Best Practice: SharePoint Server Antivirus Exclusions

A number of SharePoint Server related paths should be excluded from scanning by the server's antivirus software.

Web Server Extensions

You may have to configure your antivirus software to exclude the following folders and subfolders from antivirus scanning:

  • Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions

If you do not want to exclude the whole Web Server Extensions folder from antivirus scanning, you can exclude only the following two folders:

  • Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Logs
  • Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Data\Applications

NOTE: The Applications folder must be excluded only if the computer is running the SharePoint Foundation Search service. If the folder that contains the index file is located elsewhere, you must also exclude that folder.

.NET Framework

  • Drive:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
  • Drive:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config

Log Files

  • Drive:\WINDOWS\System32\LogFiles
  • Drive:\Windows\Syswow64\LogFiles
  • Drive:\Users\ServiceAccount\AppData\Local\Temp
  • Drive:\Users\ServiceAccount\AppData\Local\Temp\WebTempDir
  • Drive:\Users\Default\AppData\Local\Temp
  • Drive:\Users\account that the search service is running as\AppData\Local\Temp

NOTE: The search account creates a folder in the Gthrsvc_spsearch4 Temp folder to which it periodically has to write.

  • Drive:\inetpub\wwwroot\wss\VirtualDirectories\ and all the folders under Drive:\inetpub\temp\IIS Temporary Compressed Files\.
  • Drive:\ProgramData\Microsoft\SharePoint
  • Drive:\Program Files\Microsoft Office Servers

If you do not want to exclude the whole Microsoft Office Servers folder from antivirus scanning, you can exclude only the following folders:

  • Drive:\Program Files\Microsoft Office Servers\15.0\Data
  • Drive:\Program Files\Microsoft Office Servers\15.0\Logs
  • Drive:\Program Files\Microsoft Office Servers\15.0\Bin
  • Drive:\Program Files\Microsoft Office Servers\15.0\Synchronization Service

BLOB Cache

  • <BlobCache Drive>:\<BlobCache Directory>

Search Index

  • <Index File Drive>:\<Index File Directory>

SQL Server Exclusions

When you configure your antivirus software settings, make sure that you exclude the following files or directories (as applicable) from virus scanning. Doing this improves performance and helps ensure that the files are not locked when the SQL Server service must use them. However, if these files become infected, your antivirus software cannot detect the infection.

SQL Server data files

These files usually have one of the following file-name extensions:

  • .mdf
  • .ldf
  • .ndf

SQL Server backup files

These files frequently have one of the following file-name extensions:

  • .bak
  • .trn

Full-Text catalog files

  • Default instance: Program Files\Microsoft SQL Server\MSSQL\FTDATA
  • Named instance: Program Files\Microsoft SQL Server\MSSQL$instancename\FTDATA

Trace files

These files usually have the .trc file-name extension. These files can be generated either when you configure profiler tracing manually or when you enable C2 auditing for the server.

SQL audit files (for SQL Server 2008 or later versions)

These files have the .sqlaudit file-name extension. For more information, see the following topic in SQL Server Books Online: Audits (General Page)

SQL query files

These files typically have the .sql file-name extension and contain Transact-SQL statements.
SQL Server 2016

  • %ProgramFiles%\Microsoft SQL Server\MSSQL13.<Instance Name>\MSSQL\Binn\SQLServr.exe
  • %ProgramFiles%\Microsoft SQL Server\MSRS13.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
  • %ProgramFiles%\Microsoft SQL Server\MSAS13.<Instance Name>\OLAP\Bin\MSMDSrv.exe

SQL Server 2014

  • %ProgramFiles%\Microsoft SQL Server\MSSQL12.<Instance Name>\MSSQL\Binn\SQLServr.exe
  • %ProgramFiles%\Microsoft SQL Server\MSRS12.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
  • %ProgramFiles%\Microsoft SQL Server\MSAS12.<Instance Name>\OLAP\Bin\MSMDSrv.exe

SQL Server 2012

  • %ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr.exe
  • %ProgramFiles%\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
  • %ProgramFiles%\Microsoft SQL Server\MSAS11.<Instance Name>\OLAP\Bin\MSMDSrv.exe
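The exclusion lists above translate directly into a Windows Defender Antivirus configuration. The script below is an added example, not part of the original article; it assumes Defender is the server antivirus, the SharePoint 2013 "15" hive, a SQL Server 2014 default instance, and uses a constructed service account name (svc_spfarm) for the article's ServiceAccount placeholder.

```powershell
# Added example (not from the original article): apply the exclusions listed above
# with the Windows Defender Antivirus cmdlets. Assumes the SharePoint 2013 "15" hive,
# a SQL Server 2014 default instance and an elevated session on the target server.
$ErrorActionPreference = 'Stop'

$drive      = $env:SystemDrive   # the article's "Drive:" placeholder, e.g. "C:"
$svcAccount = 'svc_spfarm'       # constructed placeholder for the farm/search service account

$pathExclusions = @(
    "$drive\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Logs",
    "$drive\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Data\Applications",
    "$drive\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files",
    "$drive\Windows\Microsoft.NET\Framework64\v4.0.30319\Config",
    "$drive\Windows\System32\LogFiles",
    "$drive\Windows\SysWOW64\LogFiles",
    "$drive\Users\$svcAccount\AppData\Local\Temp",
    "$drive\inetpub\wwwroot\wss\VirtualDirectories",
    "$drive\inetpub\temp\IIS Temporary Compressed Files",
    "$drive\ProgramData\Microsoft\SharePoint",
    "$drive\Program Files\Microsoft Office Servers\15.0\Data",
    "$drive\Program Files\Microsoft Office Servers\15.0\Logs"
)
# SQL Server data, log, backup, trace and audit extensions named in the article.
$extensionExclusions = @('mdf', 'ldf', 'ndf', 'bak', 'trn', 'trc', 'sqlaudit')
# Database engine binary for a SQL Server 2014 default instance (MSSQL12.MSSQLSERVER).
$processExclusions = @("$env:ProgramFiles\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe")

# Exclude only what exists on this server. An exclusion for a role that is not installed
# here (SQL on a web front end, for example) widens the blind spot the article warns about.
$present = @($pathExclusions | Where-Object { Test-Path -LiteralPath $_ })
$pathExclusions | Where-Object { -not (Test-Path -LiteralPath $_) } |
    ForEach-Object { Write-Warning "Skipping exclusion, path not found: $_" }
$procs = @($processExclusions | Where-Object { Test-Path -LiteralPath $_ })

if ($present.Count -gt 0) { Add-MpPreference -ExclusionPath $present }
if ($procs.Count -gt 0) {
    Add-MpPreference -ExclusionProcess $procs
    Add-MpPreference -ExclusionExtension $extensionExclusions   # SQL extensions only where SQL runs
}

# Verify the effective exclusions and review them as you would a firewall rule set:
# anything listed here is invisible to the scanner.
$pref = Get-MpPreference
$pref.ExclusionPath      | Sort-Object
$pref.ExclusionExtension | Sort-Object
$pref.ExclusionProcess   | Sort-Object
```

Keep the resulting Get-MpPreference output under change control so that any exclusion added later can be traced to a documented reason.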

Helpful Links

Here are some helpful links related to the topics covered in this article:

Best Practices: SharePoint Permissions Do’s and Don’ts


  • Do follow the Principle of Least Privilege: Give people the lowest permission levels they need to perform their assigned tasks.
  • Do give people access by adding them to standard, default SharePoint groups (such as Members, Visitors, and Owners). Make most people members of the Members or Visitors groups and limit the number of people in the Owners group.
  • Do use permissions inheritance to create a clean, easy-to-visualize hierarchy. That is, avoid granting permissions to individuals, instead work with SharePoint groups. Where possible, have sub-sites simply inherit permissions from your team site, rather than having unique permissions.
  • Do organize your content to take advantage of permissions inheritance: Consider segmenting your content by security level – create a site or a library specifically for sensitive documents, rather than having them scattered in a larger library and protected by unique permissions.
  • Do always assign a group as the group owner. The default group owner is whoever created the site or group. Assign the site collection owner or site owner group as the group owner to minimize issues when a user account is deleted.
  • Do use AD and SharePoint permission groups to grant permissions.
      • SharePoint Groups – Site owners can manage the site permissions by adding people to groups within just their site.
      • Active Directory Distribution Groups – Can be re-used for other services, and when a user needs to be added to a group you only need to add them once to the appropriate Directory groups.


  • Do not give Full Control to everyone. Ensure the user is properly trained on SharePoint, verify what the SharePoint governance policy dictates for providing this permission to users, and consider other permission levels that may fulfill the user requirements (e.g. Design, Contribute, etc.).
  • Do not assign permissions to individual users or grant them item level permissions. Instead, always use SharePoint permission groups to grant user permissions. Item level permission management is a manual, laborious process and tends to cause permission problems later.

Example SharePoint Permission Scenario

A possible SharePoint permissions scenario is to restrict certain users to file transfers only, so that they cannot create site collections, edit page layouts, or perform other tasks beyond transferring files.

A recommendation would be to create a new SharePoint site collection permission level that is copied from the “Contribute” permission level. This allows users granted this permission level to add, edit, delete, and open files without the ability to create sub-sites, change the site design, or manage permissions.

Edit this new permission level and uncheck the following boxes to limit what’s allowed.

  • Use Self-Service Site Creation
  • Add/Remove Personal Web Part
  • Update Personal Web Part

NOTE: This new permission level will need to be created at each site collection.
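The same permission level can be created from the SharePoint Management Shell, which also addresses the note that it must exist in every site collection. This is an added example, not code from the original article; the level name, description and web application URL are constructed placeholders, and the three cleared SPBasePermissions flags correspond to the three checkboxes listed above.

```powershell
# Added example (not from the original article): create the restricted permission
# level described above by copying Contribute and clearing the three unchecked rights.
# Run from the SharePoint 2013 Management Shell as a farm administrator; the level name
# and the web application URL are constructed placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-FileTransferPermissionLevel {
    param(
        [Parameter(Mandatory = $true)] [string] $SiteUrl,
        [string] $Name = 'File Transfer'
    )
    $site = Get-SPSite $SiteUrl
    $web  = $site.RootWeb          # permission levels are defined on the site collection root web
    try {
        if ($web.RoleDefinitions | Where-Object { $_.Name -eq $Name }) {
            Write-Verbose "$SiteUrl already has '$Name'; nothing to do."
            return $false
        }
        # Start from Contribute's rights, then clear the boxes the article unchecks:
        # Use Self-Service Site Creation, Add/Remove Personal Web Parts, Update Personal Web Parts.
        $mask = [uint64]$web.RoleDefinitions['Contribute'].BasePermissions
        $toRemove = @(
            [Microsoft.SharePoint.SPBasePermissions]::UseSelfServiceSiteCreation,
            [Microsoft.SharePoint.SPBasePermissions]::AddDelPrivateWebParts,
            [Microsoft.SharePoint.SPBasePermissions]::UpdatePersonalWebParts
        )
        foreach ($flag in $toRemove) {
            $bit = [uint64]$flag
            if (($mask -band $bit) -ne 0) { $mask = $mask -bxor $bit }   # clear only if set
        }
        $level = New-Object Microsoft.SharePoint.SPRoleDefinition
        $level.Name            = $Name
        $level.Description     = 'Add, edit, delete and open files; no sub-sites, design or permission management.'
        $level.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]$mask
        $web.RoleDefinitions.Add($level)
        return $true
    }
    finally {
        $web.Dispose()
        $site.Dispose()
    }
}

# The article notes the level must be created in each site collection, so apply it
# across the whole web application instead of by hand in every site.
Get-SPSite -WebApplication 'https://sharepoint.contoso.example' -Limit All |
    ForEach-Object { New-FileTransferPermissionLevel -SiteUrl $_.Url -Verbose }
```

Afterwards, confirm the result in Site Settings > Site permissions > Permission Levels on one site collection before granting the level to any group.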
