without it, it takes less than 10 minutes. Can't figure out what it is in McAfee but will try these exclusions.
Thanks
Posted on 09-05-2018 01:08 PM
@jconte did you ever find a solution?
Posted on 09-05-2018 01:24 PM
Yes, @prbsparx
Here is what we are excluding:
/var/root/Library/Caches/
/Users//Library/Caches/
/Users//Library/Containers/
/Library/Updates/
Hope this helps.
Posted on 09-06-2018 10:34 AM
@jconte did you try limiting /Users/*/Library/Containers/* to just the Microsoft Office Containers and Group Containers?
Posted on 09-06-2018 12:40 PM
Sorry @prbsparx We didn't try that idea.
Thanks
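An added example, not written by any poster in this thread, for reviewing exclusion lists like the ones above: it runs constructed sample paths against a subset of the regexes from the 09-08-2017 list and reports which exclusions leave locations outside SIP-protected roots unscanned. It assumes the scanner matches each regex against the whole path and uses a simplified SIP root list; `NARROW` is a hypothetical Office-only form of the Containers exclusion suggested on 09-06-2018, not a tested setting.

```python
import re

# Subset of the exclusion regexes posted in the thread (McAfee syntax).
EXCLUSIONS = [r"/System/.*", r"/bin/.*", r"/sbin/.*", r"/usr/bin/.*",
              r"/tmp/.*", r"/private/var/folders/.*", r"/Library/Caches/.*",
              r"/Users/.*/Library/Caches/.*", r"/Users/.*/Library/Developer/.*"]
# BROAD: regex form of the Containers exclusion; NARROW: hypothetical Office-only form.
BROAD = [r"/Users/.*/Library/Containers/.*"]
NARROW = [r"/Users/.*/Library/Containers/com\.microsoft\..*"]

# Constructed sample paths, not taken from a real machine.
SAMPLE_PATHS = [
    "/usr/bin/ssh",
    "/tmp/installer.pkg",
    "/private/var/folders/ab/xyz/T/download.bin",
    "/Library/Caches/com.example.updater/payload",
    "/Users/alice/Library/Caches/com.example.app/blob",
    "/Users/alice/Library/Developer/Xcode/DerivedData/build.o",
    "/Users/alice/Downloads/invoice.dmg",
]

def location_class(path):
    """Simplified assumption: SIP covers /System, /bin, /sbin, /usr minus /usr/local."""
    sip = path.startswith(("/System/", "/bin/", "/sbin/", "/usr/"))
    if sip and not path.startswith("/usr/local/"):
        return "sip-protected"
    if path.startswith(("/Users/", "/tmp/", "/private/var/folders/")):
        return "user-writable"
    return "other"

def excluded_by(path, patterns=EXCLUSIONS):
    """Return the first exclusion that matches the whole path, else None."""
    return next((p for p in patterns if re.fullmatch(p, path)), None)

def audit(paths=SAMPLE_PATHS, patterns=EXCLUSIONS):
    """Map each exclusion to the classes of sample paths it leaves unscanned."""
    report = {}
    for path in paths:
        pattern = excluded_by(path, patterns)
        if pattern:
            report.setdefault(pattern, set()).add(location_class(path))
    return report

def needs_review(report):
    """Exclusions whose unscanned sample paths are not all SIP-protected."""
    return sorted(p for p, c in report.items() if c != {"sip-protected"})

if __name__ == "__main__":
    print(needs_review(audit()))
```

Replace `SAMPLE_PATHS` with paths from a real inventory and `EXCLUSIONS` with the deployed policy to see which exclusions deserve a second look with the security team.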