ConfigMgr and Anti-Virus solutions...sometimes they don't play nice

So today, I was at a customer site and they ran into a rather interesting issue when reassigning a Distribution Point from ConfigMgr 2007 to ConfigMgr 2012 R2. Here's a quick rundown...

In distmgr.log the customer was seeing a few entries related to files and trust - here is a sanitized error:

  • Error in verifying the trust of file '\\SERVER.DOMAIN.COM\SMS_DP$\sms\Tools\ExtractContent.exe'. SMS_DISTRIBUTION_MANAGER 

  • Error in verifying the trust of file '\\SERVER.DOMAIN.COM\SMS_DP$\sms\bin\smsdpusage.exe'. SMS_DISTRIBUTION_MANAGER 

After these errors appeared, the console would display the error "failed to update binaries". What gives?

During our troubleshooting, the customer was able to disable their Anti-Virus solution as a test. Once AV was disabled, content started converting and the DP reassignment completed successfully! It turns out there were some missing AV exclusions. If they aren't set up properly, there can be unexpected behavior where ConfigMgr and your AV solution might not play nice together...
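To see which binaries and folders the trust errors point at before comparing them against your AV exclusions, here is an added PowerShell example (not from the original post). The sample lines are constructed from the sanitized entries above, the function names are hypothetical, and using Authenticode signature status as a manual cross-check is an assumption rather than something the post establishes.

```powershell
# Added example. Sample lines are constructed from the sanitized
# distmgr.log entries quoted in this post.
$sampleLog = @'
Error in verifying the trust of file '\\SERVER.DOMAIN.COM\SMS_DP$\sms\Tools\ExtractContent.exe'. SMS_DISTRIBUTION_MANAGER
Error in verifying the trust of file '\\SERVER.DOMAIN.COM\SMS_DP$\sms\bin\smsdpusage.exe'. SMS_DISTRIBUTION_MANAGER
Error in verifying the trust of file '\\SERVER.DOMAIN.COM\SMS_DP$\sms\bin\smsdpusage.exe'. SMS_DISTRIBUTION_MANAGER
An unrelated constructed line. SMS_DISTRIBUTION_MANAGER
'@ -split '\r?\n'

function Get-TrustFailure {
    # Hypothetical helper: pull the file path out of each trust-error line.
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match "Error in verifying the trust of file '([^']+)'") {
            [pscustomobject]@{
                File   = $Matches[1]
                Folder = [System.IO.Path]::GetDirectoryName($Matches[1])
            }
        }
    }
}

function Get-SignatureState {
    # Assumption: Authenticode status is a useful manual cross-check, so a
    # binary is confirmed as validly signed before its folder is excluded.
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) {
        (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
    } else {
        'NotReachable'   # e.g. when run away from the site server
    }
}

# For a real log: $lines = Get-Content -LiteralPath <path to distmgr.log>
$lines = $sampleLog

# One row per distinct failing binary, with its folder and signature state.
$lines | Get-TrustFailure | Sort-Object File -Unique |
    Select-Object Folder,
        @{ Name = 'Binary';    Expression = { [System.IO.Path]::GetFileName($_.File) } },
        @{ Name = 'Signature'; Expression = { Get-SignatureState -Path $_.File } } |
    Format-Table -AutoSize
```

The Folder column is the list to compare against the exclusions already defined in your AV policy.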

Here is a great Wiki list of Anti-Virus exclusions that might be defined for Windows Server and a few other products:

https://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx

Whoa! That's a lot of files, folders, paths, etc. that have to be excluded!? You might be asking yourself: is there an easy way to create these exclusions? With System Center Endpoint Protection, it's very easy to create Antimalware policies by simply importing them. A lot of the heavy lifting has already been done!

Just navigate in the CM12 console to Assets and Compliance > Endpoint Protection > Antimalware Policies, right-click and select Import:

After selecting Import, the console will present you with a list of canned XML files available to import:

Here is what the policy looks like after it is imported:

Here is another view of the console after importing the Endpoint Protection Configuration Manager 2012 policy:

Don't forget to set those exclusions so that ConfigMgr 2012 R2 and your AV solution will play nice together!

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.