This article outlines antivirus exclusions that relate to System Center 2019 Operations Manager and later. For earlier versions of Operations Manager, see antivirus exclusions (Operations Manager 2012, 2012 R2, and 2016).
For specific exclusion recommendations for supported versions of SQL Server, see: Configure antivirus software to work with SQL Server.
If exclusions are configured based on process executable, exclude the following processes:
Component | Process |
---|---|
Management servers | HealthService.exe, MonitoringHost.exe, MOMPerfSnapshotHelper.exe, Microsoft.Mom.Sdk.ServiceHost.exe, cshost.exe |
Gateway server | HealthService.exe, MonitoringHost.exe |
Windows agent | HealthService.exe, MonitoringHost.exe, MOMPerfSnapshotHelper.exe |
Web Console server | HealthService.exe, MonitoringHost.exe |
SQL Server¹ | HealthService.exe, MonitoringHost.exe |

¹ For SQL Server servers hosting the Operations Manager databases (Operational, Data Warehouse, ACS) and Reporting server role.
Note
You must be careful when you add exclusions that are based on executables. Incorrectly configured exclusions may prevent some potentially dangerous programs from being detected. Therefore, we don't recommend relying on exclusions that are based on any process executables for Operations Manager servers.
The following directory-specific exclusions for Operations Manager apply to real-time scans, scheduled scans, and local scans. The directories listed here are the default application directories, so you may have to modify these paths for your environment. Exclude only the following Operations Manager related directories.
Note
When a directory to be excluded has a name longer than 8 characters, add both the short and long names of the directory to the exclusion list. Some antivirus programs require these names to traverse subdirectories.
Component | Directory Exclusion |
---|---|
SQL Server database server | Exclude the directory containing the .ldf and .mdf files for all Operations Manager databases, Report server databases, and the master and tempdb databases. |
Management server | %ProgramFiles%\Microsoft System Center 2016\Operations Manager\Server\Health Service State |
Gateway server | %ProgramFiles%\System Center Operations Manager\Gateway\Health Service State |
Windows agent | %ProgramFiles%\Microsoft Monitoring Agent\Agent\Health Service State |
Reporting server | %ProgramFiles%\Microsoft System Center 2016\Operations Manager\Reporting |
Web Console server | %ProgramFiles%\Microsoft System Center 2016\Operations Manager\WebConsole |
Component | Directory Exclusion |
---|---|
SQL Server database server | Exclude the directory containing the .ldf and .mdf files for all Operations Manager databases, Report server databases, and the master and tempdb databases. |
Management server | %ProgramFiles%\Microsoft System Center\Operations Manager\Server\Health Service State |
Gateway server | %ProgramFiles%\System Center Operations Manager\Gateway\Health Service State |
Windows agent | %ProgramFiles%\Microsoft Monitoring Agent\Agent\Health Service State |
Reporting server | %ProgramFiles%\Microsoft System Center\Operations Manager\Reporting |
Web Console server | %ProgramFiles%\Microsoft System Center\Operations Manager\WebConsole |
The following file name extension-specific exclusions for Operations Manager apply to real-time scans, scheduled scans, and local scans.
Component | File Type Extension Exclusion |
---|---|
SQL Server database server | Exclude file type extension .ldf and .mdf. These exclusions include SQL Server database files for all Operations Manager databases, Report Server databases, and the system database files for master and tempdb. |
Management server, Gateway server, Agents | Exclude file type extensions .edb, .chk, and .log. These exclusions include the queue and log files used by Operations Manager. |
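
An audit of the directory, extension, and process guidance above, as an added example that is not part of the original article or Microsoft's code. It assumes Microsoft Defender Antivirus is the scanner and that the machine is a Windows agent; `Get-LongAndShortPath` and `Compare-Exclusion` are hypothetical helper names.

```powershell
# Added example: assumes Microsoft Defender Antivirus and the Windows agent role.
# Directory and extensions are taken from the tables above; run elevated,
# because Defender hides exclusions from non-administrators.
$expectedDir = Join-Path $env:ProgramFiles 'Microsoft Monitoring Agent\Agent\Health Service State'
$expectedExt = '.edb', '.chk', '.log'

function Get-LongAndShortPath {   # hypothetical helper
    param([Parameter(Mandatory)][string]$Path)
    $names = @($Path)
    # An 8.3 short name exists only if the folder is present and short-name
    # creation is enabled on the volume; otherwise ShortPath repeats the long path.
    if (Test-Path -LiteralPath $Path -PathType Container) {
        $fso = New-Object -ComObject Scripting.FileSystemObject
        $names += $fso.GetFolder($Path).ShortPath
    }
    $names | Sort-Object -Unique
}

function Compare-Exclusion {      # hypothetical helper
    param([string]$Kind, [string[]]$Expected, [string[]]$Actual)
    # Normalize: expand %ProgramFiles%-style variables, drop a leading dot
    # (extensions) and a trailing backslash (directories), ignore case.
    $clean = {
        [Environment]::ExpandEnvironmentVariables($_).Trim().TrimStart('.').TrimEnd('\').ToLowerInvariant()
    }
    $want = @($Expected | Where-Object { $_ } | ForEach-Object $clean)
    $have = @($Actual   | Where-Object { $_ } | ForEach-Object $clean)
    foreach ($w in $want) {
        if ($w -notin $have) { [pscustomobject]@{ Kind = $Kind; Value = $w; Status = 'Missing' } }
    }
    foreach ($h in $have) {
        if ($h -notin $want) { [pscustomobject]@{ Kind = $Kind; Value = $h; Status = 'NotOnList' } }
    }
}

$pref = Get-MpPreference
$report = @(
    Compare-Exclusion 'Path'      (Get-LongAndShortPath $expectedDir) $pref.ExclusionPath
    Compare-Exclusion 'Extension' $expectedExt $pref.ExclusionExtension
    # No process exclusion is expected: the note above advises against relying on them.
    Compare-Exclusion 'Process'   @() $pref.ExclusionProcess
)
$report | Sort-Object Status, Kind | Format-Table -AutoSize
```

Rows with status `NotOnList` are exclusions beyond what this article lists for the role and deserve review; `Missing` rows are listed entries that are not yet configured.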
For a complete listing of ports used, the direction of the communication, and if the ports can be configured, see Configuring a Firewall for Operations Manager.