A topic that comes up every so often is how to best handle anti-virus applications with Microsoft Dynamics CRM.  This is actually a great question as performance can be impacted negatively depending on how this has been configured.  Virus scanning can even lock certain files making them inaccessible to other applications.  Since Dynamics CRM can touch multiple servers and multiple areas in an environment, the overall guidance for anti-virus software can be far reaching and bring many areas into consideration.  Anti-virus software can have an effect on the application servers, SQL Server, AD servers, Reporting servers, and client machines. 

The following is a list of files and folders that we feel should be considered to be excluded from anti-virus scanning in order to minimize performance impact.  This is not an exhaustive list, but instead a list built from observing and working with various customer environments.  Keep in mind, however, that each environment requires a thoughtful decision on what to include and exclude, and there is always a possibility that excluding files from scans can lead to unwanted consequences.  This list should be used alongside your well planned internal IT management policies.

CRM Servers

  • The following directory should be excluded:
    • %SystemDrive%inetpubtempIIS Temporary Compressed File
    • %systemroot%system32inetsrv
  • Ensure any script-scanning functionality in your anti-virus software is turned off on the CRM Server(s)
  • The following KB articles provide additional information on anti-virus software used with IIS

SQL Server

  • SQL Server data files. These files usually have the following file name extensions:
    • .mdf
    • .ldf
    • .ndf
  • SQL Server backup files. These usually have the following file name extensions:
    • .bak
    • .trn
  • Full-Text catalog files
  • The directory that holds Analysis Services data
  • If a SQL Server failover cluster is being used, the following should also be excluded:
    • Q: (Quorum drive
    • c:WindowsCluster
  • mssql.exe
  • sqlagent.exe
  • For further information on SQL Server see the following KB article:

Dynamics CRM Client

  • Check for any interference from desktop security software.  Some anti-virus programs include a feature called ScriptScan which can affect performance in Dynamics CRM.  Most programs have functionality to disable scanning on certain web sites.  Make sure the Dynamics CRM URL has been added to this list.  For McAfee specifically see the following KB articles for this setting:
  • If using other anti-virus software, make sure the CRM website URL is included in the trusted zone for the virus scanning and switch off on-access scanning for the CRM website.  See your specific anti-virus application documentation for more details.

Virtual Servers

  • If virtual servers are used in the deployment, make sure the directory on the host machine containing the virtual hard drive files is excluded from scanning.
  • For Hyper-V specifically, the following processes should be excluded:
    • Vmms.ex
    • Vmswp.exe
    • Vmwp.exe
  • Additional information:

Email Router

  • If the email router is being used, the following files should be excluded from scanning: (these files are by default in the C:Program FilesMicrosoft CRM EmailService folder)
    • microsoft.crm.tools.email.management.exe
    • microsoft.crm.tools.emailagent.exe
    • microsoft.crm.tools.emailproviders.dll
    • Microsoft.Exchange.WebServices.dll
    • Microsoft.Crm.Passport.IdCrl.dll
    • Microsoft.Crm.Tools.EmailAgent.Configuration.bin
    • Microsoft.Crm.Tools.EmailAgent.xml
    • Microsoft.Crm.Tools.EmailAgent.SystemState.xml
    • If a trace is being run, the trace file as configured in the emailagent.xml can also be excluded.

Updating with a few additional exclusions, thanks to Jeff Reiser.

Enterprise Windows Servers (Server 2008, Server 2008 R2, Server 2003, Windows 2000, Vista, XP, and Windows 7)

·         Turn off scanning of Windows Update or Automatic Update related files

o   Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder:

  •  %windir%SoftwareDistributionDatastore

o   Turn off scanning of the log files that are located in the following folder:

  •  %windir%SoftwareDistributionDatastoreLogs

o   Specifically, exclude the following files:

  •  Res*.log
  •  Res*.jrs
  •  Edb.chk
  •  Tmp.edb

·         The wildcard character (*) indicates that there may be several files.

·         Turn off scanning of Windows Security files

o   Add the following files in the %windir%SecurityDatabase path of the exclusions list:

  •  *.edb
  •  *.sdb
  •  *.log
  •  *.chk
  •  *.jrs

·         Turn off scanning of Group Policy related files

o   Group Policy user registry information. These files are located in the following folder:

  •  %allusersprofile%

o   Specifically, exclude the following file:

  •  NTUser.pol

o   Group Policy client settings file. This file is located in the following folder:

  •  %Systemroot%System32GroupPolicy

o   Specifically, exclude the following file:

  • Registry.pol

·         For additional information on the above exclusions and for information regarding Domain Controllers please visit the following KB Article