M-Files and Virus Scanning

M-Files is compatible with all commonly used virus scanning products.

Make sure that the virus scanners on the users' computers do not do scheduled scanning for the virtual M-Files drive (the M: drive by default). A scheduled scan for the M-Files drive loads all the content from the M-Files server to the user's client and unnecessarily puts strain on the network and the server.

For best performance, disable real-time scanning for the M-Files drive and the M-Files installation folder (C:\Program Files\M-Files\ by default) on the server and client computers. This prevents unnecessary system load and possible conflicts between M-Files and the anti-virus software.

Excluding the M-Files drive and installation folder from virus scanning

To exclude the M-Files drive and the installation folder from virus scanning, add their paths to the correct exclusion lists or exception lists in the anti-virus software. For example, with Symantec Endpoint Protection Manager (SEPM), this is done with an "exceptions policy". Other commonly used anti-virus software products can use terminology such as "excluded items list", "exclude objects", or "exclude from scanning". There are usually separate exclusion lists for scheduled scanning and real-time scanning.

If you cannot exclude the M-Files drive in the anti-virus software, use M-Files Admin to set the antivirus scanning processes not to have access to scan the drive. To do this, in the Advanced Vault Settings section of M-Files Admin, go to Client > Desktop > Excluded Antivirus Scanning Processes. To get access to this setting, the Manage Client Settings Centrally setting must be set to Yes. Before you set it to Yes, read the setting description on the Info tab.

Click Add Process and enter the name of the antivirus scanning process, for example scan64.exe. Add as many processes as necessary. Finally, click Save.

You can use Microsoft's Process Monitor to make sure that the M-Files drive and installation folder are excluded from virus scanning. For instructions, refer to this article.

Excluding the M-Files Client process from virus scanning

If your anti-virus software lets you exclude processes by name, it can be a good idea to exclude MFClient.exe from real-time scanning on the client computers. It can improve performance because it makes sure that the virus scanner does not scan the same files twice: once when the application opens the file and a second time when MFClient.exe does an internal Open operation on the same file.

The default path to MFClient.exe is C:\Program Files\M-Files\<version>\Bin\x64\MFClient.exe.

Excluding M-Files server processes and vault data from virus scanning

Note: If the processes and folders given in this section are not excluded from virus scanning on the M-Files server machine, users can experience poor vault performance. This can also cause faulty backups of vault data.

On the M-Files server machine, make sure that these processes are excluded from real-time virus scanning:

Process name             Default location
MFServer.exe             C:\Program Files\M-Files\<version>\Bin\x64\
MFServerAux.exe          C:\Program Files\M-Files\<version>\Bin\x86\
MFIndexer.exe            C:\Program Files\M-Files\<version>\Bin\x64\
MFIndexingManager.exe    C:\Program Files\M-Files\<version>\Bin\x64\
MFDataExport.exe         C:\Program Files\M-Files\<version>\Bin\x64\
mf-grpc-web-server.exe   C:\Program Files\M-Files\<version>\Server\Web\GRPC\

Also make sure that these folders are excluded:
  • The M-Files installation folder (C:\Program Files\M-Files\ by default)
  • The vault data folder (C:\Program Files\M-Files\Server Vaults\ by default)
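
The following PowerShell script is an added example, not part of the M-Files documentation. It assumes Microsoft Defender is the anti-virus product on the server and checks its configured exclusions against the processes and folders listed above; the -Version parameter stands for the folder name this page writes as <version>. It also reports process exclusions entered by name only, which Defender applies to a process of that name in any location, and folder exclusions broader than the M-Files folders.

```powershell
#Requires -RunAsAdministrator
# Added example, not M-Files code: read-only audit of Microsoft Defender
# exclusions on the M-Files server against the list on this page.
param(
    [Parameter(Mandatory)] [string]$Version,            # folder name the page writes as <version>
    [string]$InstallRoot = 'C:\Program Files\M-Files'   # default from the page
)

$root = $InstallRoot.TrimEnd('\')
$expectedProcesses = @(
    "$root\$Version\Bin\x64\MFServer.exe"
    "$root\$Version\Bin\x86\MFServerAux.exe"
    "$root\$Version\Bin\x64\MFIndexer.exe"
    "$root\$Version\Bin\x64\MFIndexingManager.exe"
    "$root\$Version\Bin\x64\MFDataExport.exe"
    "$root\$Version\Server\Web\GRPC\mf-grpc-web-server.exe"
)
$expectedFolders = @($root, "$root\Server Vaults")

# Exclusions as stored by Defender; empty lists come back as $null.
$pref = Get-MpPreference
$actualProcesses = @($pref.ExclusionProcess | Where-Object { $_ })
$actualFolders   = @($pref.ExclusionPath | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') })

$report = @(
    foreach ($p in $expectedProcesses) {
        $leaf = Split-Path $p -Leaf
        $status = if ($actualProcesses -contains $p) { 'Excluded (full path)' }
                  elseif ($actualProcesses -contains $leaf) { 'Excluded by name only (any path)' }
                  else { 'Missing' }
        [pscustomobject]@{ Type = 'Process'; Item = $p; Status = $status }
    }
    foreach ($d in $expectedFolders) {
        $status = if ($actualFolders -contains $d) { 'Excluded' } else { 'Missing' }
        [pscustomobject]@{ Type = 'Folder'; Item = $d; Status = $status }
    }
)
$report | Format-Table -AutoSize

# Exclusions that cover more than the page asks for: any ancestor of the install root.
$tooBroad = @($actualFolders | Where-Object { $root.StartsWith("$_\", 'OrdinalIgnoreCase') })
if ($tooBroad) { Write-Warning "Broader than the M-Files folders: $($tooBroad -join ', ')" }
```

Exclusions entered with wildcards are reported as Missing because the comparison is on the literal paths.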

Excluding other processes

The exclusion of the pdfSaver.exe process from real-time virus scanning can improve performance when the user converts documents to PDF. Its default location is C:\Program Files\PDF-XChange\PDF-XChange Standard.

Antimalware support

M-Files Server supports antimalware checks on Microsoft Windows Server 2016 and later. Files uploaded to the M-Files server can be scanned for viruses and malware before they are saved in the repository. To do this, you must use anti-virus software that is compatible with the Windows Antimalware Scan Interface (AMSI), for example Microsoft Windows Defender. Real-time scanning must also be enabled.

To take the antimalware checks into use, add these Microsoft Windows registry settings on the M-Files Server computer:

Key          HKEY_LOCAL_MACHINE\SOFTWARE\Motive\M-Files\<version>\Server\MFServer
Value name   EnableAntimalwareScanner
Value type   REG_DWORD
Value        1
Description  Enables antimalware scanning on Microsoft Windows 10, Microsoft Windows Server 2016, and later.

Key          HKEY_LOCAL_MACHINE\SOFTWARE\Motive\M-Files\<version>\Server\MFServer
Value name   TreatAntimalwareScannerErrorsAsTransferBlockingErrors
Value type   REG_DWORD
Description  Specifies whether file transfers to M-Files Server are blocked if the antimalware software is not available or has not been correctly configured. The default value is 0.
Value        0  Do not block file transfers if antimalware software is not available or is misconfigured.
             1  Block file transfers if antimalware software is not available or is misconfigured.

For the changes to take effect, you must restart the M-Files Server service.
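
The following PowerShell script is an added example, not part of the M-Files documentation. It writes the two registry values described above and reads them back; -Version stands for the key name this page writes as <version>, and the -BlockOnScannerError switch is a name chosen for this example that selects value 1 (block transfers when the scanner is unavailable) instead of the default 0. The real-time protection check assumes Microsoft Defender is the AMSI-compatible product in use.

```powershell
#Requires -RunAsAdministrator
# Added example, not M-Files code: set the antimalware registry values from this page.
param(
    [Parameter(Mandatory)] [string]$Version,   # key name the page writes as <version>
    [switch]$BlockOnScannerError               # hypothetical switch: 1 = block transfers on scanner errors
)

$key = "HKLM:\SOFTWARE\Motive\M-Files\$Version\Server\MFServer"
if (-not (Test-Path $key)) { throw "Registry key not found: $key" }

# The page requires real-time scanning to be enabled (checked here for Defender only).
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
        Write-Warning 'Defender real-time protection is off; uploads will not be scanned.'
    }
}

$settings = [ordered]@{
    EnableAntimalwareScanner                              = 1
    TreatAntimalwareScannerErrorsAsTransferBlockingErrors = [int][bool]$BlockOnScannerError
}
foreach ($name in $settings.Keys) {
    # -Force overwrites an existing value so the script can be re-run safely.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord `
        -Value $settings[$name] -Force | Out-Null
}

# Read the values back so the change is confirmed rather than assumed.
Get-ItemProperty -Path $key -Name @($settings.Keys) | Select-Object @($settings.Keys)

Write-Warning 'Restart the M-Files Server service for the changes to take effect.'
```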