
arcserve-KB : arcserve RHA best practices with regards to Anti-virus exclusion and various AV vendor configurations

Last Update: 2016-04-20 18:41:05 UTC

 

Description:

 

This document describes best practices for implementing and configuring CA ARCserve RHA environments alongside the popular anti-virus applications available as of this writing.

Because replication requires heavy read/write IO, the CA ARCserve RHA engine process should, whenever possible, be excluded from anti-virus 'On Read Access' scanning, or from scanning altogether. This removes the additional IO overhead on read access to the files that we need to capture changes from, and reduces the IO that occurs when we create our journal files for replication within the RHA “Spool” directory.
 
 
Many popular anti-virus solutions allow an entire process to be excluded from scanning, or at the very least from “On read access” scans. These are listed below, with information on how to enable such exclusions.
 
Required Exclusions:

At a bare minimum the spool folder needs to be excluded from anti-virus 'On-Access Scanning'. The default location for the spool folder is '%SYSTEMDRIVE%\Program Files\CA\ARCserve RHA\engine\tmp'.

Recommended Exclusions:

Whenever possible, please also add a file exclusion for '*.jrnl'. This is the extension of the spool journal files, and excluding it helps reduce IO overhead if the spool folder in the scenario is changed from the default, or from a user-defined location that is already excluded.

In addition, many anti-virus solutions allow an entire process to be excluded. If possible, please also exclude the 'ws_rep.exe' process from all 'On-Access' AV scanning. Below are some popular AV solutions with information on how to exclude a process from scanning.

 

 

 
Symantec Endpoint Protection:
The steps below show how to exclude a process within Symantec Endpoint Protection.

 

1. First open Symantec Endpoint Protection by right-clicking on the right hand corner task menu
2. Then click on the options button for Virus and Spyware Protection
3. Then click on Change settings
4. On the Global Settings tab click on View List
5. Next click Add then click on Application Exception
6. Then browse to the ws_rep.exe process within the engine install directory. Select it and click OK
7. It will now show in the exceptions list

 

 
McAfee VirusScan Enterprise
 
Sophos Endpoint Security
Sophos does not allow process exclusion within the GUI, only folder and file exclusion. It can, however, exclude a process through registry keys, which also requires a reboot.

Win2K/XP:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVOnAccessControl

Vista/Win7:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVOnAccess
 
Create a string value called:
ExcludedProcess0 
The value can then be for example: 'notepad.exe' to exclude the notepad.exe process.
 
If you need to exclude multiple processes, create additional string values, e.g.
ExcludedProcess1
ExcludedProcess2
and so on, with no gaps in the numbering.
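
An added example (not arcserve or Sophos code) that audits the ExcludedProcessN values described above for numbering gaps and for processes outside an expected list. The function name, the expected list and the sample table are assumptions made for illustration.

```powershell
# Added example, not vendor code. Checks ExcludedProcessN string values:
# numbering must start at 0 with no gaps, and every excluded process
# should be one the administrator expects to be exempt from scanning.
function Test-ExcludedProcessValues {
    param(
        [Parameter(Mandatory = $true)] [hashtable] $Values,  # value name -> value data
        [string[]] $Expected = @('ws_rep.exe')               # assumption: only the RHA engine
    )
    # Keep only names of the form ExcludedProcess<number>, ordered by index.
    $entries = foreach ($name in $Values.Keys) {
        if ($name -match '^ExcludedProcess(0|[1-9]\d*)$') {
            [pscustomobject]@{
                Index   = [int]$Matches[1]
                Name    = $name
                Process = [string]$Values[$name]
            }
        }
    }
    $entries = @($entries | Sort-Object Index)
    $findings = @()

    # Indexes must be 0, 1, 2, ... in order; report the first break.
    for ($i = 0; $i -lt $entries.Count; $i++) {
        if ($entries[$i].Index -ne $i) {
            $findings += "Numbering gap: expected ExcludedProcess$i, found $($entries[$i].Name)"
            break
        }
    }
    # Each process exclusion is a scanning blind spot, so flag unexpected ones.
    $excluded = @($entries | ForEach-Object { $_.Process })
    foreach ($e in $entries) {
        if ($Expected -notcontains $e.Process) {
            $findings += "Unexpected exclusion: $($e.Name) = $($e.Process)"
        }
    }
    foreach ($p in $Expected) {
        if ($excluded -notcontains $p) { $findings += "Missing exclusion for $p" }
    }
    $findings
}

# Constructed sample: ExcludedProcess1 is absent, leaving a gap after index 0.
$sample = @{ ExcludedProcess0 = 'ws_rep.exe'; ExcludedProcess2 = 'notepad.exe' }
Test-ExcludedProcessValues -Values $sample

# On a live host, build the table from the Vista/Win7 key given in this article:
# $key = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Services\SAVOnAccess'
# $live = @{}; $key.GetValueNames() | ForEach-Object { $live[$_] = $key.GetValue($_) }
```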
 
Kaspersky Anti-Virus Enterprise Edition
Kaspersky has a “trusted zone list” that allows for process exclusion as well:

  Adding exclusions from Anti-Virus scan via Trusted zone

 
eTrust Threat Management

 

 

 

 

 

 

 

 

 