Antivirus production server


















These are the recommended exclusions. There may be other file types that are not included in this article that should be excluded. Because domain controllers provide an important service to clients, the risk of disruption of their activities from malicious code, from malware, or from a virus must be minimized.

Antivirus software is the generally accepted way to reduce the risk of infection. Install and configure antivirus software so that the risk to the domain controller is reduced as much as possible and performance is affected as little as possible.

The following list contains recommendations to help you configure and install antivirus software on a Windows Server domain controller.

Warning: We recommend that you apply the following specified configuration to a test system to make sure that in your specific environment it does not introduce unexpected factors or compromise the stability of the system. The risk from too much scanning is that files are inappropriately flagged as changed. This causes too much replication in Active Directory. If testing verifies that replication is not affected by the following recommendations, you can apply the antivirus software to the production environment.

Note: Specific recommendations from antivirus software vendors may supersede the recommendations in this article.

Antivirus software must be installed on all domain controllers in the enterprise. Ideally, try to install such software on all other server and client systems that have to interact with the domain controllers.

It is optimal to catch the malware at the earliest point, such as at the firewall or at the client system where the malware is introduced. This prevents the malware from ever reaching the infrastructure systems that the clients depend on.

Use a version of antivirus software that is designed to work with Active Directory domain controllers and that uses the correct application programming interfaces (APIs) to access files on the server. Older versions of most vendor software inappropriately change a file's metadata as the file is scanned. This causes the File Replication Service engine to recognize a file change and therefore schedule the file for replication.

Newer versions prevent this problem. For more information, see the following article in the Microsoft Knowledge Base:. Do not use a domain controller to browse the Internet or to perform other activities that may introduce malicious code.

We recommend that you minimize the workloads on domain controllers. When possible, avoid using domain controllers in a file server role.

Is this for a home or business setup? What size business? The best free AV for a server is none at all. Assuming this isn't a web or outward facing server, you shouldn't need to worry about it catching a virus as it's only you and other IT staff accessing it directly if even at all.

Assuming it is the same or equivalent to Windows 10, it is as good as anything else that is out there.

Suggestions and links please!

To get updated antimalware security intelligence, you must have the Windows Update service running. You can change this configuration by using one of the following methods:.

To ensure that protection from malware is maintained, we recommend that you enable the following services:. The following table lists the services for Microsoft Defender Antivirus and the dependent services. Sample submission allows Microsoft to collect samples of potentially malicious software.

To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware security intelligence. We collect program executable files, such as. To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the SubmitSamplesConsent value data according to one of the following settings:.

To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Microsoft Defender Antivirus on Windows Server or , or Windows Server.

If you are using a non-Microsoft antivirus product as your primary antivirus solution on Windows Server, you must set Microsoft Defender Antivirus to passive mode or disabled mode.

When you get to the Features step of the wizard, clear the Windows Defender Features option. Go to the Actions tab and select New. Ensure that Start a program is selected in the Action field.

The installer script handles the installation and immediately performs the onboarding step after installation completes. The recommended execution policy setting is AllSigned. The installer package md4ws. Also ensure that the permissions of the UNC path allow read access to the computer account that's installing the platform. In the dialog box that is displayed, select the Group Policy Object that you wish to link. Click OK. For additional configuration settings, see Configure sample collection settings and Other recommended configuration settings.

The following steps are only applicable if you're using a third-party anti-malware solution. You'll need to apply the following Microsoft Defender Antivirus passive mode setting. Verify that it was configured correctly:. For more information on how to deploy scripts in Configuration Manager, see Packages and programs in Configuration Manager. Follow the steps provided in the Complete the onboarding steps section.

After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service.

For more information, see Run a detection test on a newly onboarded Microsoft Defender for Endpoint device. Running Microsoft Defender Antivirus is not required but it is recommended. If another antivirus vendor product is the primary endpoint protection solution, you can run Defender Antivirus in Passive mode. This verification step is only required if you're using Microsoft Defender Antivirus as your active antimalware solution. If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender Antivirus.

The result should show it is running. If you encounter issues with onboarding, see Troubleshoot onboarding. Follow the steps in Run a detection test on a newly onboarded device to verify that the server is reporting to the Defender for Endpoint service. After successfully onboarding devices to the service, you'll need to configure the individual components of Microsoft Defender for Endpoint.

Follow the Adoption order to be guided on enabling the various components.


