OnBase Antivirus Exclusions

A woman with long red hair, wearing glasses and a black sweater, smiles at the camera against a plain white background.

Jennifer Siegel

Can OnBase be used with antivirus? Absolutely, with the proper exclusions.

While Hyland has stated that they don’t have any official documentation regarding recommended antivirus software exclusions, it’s generally recommended that the OnBase files, executables, and folders should be excluded from the antivirus scans, along with other files/folders that OnBase users. This list would include the Thick Client’s temporary path (C:Users[UserName]AppDataLocalTemp) and the file location you are attempting to import documents from.

DISK GROUP FOLDERS

Disk group folders can be scanned, but it isn’t recommended because it impacts performance if every document is scanned every time it is opened by OnBase. Best practice is to make sure the virus scanning is performed prior to ingesting the documents into OnBase and exclude scans on the disk group folders. Also, it’s worth noting that the majority of documents in OnBase are generally image files that don’t get modified, so the chances of them developing a virus after ingestion are rather low.

If you really feel you need to perform virus scans on the disk group files, I recommend scheduling it to occur outside of business hours. Be prepared to restore any files it quarantines from backups to avoid having users receive errors that they cannot access the file they are trying to retrieve.

EXECUTABLES

Ensure that the directories where the executables are installed are added to the virus scanner white list. The ClickOnce directory varies for each user and workstation, because the client gets installed in the User’s profile directory. A typical ClickOnce deployment will install to a location that looks something like this:

  • C:Users[UserName]AppDataLocalApps2.0PNB0P3WV.R82WGZV8A5.40X

WEB APPLICATIONS

The latest Web Server module reference guide actually has a lot to say about antivirus.

Modifying the contents of the Web Server, Application Server, or Mobile Applications Broker Server virtual directories will cause the applications to restart. When this occurs, connected users will lose their sessions and their applications will become unresponsive. This behavior occurs because the OnBase Web Server, Application Server, and Mobile Applications Broker Servers are ASP.NET Web Applications. ASP.NET detects file changes, including changes to file system attributes and time stamps, and restarts the application if a change is detected. Unintended application restarts can occur when virus scanning software, backup software, or indexing services access the contents of an application’s virtual directory. These processes don’t modify the contents of an application’s files, but they can modify the files’ attributes, which is enough for ASP.NET to restart the application.

To properly configure virus scanning, backup software, or indexing service software, follow these guidelines:

  • Exclude the virtual directories for the OnBase Web Server, Application Server, and Mobile Applications Broker Server and the ASP.NET Temporary Files directory from antivirus, backup, or indexing service scanning.
  • The ASP.NET Temporary Files directory is below:
    • (32-bit) C:WINDOWSMicrosoft.NETFrameworkv4.0.30319Temporary ASP.NET Files
    • (64-bit) C:WINDOWSMicrosoft.NETFramework64v4.0.30319Temporary ASP.NET Files
  • Real-time scanning of script execution, which is available in some antivirus software, should only be engaged according to the software manufacturer’s instructions. Some manufacturers do not intend this functionality to be used on servers.

Consult your antivirus software’s documentation for other recommended settings for Web servers. Ensure that any virus scanning changes will not be overwritten by the automatic policy settings configured for your network.

Loss of Session Context:

When antivirus software scans the virtual directory of a web application and causes the application to restart, the OnBase Event Log records the “Application End” and “Application Start” events, which are followed by a series of errors. The Diagnostics Console logs the message, “Failed to get session for session id.”

The Microsoft Knowledge Base describes this issue in greater detail. For more information, refer to the following article:

Decreased Performance and Scalability:

Antivirus software running on a Web server or client workstation may have adverse effects on system performance. Two known issues regarding McAfee® VirusScan® with ScriptScan are described below.

  • The following recommendation is for:
    • Performance Issues on Servers Running McAfee VirusScan
    • Performance Issues on Client Workstations Running McAfee VirusScan

Recommendation for Performance Issues on Servers and Client Workstations:

Servers running any OnBase server application, and workstations running the OnBase Web Client or Medical Records Management Solution will exhibit decreased performance when running McAfee VirusScan with ScriptScan enabled.

The recommended solution from McAfee is to first test whether whitelisting solves any problems. If it does not, then you will need to disable ScriptScan.

The McAfee Knowledge Base describes this issue in greater detail. For more information, refer to the following article:

Antivirus Software and Client-Side ActiveX Controls

If antivirus software is used on a client workstation running the ActiveX Web Client, the downloaded ActiveX controls on the client workstation should be excluded from virus scanning. Otherwise, the virus scan process can modify the ActiveX controls’ file attributes in a way that can result in unresponsiveness or unintended application restarts.
The following ActiveX controls located in the C:WindowsSysWOW64 directory are involved, where *** represents the major version of the OnBase Web Server (for example, OBXWebControls180.ocx for version 18):

  • OBXWebControls***.ocx
  • dmimage_web***.dll
  • dmlocale_web***.dll
  • dmmailsvc_web***.dll
  • dmtrace_web***.dll

You must whitelist these files every time you upgrade to a new major version of the OnBase Web Server, since the file names change with each version.

Note: It is not necessary to whitelist ActiveX controls that have been installed to the client workstation using the Web ActiveX Controls installer. Only the ActiveX controls downloaded from the web browser are affected.

ANYDOC

For performance considerations, it is recommended that the following folders/files be excluded from real time (on-access) antivirus/anti-malware scanning.

All Products:

  • “C:ProgramDataAnyDoc” folder and all of its subfolders and files (Windows 7)
  • “C:Documents and SettingsAll UsersApplication DataAnyDoc” folder and all of its subfolders and files (Windows XP/2003 Server)

OCR for AnyDoc:

  • The configured control, data, import*, jobs, master, and VBScripts folders, along with all of their subfolders and files
  • The configured Temporary Location Path folder
  • These paths are found under the following locations:
    • Settings > System Configuration > General
    • Form Family Management > Directories/Output > Directory Settings
    • Form Family Management > Import > General
  • *If the configured import folder is being populated by an outside source (e.g., an FTP folder) rather than a scanner, real time antivirus/anti-malware scanning may (and should) be enabled for the import folder

CAPTUREit:

  • The configured CAPTUREit destination folder (if applicable)
  • The configured CAPTUREit Control folder (if different than the default of C:ProgramDataAnyDocCAPTUREit)

EXCHANGEit:

  • The configured Source and Destination folders (if applicable)

Infiniworx:

  • The configured DataStore folder

More from The Naviant Blog

Business Process and Automation Insights

Two people wearing lanyards smile and talk in an office setting; one man is holding a laptop and sticky notes are visible in the foreground.
Modern cityscape at sunset showing glass office buildings, busy highways with light trails from cars, and clear sky in the background.