Yet Another Antivirus Program
The time had come to renew my antivirus program. I decided instead to try one that I’ve been reading good things about on some Yahoo forums: ESET‘s NOD32. The main attraction is the promise of a fast, lightweight, and accurate scan engine.
As warned, the setup of the server components is not exactly intuitive. It’s made more complex by the fact that ESET is currently transitioning from version 2.7 to 3.0, a change that includes some fundamental reconfiguration of how modules are named. Not all documentation has been updated yet, and so far there is no Exchange component for 3.0.
I will say, though, that once I got the hang of creating XML configuration files using the ESET Configuration Editor, creating install packages, then pushing those files to server and client computers, it’s been a pretty straightforward process.
Update 3/1/2008: a couple of weeks into this experiment with NOD32, my reservations are increasing, at least regarding version 3.0. I’ve had two complete server lockups so far, and I’m not alone. ESET Support has suggested some changes to the server configuration, but it has been maddening trying to figure out how to implement those changes in the ESET Configuration Editor. There is a complete lack of continuity between the client UI and the ESET Configuration Editor, and it seems that some things simply do not appear in the Editor at all (like disabling email and web protection, as support recommended for the server). I have had some success by directly editing the XML files, but that is not fun. Many admins are reverting to version 2.7. Since I’m just starting with NOD32, I’d rather not have to learn an old version, but I may be forced to if version 3.0 doesn’t stabilize.
Update 3/6/2008: the 3.0 configuration changes seem to have helped–no crashes for six days. However, after checking with other NOD32 users, I decided to downgrade to 2.7 for now. I was able to continue with the 3.0 Remote Administrator and downgrade only the client software. All the exclusions etc. have to be set up again, but in the case of 2.7, there is a better correspondence between the Configuration Editor and the client interface, so this seemed to go a little more smoothly. I did get a new error on a previously unexcluded file (C:\WINNT\security\tmp.edb), so I extended the list below to include a few files from that folder.
File Exclusions
The main thing I wanted to focus on here is the file exclusions. NOD32 scans all files by default. While I wasn’t experiencing problems, that can theoretically cause lots of grief especially on Small Business Server, which runs a domain controller, DNS server, Exchange server, and SQL/MSDE servers.
It took a call to ESET support to clarify that if I add file and folder exclusions to ESET Kernel > Setup, that will cover all accesses by the program; I don’t need to additionally add specific exclusions of various extensions to all the individual program modules.
With the help of a this thread in the official ESET forum, I was able to come up with a list of files to exclude on my SBS 2003 server and its clients. I also found a workaround for a bug that was preventing the exclusion lists from pushing to the server and clients. I won’t duplicate all the explanations of what each file and folder is, but the procedure is as follows:
1. Create a text file listing the files to exclude. Paste the following into Notepad and save as a text file , e.g. “SBS exclusions.txt”:
D:\Mail Server\Exchsrvr\MDBDATA\*.*
C:\Program Files\Exchsrvr\Mtadata\*.*
C:\Program Files\Exchsrvr\MCB03.log\*.*
C:\Program Files\Exchsrvr\Mailroot\*.*
C:\Program Files\Exchsrvr\Mdbdata\*.*
C:\Program Files\Exchsrvr\Conndata\*.*
C:\Program Files\Exchsrvr\srsdata\*.*
C:\WINNT\system32\inetsrv\*.*
C:\WINNT\IIS Temporary Compressed Files\*.*
C:\WINNT\NTDS\*.*
C:\WINNT\sysvol\*.*
C:\WINNT\ntfrs\*.*
C:\WINNT\security\edb*.log
C:\WINNT\security\tmp.edb
C:\WINNT\Security\Database\secedit.sdb
C:\WINNT\system32\CertLog\*.* – added 3/13/2008 (Certificate Authority files)
C:\WINNT\system32\dhcp\*.*
C:\WINNT\system32\wins\*.*
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Data\*.*
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Data\*.*
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Data\*.*
F:\MSSQL2000\MSSQL\Data\*.*
C:\WINNT\System32\ntmsdata\*.*
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail\*.*
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail\*.*
C:\WINNT\SoftwareDistribution\DataStore\*.*
C:\pagefile.sys
C:\WINNT\system32\licstr.cpa
C:\WINNT\system32\lls\*.* – corrected 3/10/2008
G:\*.*
H:\*.*
Note that your drives and paths may vary. The last two entries exclude drives that store disk-based backup files.
2. In the ESET Configuration Editor, open the following node:
ESET Smart Security, ESET NOD32 Antivirus > ESET Kernel > Setup > Exclusions > Exclusions
and click on the Edit button.
3. Click on the +List button and import the text file from step 1. Click on OK.
4. Save the configuration file as a separate file, e.g. “SBS exclusions.xml”.
5. Close the ESET Configuraiton Editor and open the “SBS exclusions.xml” file in an XML editor. (I used FrontPage 2003.) Replace all occurrences of
<NODE NAME=”Exclusion” DELETE=”0″>
with
<NODE NAME=”Exclusion” TYPE=”SUBNODE” DELETE=”0″>
This works around a bug and will allow the configuration file to update exclusions when it is pushed to the server.
6. Use the ESET Remote Administrator Console to push the configuration file to the server in the usual manner. (In the Clients tab, right-click on the server name and select New Task > Configuration Task.)
7. Once the configuration task completes (see the Tasks tab), open the NOD32 client on the server, press F5 to open the Advanced Setup window, then check the Antivirus and antispyware > Exclusions node to make sure that the exclusions were imported correctly.
Exclusions for Client Computers
I followed a similar procedure to add following exclusions to the configuration file that I push to client computers:
C:\WINDOWS\SoftwareDistribution\DataStore
C:\Program Files\Microsoft Windows Small Business Server\Clients\SBSClientApps.log
Note that the exclusion of *.mdf and *.ldf as suggested in the original version of this article do not work as expected: exluding them at the root of C:\ does not exclude them in all subfolders. They can either be excluded using the extension exclusions in the various scanning components, or those extension settings can be reversed so that instead of scanning all extensions (the default), only a long list of specific file extensions are included. If you choose the latter route, be sure to remove the “*.MD?” extension that is included in the default list of extensions to be scanned.
Thanks for your information…
Someone from Johannesburg, South Africa, sent me the following today as an email:
“hi. needed to renew my antivirus software. was advised to change from nortons to nod32. our ‘guy’ came out today. now we cannot VPN into our server anymore. they say its because the remote access routing service has ‘fallen over’. am getting desparate – most of my technicians access our server from remote sites – we run a 24 hour service for our customers. why would this happen? thanks”
I would suggest contacting your local support professional, or the software manufacturer, for urgent support. If you need support from the community, you can post your question to the ESET area of Wilders Security Forum http://www.wilderssecurity.com/forumdisplay.php?f=15.