We have recently received queries from customers about the official exclusion list recommendations from Microsoft. It seems that they have published a Knowledge Base entry that lists down recommendations to improve performance in Windows when running antivirus scanners.
This list recommends customers to exclude certain extensions and folders from antivirus scanning. Now, although it actually makes sense to stop checking Windows Update and some Group Policy-related files if you really want to speed up the system, we are concerned by the fact that this was released publicly.
This is an overview of these recommendations from Microsoft:
- Certain files in the SoftwareDistribution folder
- Certain specific file name (e.g., edb.chk)
- A small extension list in certain specific folder (*.log)
Plus, some other similar lists for the Group Policy.
Following the recommendations does not pose a significant threat as of now but it has a very big potential of being one. Cybercriminals may strategically drop or download a malicious file into one of the folders that are recommended to be excluded from scanning or use a file name extension that is also in the excluded list.
We find it sensible for users to aim for better system performance. However, we also think that excluding certain file types or folders from antivirus scanning is not something novice users should tinker with. Doing so may expose the system to risks that can lead to an inconvenience far more severe than a slightly slower system.
In line with this, we advise users to educate themselves fully about these recommendations before taking any action. We recommend users not to exclude any file unless there is a critical reason to do so and be aware of the risks entailed by such an action.