Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
General antivirus guidelines and recommendations
Downloads: This chapterpdf (PDF - 388.0 KB) The complete bookPDF (PDF - 3.48 MB) | Feedback

General antivirus guidelines and recommendations

General antivirus guidelines and recommendations

Cisco recommends that you only use the approved Anti-Virus (AV) software products with Unified ICM/ Unified CCE, as described in this part.


Often, the default AV configuration settings increase CPU load and memory and disk usage, adversely affecting software performance. Therefore it is critical that you follow the guidelines in this part when using AV software with Unified ICM/ Unified CCE. See the Hardware & System Software Specification (Bill of Materials) for Cisco Unified ICM/Contact Center Enterprise & Hosted, Release 9.0(1) at:

Viruses are unpredictable and Cisco cannot assume responsibility for the consequences of virus attacks on mission-critical applications. Take particular care for systems that use Microsoft Internet Information Server (IIS).


  • Ensure that your corporate Anti-Virus strategy includes specific provisions for any server positioned outside the corporate firewall or subject to frequent connections to the public Internet.
  • Refer to the Hardware & System Software Specification (Bill of Materials) for Cisco Unified ICM/Contact Center Enterprise & Hosted, Release 9.0(1) for the application and version qualified and approved for your release of Unified ICM/ Unified CCE.

Many of the default AV configuration settings can adversely affect product performance as a result of increased CPU load, memory, and disk usage by the Anti-Virus software program. Cisco tests specific configurations to maximize product performance.

Guidelines and recommendations

Anti-virus applications have numerous configuration options that allow very granular control of what data is scanned, and how the data is scanned on a server.

With any anti-virus product, configuration is a balance of scanning versus the performance of the server. The more you choose to scan, the greater the potential performance overhead. The role of the system administrator is to determine what the optimal configuration requirements will be for installing an anti-virus application within a particular environment. Refer to your particular anti-virus product documentation for more detailed configuration information.

The following list highlights some general best practices:

  • Update AV software scanning engines and definition files on a regular basis, following your organization's current policies.
  • Upgrade to the latest supported version of the third-party anti-virus application. Newer versions improve scanning speed over previous versions, resulting in lower overhead on servers.
  • Avoid scanning of any files accessed from remote drives (such as network mappings or UNC connections). Where possible, ensure that each of these remote machines has its own anti-virus software installed, thus keeping all scanning local. With a multitiered antivirus strategy, scanning across the network and adding to the network load should not be required.
  • Schedule full scans of systems by AV software only during scheduled maintenance windows, and when the AV scan will not interrupt other Unified ICM maintenance activities.
  • Do not set AV software to run in an automatic or background mode for which all incoming data or modified files are scanned in real time.
  • Due to the higher scanning overhead of heuristics scanning over traditional anti-virus scanning, use this advanced scanning option only at key points of data entry from untrusted networks (such as email and Internet gateways).
  • Real-time or on-access scanning can be enabled, but only on incoming files (when writing to disk). This is the default setting for most anti-virus applications. Implementing on-access scanning on file reads will yield a higher impact on system resources than necessary in a high-performance application environment.
  • While on-demand and real-time scanning of all files gives optimum protection, this configuration does have the overhead of scanning those files that cannot support malicious code (for example, ASCII text files). Cisco recommends excluding files or directories of files, in all scanning modes, that are known to present no risk to the system.
  • Schedule regular disk scans only during low-usage times and at times when application activity is lowest.
  • Disable the email scanner if the server does not use email.
  • Additionally, set the AV software to block port 25 to block any outgoing email.
  • Block IRC ports.
  • If your AV software has spyware detection and removal, then enable this feature. Clean infected files, or delete them (if these files cannot be cleaned).
  • Enable logging in your AV application. Limit the log size to 2 MB.
  • Set your AV software to scan compressed files.
  • Set your AV software to not use more than 20% CPU utilization at any time.
  • When a virus is found, the first action is to clean the file, the second to delete or quarantine the file.
  • If it is available in your AV software, enable buffer overflow protection.
  • Set your AV software to start on system startup.

Unified ICM/Unified CCE maintenance parameters

Before scheduling AV software activity on Unified ICM/ Unified CCE Servers, note that a few parameters control the application activity at specific times. Ensure that Anti-Virus software configuration settings do not schedule "Daily Scans," "Automatic DAT Updates," and "Automatic Product Upgrades" during the times specified below.

Logger recommendations

Do not schedule AV software activity to coincide with the time specified in the following Logger registry keys:

  • HKLM\SOFTWARE\Cisco Systems, Inc.\ICM\<inst>\ Logger<A/B>\Recovery\CurrentVersion\Purge\Schedule\Schedule Value Name: Schedule
  • HKLM\SOFTWARE\Cisco Systems, Inc.\ICM\<inst>\ Logger<A/B>\Recovery\CurrentVersion\UpdateStatistics\Schedule Value Name: Schedule

Distributor recommendations

Do not schedule AV software activity to coincide with the time specified in the following Distributor registry keys:

  • HKLM\SOFTWARE\Cisco Systems, Inc. \ICM\<inst>\Distributor\RealTimeDistributor\ CurrentVersion\Recovery\CurrentVersion\Purge\Schedule Value Name: Schedule
  • HKLM\SOFTWARE\Cisco Systems, Inc. \ICM\<inst>\Distributor\RealTimeDistributor\ CurrentVersion\Recovery\CurrentVersion\UpdateStatistics\Schedule Value Name: Schedule

CallRouter and PG recommendations

On the CallRouter and Peripheral Gateway (PG), do not schedule AV program tasks:

  • During times of heavy or peak call load.
  • At the half hour and hour marks, because Unified ICM processes increase during those times.

Other scheduled tasks recommendations

You can find other scheduled Unified ICM process activities on Windows by inspecting the Scheduled Tasks Folder. Try to ensure that scheduled AV program activity does not conflict with those Unified ICM scheduled activities.

File type exclusion recommendations

There are a number of binary files that are written to during the operation of Unified ICM processes that have little risk of virus infection.

Omit files with the following file extensions from the drive and on-access scanning configuration of the AV program:

  • *.hst applies to PG
  • *.ems applies to ALL