I want to keep antivirus software from affecting performance on a TFS installation -- what should be excluded from antivirus scanning? IIS? MSSQL? Am I opening myself up for possible attacks by excluding these? I've seen some recommendations that say antivirus software can interfere with the ability of MSSQL Server to open its database files.
There is a pretty good knowledge base article about antivirus software and MSSQL Server here:
http://support.microsoft.com/kb/309422
There is a non-Microsoft discussion of this topic for lots of different Microsoft server software here:
http://myitforum.com/cs2/blogs/scassells/archive/2007/05/14/what-anti-virus-scanning-exclusions-should-be-considered-for-system-and-servers.aspx
McAfee KB article regarding VirusScan Enterprise and MSSQL Server:
https://kc.mcafee.com/corporate/index?page=content&id=KB51009&actp=search&searchid=1249063803684
Usually your antivirus manufacturer will have documentation available on their site detailing what to exclude for various applications and how to exclude it. I'd begin looking there.
Take a look at the following blog post about Virus Scanning with TFS:
Also it is worth noting that Antivirus software can cause performance issues down at the TFS client for similar reasons that it does on the server. When a file is downloaded, behind the scenes the file is first placed into a temporary directory and is then moved from the temp directory into the real location.
You can diagnose if Anti-virus is affecting the performance in this way by temporarily disabling it, performing a large Get operation and then comparing the time taken to download the files with the time taken when the AV is enabled.
You can find a post on what folders to exclude from Antivirus software on a Team Foundation server here: http://blog.ozzie.eu/2012/03/microsoft-team-foundation-server.html
One way to tell for sure would be to use SysInternal's ProcMon to capture all of the file IO that happens on a regular basis.
Start ProcMon up and let it capture for a while. By default it stores the capture in the swap file and records more than just drive IO. So if you are going to capture for too long, you will want change the backing file and only capture drive access. After stopping the capture, click on Tools then File Summary. This will give you a list of files that were accessed, sorted by most to least accessed.
Run Process Monitor now from Live.Sysinternals.com
I used to see problems with some anti-virus programs when scanning ASP.NET web sites. They could lock files that needed to be writable, especially in the case of files that are built and/or compiled on the fly.
I have had concerns about anti-virus "touching" files that cause an ASP.NET application to restart - anything in the bin folder, web.config, etc. I do not have specific cases beyond "concern", however.
This site might help: http://www.av-comparatives.org/comparativesreviews/performance-tests
Microsoft has published their own guidelines in KB 2636507: Antivirus exclusions for Microsoft Team Foundation Server.