
Best Practice AV set up on SAP Servers

Oggy
Explorer
0 Kudos

Hi,

Has anyone come across, or is anyone aware of, any best practice guidelines for AV setup on SAP servers, for example, which files/drives you should exclude and which configuration tuning/reg-edits are required? We have McAfee as our standard AV and we do use the HIPS component.

Thanks,

Martin

Accepted Solutions (0)

Answers (1)

markus_doehr2
Active Contributor
0 Kudos

My best advice is:

Don't run AV on a database server but rather reconfigure the local/a firewall so that only those ports are open which are necessary to run the SAP application.

Excluding files may help a bit but nevertheless, as soon as the AV scanner is installed it will hook up to the filesystem layer and slow down (maybe not significantly) I/O. I've seen weird side effects in upgrades and patch installations due to an enabled scanner although the database files and executables were excluded from scanning.

If you're urged to run Windows servers then I would put them in a separate network segment with a firewall in front and enable only the necessary SAP ports (and printing ports). This has a number of advantages:

- nasty RPC bugs can't be exploited because RPC to the SAP system should be disabled

- there's no need to reboot the Windows machines on every "Microsoft patch day"

A virus scanner adds, especially for production database systems, an indeterministic risk to the business.

Markus
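An added example, not part of the reply above: a small audit that compares the TCP listeners reported by `netstat -ano` on a Windows SAP host with an SAP-only allowlist, so everything else (RPC on 135, SMB on 445) shows up as a port the segment firewall should block. The port scheme (32NN, 33NN, 36NN, 5NN13 for instance number NN) is the conventional SAP ABAP layout and is an assumption here, as are the function names and the constructed sample output; printing ports are left out and belong in `extra_ports` for your landscape.

```python
"""Audit listening TCP ports against an SAP-only allowlist (added example)."""

# Assumption: conventional SAP ABAP port scheme, NN = two-digit instance number.
SAP_PORT_TEMPLATES = {
    "dispatcher (SAP GUI)": "32{nn}",
    "gateway (RFC)": "33{nn}",
    "message server": "36{nn}",
    "sapstartsrv HTTP": "5{nn}13",
}

# Constructed sample of `netstat -ano` output, not taken from a real host.
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135       0.0.0.0:0         LISTENING    884
  TCP    0.0.0.0:445       0.0.0.0:0         LISTENING    4
  TCP    0.0.0.0:3200      0.0.0.0:0         LISTENING    5120
  TCP    0.0.0.0:3300      0.0.0.0:0         LISTENING    5188
  TCP    0.0.0.0:3600      0.0.0.0:0         LISTENING    5064
  TCP    0.0.0.0:50013     0.0.0.0:0         LISTENING    2412
  TCP    127.0.0.1:5357    0.0.0.0:0         LISTENING    4
  TCP    10.0.0.5:3200     10.0.0.77:51544   ESTABLISHED  5120
  TCP    [::]:135          [::]:0            LISTENING    884
"""

def allowed_ports(instance_numbers, extra_ports=None):
    """Map each permitted port to the reason it is permitted."""
    allowed = dict(extra_ports or {})
    for nn in instance_numbers:
        if not 0 <= nn <= 99:
            raise ValueError(f"instance number out of range: {nn}")
        for role, template in SAP_PORT_TEMPLATES.items():
            port = int(template.format(nn=f"{nn:02d}"))
            allowed[port] = f"{role}, instance {nn:02d}"
    return allowed

def parse_listeners(netstat_text):
    """Return the TCP ports in LISTENING state, ignoring loopback-only binds."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        address, port = fields[1].rsplit(":", 1)
        if address.startswith("127.") or address == "[::1]":
            continue  # not reachable from the network
        ports.add(int(port))
    return ports

def audit(netstat_text, instance_numbers, extra_ports=None):
    """Split the host's listeners into ports to expose and ports to block."""
    allowed = allowed_ports(instance_numbers, extra_ports)
    listening = parse_listeners(netstat_text)
    return {"expose": sorted(listening & allowed.keys()),
            "block": sorted(listening - allowed.keys())}
```

Run `audit()` on real `netstat -ano` output with the host's own instance numbers; every port in `block` is a listener the firewall in front of the segment should not pass.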