Endpoint Security and Control can be installed on active/passive and active/active Windows cluster configurations. Care must be taken to ensure that certain files and folders are not scanned by either on-demand or on-access scanning.
The Endpoint Security and Control product is not cluster aware, and it does not need to be in order to protect clustered machines.
The Endpoint services run on each node of the cluster, so the product protects each node as if it were an independent machine. On active nodes, it still has access to the shared storage devices used by cluster-aware applications, and so it offers full protection for those applications.
Note: Endpoint Security and Control should be temporarily disabled when upgrading Windows and other major components, e.g. Exchange or SQL.
What to do
Files and folders to exclude
These exclusions apply to on-access and on-demand scanning.
- The quorum disk
- The %Winnt%\Cluster folder location (Note: Enter this as the full path rather than the system variable, for example C:\Windows\System32\Cluster, to ensure that the exclusion functions correctly)
- The temp folder for the Cluster Service account.
For example, exclude the \clusterserviceaccount\Local Settings\Temp folder from virus scanning.
Microsoft Knowledge Base article 250355 gives more information on running anti-virus software on Windows clusters.
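The note above about entering the full path rather than a system variable can be checked before the exclusions are typed into the console. The following is an added example, not Sophos code: it flags entries that still contain a %NAME% token or that lack a drive letter. The function names, the Q: drive letter standing in for the quorum disk, and the variable mapping are assumptions constructed for illustration.

```python
import ntpath
import re

# %NAME% tokens as written in Windows paths
_VAR = re.compile(r"%([^%\\/]+)%")


def check_exclusion(entry, env=None):
    """Classify one exclusion entry and return (status, path).

    status is one of:
      ok                   already a full path
      expanded             variables replaced from env; enter the returned path
      unresolved-variable  a %NAME% token is left; the exclusion may not match
      not-full-path        no drive letter or UNC share in front of the path
    """
    lookup = {k.upper(): v for k, v in (env or {}).items()}
    raw = entry.strip()
    path = _VAR.sub(lambda m: lookup.get(m.group(1).upper(), m.group(0)), raw)
    if _VAR.search(path):
        return "unresolved-variable", path
    drive, rest = ntpath.splitdrive(path)
    if not drive or not rest.startswith(("\\", "/")):
        return "not-full-path", path
    return ("expanded" if path != raw else "ok"), ntpath.normpath(path)


def lint_exclusions(entries, env=None):
    """Return {entry: (status, path)} for a list of exclusion entries."""
    return {e: check_exclusion(e, env) for e in entries}


# Constructed sample input: Q: stands in for the quorum disk, and the
# variable value is chosen so the result matches the page's example path.
SAMPLE_ENV = {"Winnt": r"C:\Windows\System32"}
SAMPLE = [
    "Q:\\",
    r"%Winnt%\Cluster",
    r"C:\Windows\System32\Cluster",
    r"\clusterserviceaccount\Local Settings\Temp",
]

if __name__ == "__main__":
    for entry, (status, path) in lint_exclusions(SAMPLE, SAMPLE_ENV).items():
        print(f"{status:20} {entry} -> {path}")
```

Entries reported as unresolved-variable or not-full-path should be rewritten as full paths on each node before they are added as exclusions.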
Upgrading and on-access scanning
Endpoint Security and Control on-access scanning should be temporarily disabled when:
- updating the Windows operating system
- updating other components which have this requirement. This includes service packs, version upgrades and hotfixes.
NOTE: Sophos strongly advises users to regularly check Microsoft guidance on anti-virus software and Windows clusters.