Recommended ZCM Anti-Virus Exclusions

  • 7007545
  • 11-Jan-2011
  • 12-Jan-2018

Environment

Novell ZENworks 10 Configuration Management
Novell ZENworks 11 Configuration Management
Novell ZENworks Configuration Management 2017

Situation

The ZCM logon process can involve significant HDD I/O.
Anti-Virus scanning of all of this activity can sometimes significantly slow down computers during the logon process.

It can also cause hangs during install or system update.

Resolution

Notice: The paths entered into your Anti-Virus Exclusion List should be literal paths, not variables, because many AV vendors intentionally do not resolve variables.

Please exclude activity of the following ZENworks EXEs. (Variables are shown for reference only. Use literal values that match the actual environment, such as "c:\windows\" in lieu of %systemroot% if Windows is installed to c:\windows.)
%ZENWORKS_HOME%\zapp\zapp.exe (New to ZCM 2017)
%ZENWORKS_HOME%\bin\analyze.exe
%ZENWORKS_HOME%\bin\cabarc32.exe
%ZENWORKS_HOME%\bin\colw32.exe
%ZENWORKS_HOME%\bin\mcescan.exe
%ZENWORKS_HOME%\bin\nalwin.exe
%ZENWORKS_HOME%\bin\nzrInjector.exe
%ZENWORKS_HOME%\bin\remediate.exe
%ZENWORKS_HOME%\bin\zenNotifyIcon.exe
%ZENWORKS_HOME%\bin\zenUserDaemon.exe
%ZENWORKS_HOME%\bin\ZENUpdater.exe
%ZENWORKS_HOME%\bin\zenWindowsDaemon.exe
%ZENWORKS_HOME%\bin\zenWorksWindowsService.exe
%ZENWORKS_HOME%\bin\Handlers\RMENF.exe
%ZENWORKS_HOME%\esm\zesservice.exe
%ZENWORKS_HOME%\esm\zesuser.exe
%ZENWORKS_HOME%\esm\zescommand.exe
 
%ZENWORKS_HOME%\zpm\analyze.exe (This file does exist in two folders.)
%ZENWORKS_HOME%\zpm\cabarc.exe (This file does exist in two folders.)  
%ZENWORKS_HOME%\zpm\LM.Detection.exe
%ZENWORKS_HOME%\zpm\LM.Detection_x64.exe
%ZENWORKS_HOME%\zpm\mcescan.exe (This file does exist in two folders.)
%ZENWORKS_HOME%\zpm\remediate.exe (This file does exist in two folders.)
%SystemRoot%\system32\secedit.exe (Used for GPO Processing)
%SystemRoot%\system32\winlogon.exe (Used for GPO Processing)
%SystemRoot%\system32\wuauclt.exe
%SystemRoot%\system32\ZDPAServe.exe (Used for ZENworks Agent Deployment)
%SystemRoot%\syswow64\ZDPAServe.exe (Used for ZENworks Agent Deployment)
C:\WINDOWS\TEMP\{D6C5BB8D-8A3A-495F-8252-DF4E0731209B}\InstallHelper.exe 
 
Please exclude the following files from being scanned: 
%ZENWORKS_HOME%\cache\zmd\*.appstate (valid up to ZENworks 11.2.x)
%ZENWORKS_HOME%\cache\zmd\*.applstate (valid since ZENworks 11.3)
%ZENWORKS_HOME%\cache\zmd\*.appdata (valid since ZENworks 11.3)
%ZENWORKS_HOME%\cache\zmd\AppDataLRUCache\*.* (valid since ZENworks 11.3)
%ZENWORKS_HOME%\cache\zmd\zencache\metadata\objinfo.db
%ZENWORKS_HOME%\cache\zmd\zencache\metadata\fileinfo.db
%ZENWORKS_HOME%\esm\*.*
%ZENWORKS_HOME%\work\zmd\status\mdstatus.db
%ZENWORKS_HOME%\logs\*.logs (Include SubDirectories)
%SystemRoot%\system32\GroupPolicy\adm\*.adm
%SystemRoot%\system32\GroupPolicy\machine\*.pol
%SystemRoot%\system32\GroupPolicy\user\*.pol
%SystemRoot%\syswow64\GroupPolicy\adm\*.adm
%SystemRoot%\syswow64\GroupPolicy\machine\*.pol
%SystemRoot%\syswow64\GroupPolicy\user\*.pol  
%WINSYSDIR%\drivers\{4bb8218c-aebf-4113-882f-b10ae15c8218} (Note: This directory is in the system drive root folder in 11.2.1 and later, and will be hidden and protected by agent self defense in 11.3 and later.)
C:\WINDOWS\TEMP\{D6C5BB8D-8A3A-495F-8252-DF4E0731209B}
C:\Documents And Settings\All Users\Application Data\Novell\ZES - (winXP and win2k3 only)
C:\ProgramData\Novell\ZES - (Vista, Win7, Win2k8, newer)
 
If the anti-virus/anti-spyware/Internet Security software being used supports the exclusion of registry keys, then exclude the following:
HKLM\SYSTEM\CurrentControlSet\services\zesservice
HKLM\SYSTEM\CurrentControlSet\services\zesuser
HKLM\SYSTEM\CurrentControlSet\services\zestdi
HKLM\SYSTEM\CurrentControlSet\services\zesdac
HKLM\SYSTEM\CurrentControlSet\services\zesdt
HKLM\SYSTEM\CurrentControlSet\services\zesds
HKLM\SYSTEM\CurrentControlSet\services\zesdisk
HKLM\SYSTEM\CurrentControlSet\services\zesocc
HKLM\SYSTEM\CurrentControlSet\services\zesfw (Vista, Win7, Win2k8, newer)
HKLM\SYSTEM\CurrentControlSet\services\zeswifi (Vista, Win7, Win2k8, newer)
HKLM\SYSTEM\CurrentControlSet\services\zesndisim (winXP and win2k3 only)
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}

For FDE install/update:

C:\Windows\NAC

Note:  Each Anti-Virus package has different options that can be configured and different syntax used for exclusions.
Please be sure to review the documentation for the Anti-Virus package in use for the proper method and syntax.
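
Following the notice that exclusion entries must be literal paths, this added PowerShell example (not part of the original document or of ZENworks itself) expands a subset of the reference entries on the local machine, flags entries whose variable does not resolve or whose target is absent, and reports the Authenticode status of each executable as an extra check before it is excluded. It assumes ZENWORKS_HOME is defined as an environment variable on the managed device; Resolve-ExclusionPath is a hypothetical helper name.

```powershell
# Added example. Reference entries are a subset copied from the lists above.
$templates = @(
    '%ZENWORKS_HOME%\bin\nalwin.exe'
    '%ZENWORKS_HOME%\bin\zenWorksWindowsService.exe'
    '%ZENWORKS_HOME%\zpm\analyze.exe'
    '%SystemRoot%\system32\secedit.exe'
    '%SystemRoot%\syswow64\ZDPAServe.exe'
    '%ZENWORKS_HOME%\cache\zmd\*.appdata'
    '%WINSYSDIR%\drivers\{4bb8218c-aebf-4113-882f-b10ae15c8218}'
)

# Hypothetical helper: turns one reference entry into a literal path and checks it.
function Resolve-ExclusionPath {
    param([Parameter(Mandatory = $true)][string]$Template)

    # Undefined variables are left as %NAME% by ExpandEnvironmentVariables,
    # so anything still wrapped in % signs has no literal value on this machine.
    $literal = [Environment]::ExpandEnvironmentVariables($Template)

    if ($literal -match '%[^%\\]+%') {
        $status = 'UnresolvedVariable'
    } elseif ($literal -match '[*?]') {
        # Wildcard entry: only the containing folder can be checked.
        $parent = Split-Path -Path $literal -Parent
        $status = if (Test-Path -LiteralPath $parent) { 'Ok' } else { 'FolderMissing' }
    } elseif (Test-Path -LiteralPath $literal) {
        $status = 'Ok'
    } else {
        $status = 'Missing'   # e.g. version-specific file or 64-bit-only path
    }

    # For executables that exist, report the Authenticode status so an
    # unexpected binary at an excluded path stands out before it is excluded.
    $signature = ''
    if ($status -eq 'Ok' -and $literal -like '*.exe' -and $literal -notmatch '[*?]') {
        $signature = (Get-AuthenticodeSignature -LiteralPath $literal).Status
    }

    [pscustomobject]@{
        Template  = $Template
        Literal   = $literal
        Status    = $status
        Signature = $signature
    }
}

$templates | ForEach-Object { Resolve-ExclusionPath -Template $_ } |
    Format-Table -AutoSize -Wrap
```

Entries reported as UnresolvedVariable (for example a variable that is not defined on the device) have to be filled in by hand before they are entered into the exclusion list.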

Additional Information

In addition to AV Scanning Exclusions, Anti-Virus activity scheduled to occur at startup can also considerably slow down a device's initial logon.
These include but are not limited to the following:
 
Scheduling an HDD scan during PC boot.
Scheduling an HDD scan during PC boot if a previously scheduled scan is missed.
Scheduling Anti-Virus software and signature updates during boot.
Scheduling Anti-Virus software and signature updates during boot if a previously scheduled update is missed.
 
If these scheduled events are causing an issue, consider the following options:
Delay missed updates until shortly after the device boots.
Schedule WOL events for devices for 30-60 minutes prior to normal device usage.
 
Performance issues have also been seen when multiple Anti-Virus packages are installed on a device.
This has most often been seen when Microsoft Security Essentials is installed alongside another 3rd party Anti-Virus solution.

TrendMicro OfficeScan Exclusion document - Performance issues when OfficeScan clients scan machines installed with ZENworks - 1058273
Symantec 10 and 11 Document -