I hate running antivirus on SQL Servers. I agree antivirus is a necessary evil on most systems, but I don't like running standard antivirus on Exchange, SQL Server, or Active Directory domain controllers. My SharePoint admin friends have made good arguments to avoid it there, too. But a lot of corporate policies say you have to have it. Fine, if that's the case, here are the exclusions I would ensure are enforced:
Any others folks can think of?
As to my preferences, I would rather an external scan be conducted against the drives of the SQL Server, which is possible in most enterprise antivirus products. This keeps the AV load off the SQL Server and keeps AV from filtering at both the disk and network interfaces.