Antivirus exclusions for Exchange 2016 servers


In this post, we will look at the Antivirus exclusions for Windows in order to run a successful Exchange 2016 environment.

It is not uncommon to run antivirus programs on Exchange 2016 servers; however, if the exclusions are not configured correctly, the scanner can have negative effects on those servers.

There are two basic components of any Windows antivirus program:

  • Memory-resident scanning or real-time protection monitors all files and processes that are loaded and running in a computer’s active memory.
  • File-level scanning refers to checking files on the hard disk for viruses manually or on a regular schedule. Some antivirus programs start an on-demand scan automatically after the virus signatures are updated to make sure that all files are scanned with the latest signatures.

“The biggest potential problem is a Windows antivirus program might lock or quarantine an open log file or database file that Exchange needs to modify. This can cause severe failures in Exchange 2016, and it might also generate 1018 event log errors. Therefore, excluding these files from being scanned by the Windows antivirus program is very important.

Another issue to consider is that Windows antivirus programs can’t replace email-based antispam and antimalware solutions because Windows antivirus programs that run on Windows servers can’t detect viruses, malware, and spam that are distributed only through email.”

Recommended Windows antivirus exclusions for Exchange 2016 servers

When you deploy a Windows antivirus program on an Exchange 2016 server, make sure that the folder exclusions, process exclusions, and file name extension exclusions that are described in these sections are configured for both memory-resident and file-level scanning.

Note:
The %ExchangeInstallPath% value is typically C:\Program Files\Microsoft\Exchange Server\V15\ (includes a trailing “\”), the %SystemRoot% value is typically C:\Windows (doesn’t include a trailing “\”), and the %SystemDrive% value is typically C: (doesn’t include a trailing “\”).
The locations of many of these Exchange folders are configurable in the Exchange Management Shell. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.


Folder exclusions

Exclude the following folders from file-level scanning and memory-resident scanning on Exchange 2016 servers.

| Folder | Category | Servers |
|---|---|---|
| %SystemRoot%\Cluster | DAGs | Mailbox servers |
| %SystemDrive%\DAGFileShareWitnesses\<DAGFQDN> | DAGs | Any |
| %ExchangeInstallPath%ClientAccess\OAB | Offline Address Books | Mailbox servers |
| %ExchangeInstallPath%FIP-FS | Antimalware and DLP | Mailbox servers |
| %ExchangeInstallPath%GroupMetrics | MailTips | Mailbox servers |
| %ExchangeInstallPath%Logging | Exchange process logs | |
| %ExchangeInstallPath%Mailbox | Mailbox databases | Mailbox servers |
| %ExchangeInstallPath%TransportRoles\Data\Adam | EdgeSync | Edge Transport servers |
| %ExchangeInstallPath%TransportRoles\Data\IpFilter | Connection filtering | Edge Transport servers |
| %ExchangeInstallPath%TransportRoles\Data\Queue | Queues | Mailbox servers, Edge Transport servers |
| %ExchangeInstallPath%TransportRoles\Data\SenderReputation | Sender reputation | Edge Transport servers, Mailbox servers |
| %ExchangeInstallPath%TransportRoles\Data\Temp | Content conversion | Mailbox servers, Edge Transport servers |
| %ExchangeInstallPath%TransportRoles\Logs | Transport logs | Mailbox servers, Edge Transport servers (Transport service only) |
| %ExchangeInstallPath%TransportRoles\Pickup | Pickup directory | Mailbox servers, Edge Transport servers |
| %ExchangeInstallPath%TransportRoles\Replay | Replay directory | Mailbox servers, Edge Transport servers |
| %ExchangeInstallPath%UnifiedMessaging\Grammars | Unified Messaging | Mailbox servers |
| %ExchangeInstallPath%UnifiedMessaging\Prompts | Unified Messaging | Mailbox servers |
| %ExchangeInstallPath%UnifiedMessaging\Temp | Unified Messaging | Mailbox servers |
| %ExchangeInstallPath%UnifiedMessaging\Voicemail | Unified Messaging | Mailbox servers |
| %ExchangeInstallPath%Working\OleConverter | Content conversion | Mailbox servers, Edge Transport servers |
| %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files | Web components | Mailbox servers |
| %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files | Web components | Mailbox servers |
| %SystemRoot%\System32\Inetsrv | Web components | Mailbox servers |
| %SystemRoot%\Temp\OICE_<GUID>\ | Exchange Search | Mailbox servers |


Process exclusions

Many antivirus programs support the scanning of processes, which can adversely affect Microsoft Exchange if the incorrect processes are scanned. Therefore, you should exclude the following Exchange or related processes from process scanning.


| Process | Path | Servers |
|---|---|---|
| ComplianceAuditService.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| Dsamain.exe | %SystemRoot%\System32 | Edge Transport servers |
| EdgeTransport.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
| fms.exe | %ExchangeInstallPath%FIP-FS\Bin | Mailbox servers |
| hostcontrollerservice.exe | %ExchangeInstallPath%Bin\Search\Ceres\HostController | Mailbox servers |
| inetinfo.exe | %SystemRoot%\System32\inetsrv | Mailbox servers |
| Microsoft.Exchange.AntispamUpdateSvc.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
| Microsoft.Exchange.ContentFilter.Wrapper.exe | %ExchangeInstallPath%TransportRoles\agents\Hygiene | Mailbox servers, Edge Transport servers |
| Microsoft.Exchange.Diagnostics.Service.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
| Microsoft.Exchange.Directory.TopologyService.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| Microsoft.Exchange.EdgeCredentialSvc.exe | %ExchangeInstallPath%Bin | Edge Transport servers |
| Microsoft.Exchange.EdgeSyncSvc.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| Microsoft.Exchange.Imap4.exe | %ExchangeInstallPath%FrontEnd\PopImap | Mailbox servers |
| Microsoft.Exchange.Imap4service.exe | %ExchangeInstallPath%ClientAccess\PopImap | Mailbox servers |
| Microsoft.Exchange.Notifications.Broker.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| Microsoft.Exchange.Pop3.exe | %ExchangeInstallPath%FrontEnd\PopImap | Mailbox servers |
| Microsoft.Exchange.Pop3service.exe | %ExchangeInstallPath%ClientAccess\PopImap | Mailbox servers |
| Microsoft.Exchange.ProtectedServiceHost.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
| Microsoft.Exchange.RPCClientAccess.Service.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| Microsoft.Exchange.Search.Service.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| Microsoft.Exchange.Servicehost.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
| Microsoft.Exchange.Store.Service.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| Microsoft.Exchange.Store.Worker.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| Microsoft.Exchange.UM.CallRouter.exe | %ExchangeInstallPath%FrontEnd\CallRouter | Mailbox servers |
| MSExchangeCompliance.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| MSExchangeDagMgmt.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| MSExchangeDelivery.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| MSExchangeFrontendTransport.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| MSExchangeHMHost.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
| MSExchangeHMWorker.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
| MSExchangeMailboxAssistants.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| MSExchangeMailboxReplication.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| MSExchangeRepl.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| MSExchangeSubmission.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| MSExchangeTransport.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
| MSExchangeTransportLogSearch.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
| MSExchangeThrottling.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| Noderunner.exe | %ExchangeInstallPath%Bin\Search\Ceres\Runtime\1.0 | Mailbox servers |
| OleConverter.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| ParserServer.exe | %ExchangeInstallPath%Bin\Search\Ceres\ParserServer | Mailbox servers |
| Powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0 | Mailbox servers, Edge Transport servers |
| ScanEngineTest.exe | %ExchangeInstallPath%FIP-FS\Bin | Mailbox servers |
| ScanningProcess.exe | %ExchangeInstallPath%FIP-FS\Bin | Mailbox servers |
| UmService.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| UmWorkerProcess.exe | %ExchangeInstallPath%Bin | Mailbox servers |
| UpdateService.exe | %ExchangeInstallPath%FIP-FS\Bin | Mailbox servers |
| W3wp.exe | %SystemRoot%\System32\inetsrv | Mailbox servers |
| wsbexchange.exe | %ExchangeInstallPath%Bin | Mailbox servers |


File name extension exclusions

In addition to excluding specific folders and processes, you should exclude the following Exchange-specific file name extensions in case folder exclusions fail or files are moved from their default locations.


| Extensions | Description | Servers |
|---|---|---|
| .config | Application-related extensions | Mailbox servers, Edge Transport servers |
| .chk, .edb, .jfm, .jrs, .log, .que | Database-related extensions | Mailbox servers, Edge Transport servers |
| .dsc, .txt | Group Metrics-related extensions | Mailbox servers |
| .cfg, .grxml | Unified Messaging-related extensions | Mailbox servers |
| .lzx | Offline address book-related extensions | Mailbox servers |
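The folder, process and extension lists above are one procedure, so here is an added example (not from the original post) that applies them to Windows Defender on a Mailbox server and then reports anything that did not take effect. It assumes an elevated PowerShell session on the Exchange 2016 server with the Defender module (Add-MpPreference, Get-MpPreference) available and the Exchange Management Shell loaded, so that the configurable database and log paths are read from Exchange rather than assumed; the process list is a subset of the table and is meant to be extended with the remaining rows for your server roles.

```powershell
# Added example, not from the original post: apply the exclusions in the tables
# above to Windows Defender, then report any that are still missing.
# Assumes: elevated session on the Exchange 2016 Mailbox server, Defender module
# present, and the Exchange Management Shell loaded (for Get-MailboxDatabase).

$install = $env:ExchangeInstallPath            # set by Exchange setup, ends in "\"
if (-not $install) { throw "ExchangeInstallPath is not set: run this on an Exchange server." }

# Folder rows from the table above (Mailbox server rows), relative to the install path.
$folders = 'ClientAccess\OAB', 'FIP-FS', 'GroupMetrics', 'Logging', 'Mailbox',
           'TransportRoles\Data\Queue', 'TransportRoles\Data\Temp', 'TransportRoles\Logs',
           'TransportRoles\Pickup', 'TransportRoles\Replay', 'Working\OleConverter' |
           ForEach-Object { Join-Path $install $_ }
$folders += "$env:SystemRoot\Cluster",
            "$env:SystemDrive\inetpub\temp\IIS Temporary Compressed Files",
            "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files",
            "$env:SystemRoot\System32\Inetsrv"

# Database and log folders are configurable, so read the real locations from
# Exchange instead of trusting the default under %ExchangeInstallPath%Mailbox.
Get-MailboxDatabase -Server $env:COMPUTERNAME | ForEach-Object {
    $folders += Split-Path $_.EdbFilePath.PathName -Parent
    $folders += $_.LogFolderPath.PathName
}

# Process and extension rows from the tables above (process list is a subset;
# extend it with the remaining rows for the roles installed on this server).
$processes  = 'EdgeTransport.exe', 'MSExchangeTransport.exe', 'MSExchangeSubmission.exe',
              'MSExchangeDelivery.exe', 'Microsoft.Exchange.Store.Service.exe',
              'Microsoft.Exchange.Store.Worker.exe', 'MSExchangeRepl.exe', 'W3wp.exe'
$extensions = 'config', 'chk', 'edb', 'jfm', 'jrs', 'log', 'que',
              'dsc', 'txt', 'cfg', 'grxml', 'lzx'

$folders = $folders | Sort-Object -Unique
Add-MpPreference -ExclusionPath $folders -ExclusionProcess $processes -ExclusionExtension $extensions

# Verify: anything still missing usually means a policy-managed Defender setting
# is overriding the local change, which is worth knowing before the next 1018 event.
$pref = Get-MpPreference
$missing = @(
    $folders    | Where-Object { $pref.ExclusionPath      -notcontains $_ }
    $processes  | Where-Object { $pref.ExclusionProcess   -notcontains $_ }
    $extensions | Where-Object { $pref.ExclusionExtension -notcontains $_ }
)
if ($missing) { Write-Warning "Not excluded:`n$($missing -join "`n")" }
else          { 'All listed exclusions are in place.' }
```

Keep the exclusion set to exactly these paths, processes and extensions: every exclusion is a blind spot for the scanner, so a broader wildcard than the tables call for trades Exchange stability for coverage you did not need to give up.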


#ThatLazyAdmin
