Last Updated: February 2025
Overview
Running antivirus software on SQL Server systems requires careful configuration to maintain optimal database performance and prevent operational issues. Improper antivirus configuration can lead to database corruption, performance degradation, and service failures.
This guide provides comprehensive exclusion recommendations for CrowdStrike Falcon when protecting SQL Server systems, based on Microsoft’s official antivirus configuration guidelines for SQL Server.
⚠️ Important Security Notice: While these exclusions optimize SQL Server performance and prevent conflicts, they reduce CrowdStrike’s security coverage. Each exclusion creates a potential security blind spot. Carefully evaluate the risks in your environment and implement compensating controls where possible. We strongly recommend testing the entire system under full load before rolling out any virus-protection software.
Common Issues Without Proper Exclusions
Without appropriate exclusions, you may experience:
- Database files marked as suspect when SQL Server tries to open them
- Database recovery failures during startup
- Full-text catalog access problems
- Decreased backup and restore performance
- Transaction log corruption
- Service startup failures
- Performance degradation under load
- File locking conflicts
- FILESTREAM and In-Memory OLTP issues
- Replication synchronization problems
- Analysis Services cube processing failures
Security Risk Assessment
High-Risk SQL Servers
Servers meeting these criteria require extra security consideration:
- Open to the public Internet
- Have open ports to servers not behind a firewall
- Read or execute files from other servers
- Run HTTP servers (IIS, Apache)
- Host file shares
- Use Database Mail for incoming/outgoing messages
Antivirus Software Types to Consider
- Active virus scanning: Checks incoming and outgoing files for viruses
- Virus sweep software: Scans existing files (can cause database recovery issues)
- Vulnerability scanning software: Security compliance and assessment tools
Prerequisites
- CrowdStrike Falcon administrative access
- Access to the Falcon Console: https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (varies by tenant)
- SQL Server installation paths documented
- Understanding of your SQL Server topology (standalone, clustered, AlwaysOn)
- List of all SQL Server services and components in use
Step 1: Access CrowdStrike Falcon Console
- Open your browser and navigate to your Falcon Console:
  - Primary: https://falcon.crowdstrike.com
  - US-2: https://falcon.us-2.crowdstrike.com/
  - Contact your CrowdStrike administrator if unsure of your tenant location
- Sign in using your admin credentials
- Navigate to Endpoint Security > Configure > Exclusions
Step 2: Configure SQL Server Database Engine Exclusions
SQL Server Process Exclusions
In the CrowdStrike Console:
- Select Process Exclusions
- Click Create Exclusion
- Select the appropriate host group for your SQL Servers
- Add the following process exclusions:
sqlservr.exe
sqlagent.exe
sqlbrowser.exe
%ProgramFiles%\Microsoft SQL Server\<NN>\Shared\SQLDumper.exe
Note: Replace <NN> with your SQL Server version number (e.g., 150 for SQL 2019, 160 for SQL 2022). In the MSSQL<NN>.<InstanceName> instance folder names used below, the major version is the two-digit form (e.g., MSSQL15 for SQL 2019, MSSQL16 for SQL 2022).
SQL Server Data File Exclusions
Add folder exclusions for data files with these extensions:
*.mdf (Primary data files)
*.ldf (Transaction log files)
*.ndf (Secondary data files)
Default locations by instance type:
| Instance Type | Default Data Directory |
|---|---|
| Default Instance | %ProgramFiles%\Microsoft SQL Server\MSSQL<NN>.MSSQLSERVER\MSSQL\DATA |
| Named Instance | %ProgramFiles%\Microsoft SQL Server\MSSQL<NN>.<InstanceName>\MSSQL\DATA |
SQL Server Backup File Exclusions
Add exclusions for backup files:
*.bak (Database backups)
*.trn (Transaction log backups)
Default backup locations:
| Instance Type | Default Backup Directory |
|---|---|
| Default Instance | %ProgramFiles%\Microsoft SQL Server\MSSQL<NN>.MSSQLSERVER\MSSQL\Backup |
| Named Instance | %ProgramFiles%\Microsoft SQL Server\MSSQL<NN>.<InstanceName>\MSSQL\Backup |
Step 3: Configure Full-Text and Extended Features Exclusions
Full-Text Catalog Files
%ProgramFiles%\Microsoft SQL Server\MSSQL<NN>.MSSQLSERVER\MSSQL\FTDATA\*
%ProgramFiles%\Microsoft SQL Server\MSSQL<NN>.<InstanceName>\MSSQL\FTDATA\*
Extended Event and Trace Files
*.trc (Trace files)
*.xel (Extended Event files)
*.xem (Extended Event metadata)
SQL Audit Files
*.sqlaudit
FILESTREAM Data
Exclude the FILESTREAM directory structure:
<drive>:\<FileStreamDirectory>\*
In-Memory OLTP Files
Exclude the xtp subfolder and related files:
%ProgramFiles%\Microsoft SQL Server\MSSQL<NN>.<Instance>\MSSQL\DATA\xtp\*
File formats to exclude:
xtp_t_*.c
xtp_t_*.dll
xtp_t_*.obj
xtp_p_*.c
xtp_p_*.dll
xtp_p_*.obj
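The default paths in Steps 2 and 3 are only defaults; instances are frequently installed with data, log, FILESTREAM and backup directories elsewhere, and an exclusion that points at a folder SQL Server does not use protects nothing while still creating a blind spot. The following script is an added example (not part of this guide or of CrowdStrike's tooling) that asks the instance itself which directories it uses and flags any that are far too broad to exclude; it assumes Windows Authentication, VIEW ANY DEFINITION on the instance, and the instance name given in `$Instance`.

```powershell
# Added example: not part of the original guide or of CrowdStrike's tooling.
# Enumerates the directories a SQL Server instance actually uses for data, log,
# FILESTREAM and default backup files, so Falcon folder exclusions are built from
# what is on disk rather than from the documented default paths.
# Assumes Windows Authentication and VIEW ANY DEFINITION on the instance.
param([string]$Instance = 'localhost')   # use 'HOST\INSTANCE' for a named instance

$query = @"
SELECT DISTINCT
    CASE WHEN type_desc = 'FILESTREAM' THEN physical_name
         ELSE LEFT(physical_name, LEN(physical_name) - CHARINDEX('\', REVERSE(physical_name)) + 1)
    END AS directory, type_desc
FROM sys.master_files
UNION
SELECT CAST(SERVERPROPERTY('InstanceDefaultDataPath')   AS nvarchar(512)), 'DEFAULT_DATA'
UNION
SELECT CAST(SERVERPROPERTY('InstanceDefaultLogPath')    AS nvarchar(512)), 'DEFAULT_LOG'
UNION
SELECT CAST(SERVERPROPERTY('InstanceDefaultBackupPath') AS nvarchar(512)), 'DEFAULT_BACKUP'
"@
# InstanceDefaultBackupPath exists from SQL Server 2019; on older versions SERVERPROPERTY returns NULL.

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=True")
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = $query
$reader = $cmd.ExecuteReader()

$dirs = @{}   # directory -> list of uses (ROWS, LOG, FILESTREAM, DEFAULT_*)
while ($reader.Read()) {
    if ($reader.IsDBNull(0)) { continue }
    $dir = $reader.GetString(0).TrimEnd('\') + '\'
    if (-not $dirs.ContainsKey($dir)) { $dirs[$dir] = New-Object System.Collections.Generic.List[string] }
    $dirs[$dir].Add($reader.GetString(1))
}
$conn.Close()

foreach ($dir in ($dirs.Keys | Sort-Object)) {
    $flag = ''
    # A drive root or anything under %SystemRoot% as an exclusion blinds the sensor far beyond SQL Server.
    if ($dir -match '^[A-Za-z]:\\$')        { $flag = '  <-- drive root: narrow this before excluding' }
    elseif ($dir -like "$env:SystemRoot\*") { $flag = '  <-- under %SystemRoot%: do not exclude' }
    '{0,-28} {1}{2}' -f (($dirs[$dir] | Sort-Object -Unique) -join ','), $dir, $flag
}
```

Each output line names the directory and what the instance uses it for (tempdb files appear as ROWS/LOG like any other database), so the list can be pasted into the Falcon folder exclusions and kept with the documentation Step 11 and the Documentation Requirements call for.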
Step 4: Configure Replication Exclusions
Replication Executables and COM Objects
x86 systems:
C:\Program Files (x86)\Microsoft SQL Server\<NNN>\COM\*
x64 systems:
C:\Program Files\Microsoft SQL Server\<NNN>\COM\*
Replication Snapshot Folder
%ProgramFiles%\Microsoft SQL Server\MSSQL<NN>.MSSQLSERVER\MSSQL\ReplData\*
File extensions in snapshot folder:
*.sch, *.idx, *.bcp, *.pre, *.cft, *.dri, *.trg, *.prc
Distribution Agent Temporary Files (SQL 2017 CU22+)
C:\Users\<DistributionAgentAccount>\AppData\Temp\*.lob
Step 5: Configure Analysis Services (SSAS) Exclusions
SSAS Process Exclusions
%ProgramFiles%\Microsoft SQL Server\MSAS<ID>.MSSQLSERVER\OLAP\bin\MSMDSrv.exe
%ProgramFiles%\Microsoft SQL Server\MSAS<ID>.<InstanceName>\OLAP\bin\MSMDSrv.exe
SSAS Directory Exclusions
| Component | Directory |
|---|---|
| Data Directory | C:\Program Files\Microsoft SQL Server\MSAS<ID>.<Instance>\OLAP\Data |
| Temp Directory | C:\Program Files\Microsoft SQL Server\MSAS<ID>.<Instance>\OLAP\Temp |
| Backup Directory | C:\Program Files\Microsoft SQL Server\MSAS<ID>.<Instance>\OLAP\Backup |
| Log Directory | C:\Program Files\Microsoft SQL Server\MSAS<ID>.<Instance>\OLAP\Log |
Step 6: Configure Integration Services (SSIS) Exclusions
SSIS Process Exclusions
%ProgramFiles%\Microsoft SQL Server\<VersionNum>\DTS\Binn\ISServerExec.exe
%ProgramFiles%\Microsoft SQL Server\<VersionNum>\DTS\Binn\DTExec.exe
SSIS Directory Exclusions
%ProgramFiles%\Microsoft SQL Server\<VersionNum>\DTS\*
Step 7: Configure Reporting Services (SSRS) Exclusions
SSRS Process Exclusions by Version
SSRS 2016 and earlier:
%ProgramFiles%\Microsoft SQL Server\<InstanceID>.<InstanceName>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
SSRS 2017 and later:
%ProgramFiles%\Microsoft SQL Server Reporting Services\SSRS\Management\RSManagement.exe
%ProgramFiles%\Microsoft SQL Server Reporting Services\SSRS\Portal\RSPortal.exe
%ProgramFiles%\Microsoft SQL Server Reporting Services\SSRS\ReportServer\bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server Reporting Services\SSRS\RSHostingService\RSHostingService.exe
Step 8: Configure Failover Cluster Instance (FCI) Exclusions
For SQL Server clusters, add these additional exclusions:
Q:\ (Quorum drive)
C:\Windows\Cluster\*
<MSDTC_Drive>\MSDTC\*
Important: Ensure your antivirus software is cluster-aware. Contact your antivirus vendor for cluster-aware versions.
Step 9: Configure PolyBase Exclusions (if applicable)
PolyBase Process Exclusions
%ProgramFiles%\Microsoft SQL Server\<InstanceID>.<InstanceName>\MSSQL\Binn\Polybase\mpdwsvc.exe
PolyBase Directory Exclusions
%ProgramFiles%\Microsoft SQL Server\<InstanceID>.<InstanceName>\MSSQL\Log\Polybase\*
Step 10: Configure Arc-enabled SQL Server Exclusions (if applicable)
For Arc-enabled SQL Server instances, exclude:
- Azure Arc machine managed identity token folder
- Arc extension binaries and configuration files
Refer to Configure a managed identity for Arc-enabled SQL Server for specific paths.
Step 11: Apply and Test Exclusions
- After creating all exclusions, click Save in the CrowdStrike Console
- Allow 5-10 minutes for policies to propagate
- Critical Testing Phase:
  - Test in non-production first
  - Run full load testing
  - Monitor for performance changes
  - Test backup and restore operations
  - Verify replication (if applicable)
  - Test failover scenarios (if clustered)
- Use the fltmc instances command to verify exclusions are applied:

```powershell
# Run in elevated PowerShell or Command Prompt
fltmc instances
```

- Review the output to confirm volumes are properly excluded
- Gradually roll out to production after successful testing
Performance Impact Considerations
Testing Recommendations
Before and after implementing exclusions:
1. Baseline Performance Metrics:
   - Query response times
   - Disk I/O latency
   - CPU utilization
   - Memory usage
   - Backup/restore duration
2. Load Testing:
   - Run typical workload scenarios
   - Test peak load conditions
   - Verify transaction throughput
   - Monitor for blocking/deadlocks
3. Service Operations:
   - Test service restarts
   - Verify database recovery times
   - Check log file growth
   - Validate maintenance jobs
Security Best Practices
Compensating Controls
- Network Security:
  - Implement proper firewall rules
  - Use SQL Server Configuration Manager for network protocols
  - Enable encrypted connections
- Access Control:
  - Use Windows Authentication when possible
  - Implement least privilege principle
  - Regular security audits
- Monitoring:
  - Enable SQL Server Audit
  - Monitor excluded directories with SIEM
  - Set up alerts for suspicious activities
  - Regular review of SQL Server error logs
- Data Protection:
  - Implement Transparent Data Encryption (TDE)
  - Use backup encryption
  - Regular security patching
Risk vs. Performance Matrix
| Component | Performance Impact if Scanned | Security Risk if Excluded | Recommendation |
|---|---|---|---|
| Data files (.mdf, .ldf, .ndf) | Critical | Medium | Required exclusion |
| Backup files (.bak, .trn) | High | Low-Medium | Recommended |
| TempDB files | Critical | Low | Required exclusion |
| Process executables | High | High | Use carefully |
| Log directories | Low | Low | Optional |
| FILESTREAM data | High | Medium | Required if used |
| In-Memory OLTP | Critical | Medium | Required if used |
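The two rows the matrix marks as highest risk, process executables and data folders, are also the ones where the "Monitor excluded directories with SIEM" compensating control above can be made concrete. The script below is an added example (not part of this guide or of CrowdStrike Falcon) of a scheduled check that confirms each excluded executable still carries a valid Microsoft signature, records its SHA256 as a baseline, and lists files in excluded folders whose type does not belong there. The paths assume a default SQL Server 2022 instance (MSSQL16) and the expected-extension lists are taken from the exclusions in this guide; adjust both to your layout.

```powershell
# Added example: not part of the original guide or of CrowdStrike Falcon.
# Compensating checks for the two riskiest rows of the matrix above:
#  1. each excluded SQL Server executable still carries a valid Microsoft
#     Authenticode signature, and its SHA256 is recorded as a baseline;
#  2. excluded data/backup folders contain only the file types the guide
#     expects there, so anything else is surfaced for review or SIEM ingestion.
# Paths assume a default SQL Server 2022 instance (MSSQL16); adjust to your layout.
$ExcludedExes = @(
    "$env:ProgramFiles\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
    "$env:ProgramFiles\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE"
)
$ExcludedDirs = @(
    "$env:ProgramFiles\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA",
    "$env:ProgramFiles\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Backup"
)

function Test-ExcludedExe([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        Path         = $Path
        TrustedMsSig = ($sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*')
        Signer       = $signer
        Sha256       = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # keep with the exclusion record
    }
}

function Test-ExpectedFile([System.IO.FileInfo]$File) {
    $ext = $File.Extension.ToLowerInvariant()
    # In-Memory OLTP compiles native modules under DATA\xtp, so .c/.dll/.obj are normal only there.
    if ($File.FullName -match '\\DATA\\xtp\\') { return $ext -in '.c', '.dll', '.obj' }
    return $ext -in '.mdf', '.ndf', '.ldf', '.bak', '.trn', '.xel', '.xem', '.trc', '.sqlaudit'
}

$ExcludedExes | Where-Object { Test-Path $_ } | ForEach-Object { Test-ExcludedExe $_ } | Format-Table -AutoSize

foreach ($dir in $ExcludedDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Recurse |
        Where-Object { -not (Test-ExpectedFile $_) } |
        ForEach-Object { "UNEXPECTED in excluded folder: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))" }
}
```

A change in the SHA256 of an excluded executable outside a SQL Server cumulative update, or any UNEXPECTED line, is the event to forward to the SIEM, since the sensor will not raise it from inside an excluded path.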
Troubleshooting
Common Issues and Solutions
- Database marked as suspect:
  - Verify all data and log files are excluded
  - Check for file locks using Process Explorer
  - Review SQL Server error log
- Slow backup/restore operations:
  - Ensure backup directories are excluded
  - Verify network paths are excluded if using network backups
  - Check antivirus logs for scanning activity
- Replication failures:
  - Confirm snapshot folder is excluded
  - Verify distribution agent account temp folder is excluded
  - Check COM folder exclusions
- Performance degradation after exclusions:
  - Review fltmc instances output
  - Verify exclusions syntax is correct
  - Check both ML and Sensor Visibility tabs in CrowdStrike
Diagnostic Commands
```sql
-- Check for loaded modules (potential interference)
SELECT * FROM sys.dm_os_loaded_modules
WHERE description NOT LIKE 'Microsoft%';

-- Review wait statistics
SELECT TOP 10 *
FROM sys.dm_os_wait_stats
ORDER BY wait_time_ms DESC;

-- Check for file I/O stalls
SELECT * FROM sys.dm_io_virtual_file_stats(NULL, NULL)
WHERE io_stall > 0
ORDER BY io_stall DESC;
```
Maintenance and Review
Regular Review Schedule
- Monthly: Review performance metrics
- Quarterly: Audit exclusion list
- After Updates:
  - SQL Server cumulative updates
  - CrowdStrike sensor updates
  - Windows updates
- Annually: Complete security assessment
Documentation Requirements
Maintain documentation of:
- All configured exclusions
- Business justification for each exclusion
- Risk acceptance from security team
- Performance baseline metrics
- Testing results
- Incident history related to antivirus
Additional Resources
- Microsoft: Configure antivirus software to work with SQL Server
- SQL Server File Locations for Default and Named Instances
- CrowdStrike Falcon Documentation
- Detours or similar techniques may cause unexpected behaviors with SQL Server
Disclaimer
⚠️ Security Warning: Implementing these exclusions reduces CrowdStrike Falcon’s ability to detect and prevent threats in excluded locations. This creates potential security vulnerabilities that could be exploited by malicious actors.
Organizations should:
- Perform thorough security risk assessment
- Test extensively under full load before production deployment
- Implement compensating security controls
- Maintain detailed audit trails
- Obtain formal risk acceptance from stakeholders
- Regularly review and validate exclusions
The exclusions in this guide are based on Microsoft’s recommendations and common SQL Server deployment scenarios. Your specific environment may require different or additional exclusions. Always test thoroughly in a non-production environment before implementing in production.
Last reviewed: February 2025
Applies to: SQL Server 2016 and later, CrowdStrike Falcon