Application pool gets recycled due to anti-virus?

It's not the first time that I have heard customers complain about their anti-virus: after a certain activity (such as a regular scan of system files), their application pools get restarted automatically.

When this issue happens, some customers are seeing the following event in System Event Log:

    Log Name: System
    Source: Microsoft-Windows-WAS
    Date: XXXX
    Event ID: 5080
    Task Category: None
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: XXXX
    Description:
    The worker processes serving application pool ' [Application pool name] ' are being recycled due to 1 or more configuration changes in the application pool properties which necessitate a restart of the processes.

But the anti-virus didn't make any modification to the configuration file. How could this happen?

In fact, there may be several reasons. For example, when the anti-virus scans the file concerned, it changes the "Last modification time". It can also occur when WAS checks whether the configuration file has been changed while the anti-virus is scanning the file at the same time: WAS detects the handle on the file and considers the file modified.

One effective way to avoid this scenario is by excluding the related configuration files of IIS from the anti-virus scanning scope.

Here is an exclusion list that you may consider when configuring your anti-virus.

Attention: this is not an official list provided by Microsoft; it is simply a recommended list based on our support experience. You should find your own compromise between security and performance. If you need any further information, please contact your anti-virus vendor.

  • Default folder for x86 compiled ASP.Net Code : %WINDIR%\Microsoft.NET\Framework\{version}\Temporary ASP.NET Files
  • Default folder for x64 compiled ASP.Net Code : %WINDIR%\Microsoft.NET\Framework64\{version}\Temporary ASP.NET Files
  • IIS Configuration Folder : %WINDIR%\System32\Inetsrv\Config
  • Default Content Location (where the web.config stands) : %SYSTEMDRIVE%\Inetpub\WWWRoot (or the customized folder)
  • Default Logging Location : %SYSTEMDRIVE%\Inetpub\Logs\LogFiles (or the customized folder)
  • Default FREB Logging Location : %SYSTEMDRIVE%\inetpub\logs\FailedReqLogFiles (or the customized folder)
  • Default HTTP.SYS Logging Location : %WINDIR%\System32\LogFiles\HTTPERR
  • Default History Location : %SYSTEMDRIVE%\Inetpub\History
  • Default Backup Location : %WINDIR%\System32\Inetsrv\backup
  • Default folder for storing Compressed Content : %SYSTEMDRIVE%\Inetpub\temp\IIS Temporary Compressed Files
  • Default folder for compiled ASP templates : %SYSTEMDRIVE%\Inetpub\temp\ASP Compiled Templates
  • Default Configuration Isolation Path : %SYSTEMDRIVE%\Inetpub\temp\appPools
  • Default Folder for Error pages : %SYSTEMDRIVE%\Inetpub\custerr
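
The check below is an added example, not part of the original post or a Microsoft tool: it counts event 5080 per hour of day so the recycles can be compared with the scan schedule, then reports which default paths from the list are currently excluded. It assumes Microsoft Defender Antivirus is the scanner (other products have their own exclusion settings), and the 7-day window is an assumed value.

```powershell
# Added example. Assumes Microsoft Defender Antivirus; run from an elevated prompt,
# otherwise Get-MpPreference does not reveal the configured exclusions.
$days = 7   # look-back window, assumed value

# 1. Event 5080 from Microsoft-Windows-WAS in the System log, counted per hour of day.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WAS'
    Id           = 5080
    StartTime    = (Get-Date).AddDays(-$days)
}
$recycles = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
"{0} recycle event(s) with ID 5080 in the last {1} day(s)" -f $recycles.Count, $days
$recycles |
    Group-Object { $_.TimeCreated.ToString('HH') } |
    Sort-Object Name |
    Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 2. Default paths from the list above ({version} and customized folders are left out).
$listed = @(
    '%WINDIR%\System32\Inetsrv\Config'
    '%SYSTEMDRIVE%\Inetpub\WWWRoot'
    '%SYSTEMDRIVE%\Inetpub\Logs\LogFiles'
    '%SYSTEMDRIVE%\inetpub\logs\FailedReqLogFiles'
    '%WINDIR%\System32\LogFiles\HTTPERR'
    '%SYSTEMDRIVE%\Inetpub\History'
    '%WINDIR%\System32\Inetsrv\backup'
    '%SYSTEMDRIVE%\Inetpub\temp\IIS Temporary Compressed Files'
    '%SYSTEMDRIVE%\Inetpub\temp\ASP Compiled Templates'
    '%SYSTEMDRIVE%\Inetpub\temp\appPools'
    '%SYSTEMDRIVE%\Inetpub\custerr'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\') }

# Exclusions currently configured in Defender, normalized the same way.
$excluded = @((Get-MpPreference).ExclusionPath) |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\') }

# 3. One row per listed path: does it exist, and is it already excluded?
$listed | ForEach-Object {
    [pscustomobject]@{
        Path     = $_
        Exists   = Test-Path -LiteralPath $_
        Excluded = $excluded -contains $_   # -contains is case-insensitive
    }
} | Format-Table -AutoSize
```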

 

Hope this is useful for you.

Jin W. and IIS/ASP.NET support team of Microsoft France

Articles you may be interested in:

Microsoft Anti-Virus Exclusion List

https://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx

IIS Application Pool Recycling Events

https://technet.microsoft.com/en-us/library/cc735206(v=ws.10).aspx

Common reasons why your application pool may unexpectedly recycle

https://blogs.msdn.com/b/johan/archive/2007/05/16/common-reasons-why-your-application-pool-may-unexpectedly-recycle.aspx