File level Anti-Virus Exclusions for Exchange Server 2013

Many of you might have called Microsoft PSS in past and would have heard them asking you to set the AV exclusions on the exchange server. Several customers get alarmed with an idea of excluding folders and files from AV scanning. Although your company’s security officer may not like the idea, it is essential that you exclude some files and folders from AV scanning when running an exchange server installation on Windows to avoid lot of unforeseen performance and content conversion related issues.

You may ask, why  is it important to set exclusions? As a general practice several organizations deploy file level scanning on the server systems where exchange is installed. To perform a scan of a file an AV software definitely needs to put an handle on the target file. Imagine a case when an AV software has locked a huge database file that is also required to be used by information store. In this case, the amount of time taken by AV to perform a full scan of the file is certainly higher than what an information store thread can wait for. In another case processes are also sometimes locked by file level scanners. Executable files being one of the most common medium for viruses to spread across, AV pays a special attention to the .exe file types. If an executable that is supposed to work as an image for a service is locked by AV, the relevant service may also fail to start causing downtime of that service component on the server. It becomes extremely important to configure exclusion in the file level antivirus software to avoid any known or unknown issues in future.

Although exclusions are good for the health and stability of exchange servers, I have seem some people excluding entire exchange installation directory. Which is not a good practice. When you configure exclusions, you should configure them correctly.

Alright, so what folders and files should I exclude from file level scanning? Great! Seems like you were able to make your security officer happy and get an approval for setting up exclusions on server systems. I personally had to struggle to get it approved by CISOs so far :-). If you were one of those lucky guys who got an approval immediately then below is the list of files and folders to be excluded.

On a Mailbox Role

File Extensions to be excluded:

.config
.dia
.wsb
.chk
.edb
.jrs
.jsl
.log
.que
.lzx
.ci
.dir
.wid
.000
.001
.002
.cfg
.grxml
.dsc
.txt

Folder Exclusions

Type Default Location
Mailbox Database Folder %ExchangeInstallPath%\Mailbox
Log Files Folder %ExchangeInstallPath%\Mailbox
Checkpoint Files Folder %ExchangeInstallPath%\Mailbox
OAB Folder %ExchangeInstallPath%\ClientAccess\OAB
Group Metrics Folder Under %ExchangeInstallPath%\GroupMetrics
IIS System Files %SystemRoot%\System32\Inetsrv
Mailbox Database Temp Folder %ExchangeInstallPath%Mailbox\MDBTEMP
DAG FSW Folder %SystemDrive%:\DAGFileShareWitnesses\<DAGFQDN> (This folder is not hosted on the DAG members)
Cluster Quorum Database %Windir%\Cluster
Message Tracking Logs %ExchangeInstallPath%\TransportRoles\Logs
Tracing Logs %ExchangeInstallPath%\TransportRoles\Logs
Pickup and Directory %ExchangeInstallPath%\TransportRoles
Queue databases and Logs %ExchangeInstallPath%\TransportRoles\Data\Queue
Sender Reputation Files %ExchangeInstallPath%\TransportRoles\Data\SenderReputation
Content Conversion Temp Files %SystemRoot%\TEMP
OLE Content conversion folder %ExchangeInstallPath\%Working\OleConverter
Content Scanning folder %ExchangeInstallPath%\FIP-FS
Connectivity Logs %ExchangeInstallPath%\TransportRoles\Logs\Mailbox
Grammer Files %ExchangeInstallPath%\UnifiedMessaging\grammars
Voice Promots folder %ExchangeInstallPath%\UnifiedMessaging\Prompts
Voicemail files location %ExchangeInstallPath%\UnifiedMessaging\voicemail
Temp files for UM %ExchangeInstallPath%\UnifiedMessaging\temp

On a CAS Server

Folders Exclusion

Type Default Location
IIS File System %SystemRoot%\System32\Inetsrv
IIS Logs Inetpub\logs\logfiles\w3svc
IMAP4 Protocol Logs %ExchangeInstallPath%\Logging\POP3
POP3 Protocol Logs %ExchangeInstallPath%\Logging\POP4
Front End Transport Logs %ExchangeInstallPath%\TransportRoles\Logs\FrontEnd

In addition to above exclusions you should also exclude below process from scanning depending upon what server role you are excluding them on. Although it is not a mandate to do exclude the processes from scanning, some file level antivirus programs support process scanning as well. If your AV program is one them, it can cause adverse effects on exchange services.

Cdb.exe Microsoft.Exchange.Pop3service.exe MSExchangeRepl.exe
Cidaemon.exe Microsoft.Exchange.ProtectedServiceHost.exe MSExchangeSubmission.exe
Clussvc.exe Microsoft.Exchange.RPCClientAccess.Service.exe MSExchangeTransport.exe
Dsamain.exe Microsoft.Exchange.Search.Service.exe MSExchangeTransportLogSearch.exe
EdgeCredentialSvc.exe Microsoft.Exchange.Servicehost.exe MSExchangeThrottling.exe
EdgeTransport.exe Microsoft.Exchange.Store.Service.exe Msftefd.exe
ExFBA.exe Microsoft.Exchange.Store.Worker.exe Msftesql.exe
hostcontrollerservice.exe Microsoft.Exchange.TransportSyncManagerSvc.exe OleConverter.exe
Inetinfo.exe Microsoft.Exchange.UM.CallRouter.exe Powershell.exe
Microsoft.Exchange.AntispamUpdateSvc.exe MSExchangeDagMgmt.exe ScanEngineTest.exe
Microsoft.Exchange.ContentFilter.Wrapper.exe MSExchangeDelivery.exe ScanningProcess.exe
Microsoft.Exchange.Diagnostics.Service.exe MSExchangeFrontendTransport.exe TranscodingService.exe
Microsoft.Exchange.Directory.TopologyService.exe MSExchangeHMHost.exe UmService.exe
Microsoft.Exchange.EdgeSyncSvc.exe MSExchangeHMWorker.exe UmWorkerProcess.exe
Microsoft.Exchange.Imap4.exe MSExchangeLESearchWorker.exe UpdateService.exe
Microsoft.Exchange.Imap4service.exe MSExchangeMailboxAssistants.exe W3wp.exe
Microsoft.Exchange.Monitoring.exe MSExchangeMailboxReplication.exe  
Microsoft.Exchange.Pop3.exe MSExchangeMigrationWorkflow.exe  

Most of these processes can be found under the Bin directory of exchange server installation folder and some of them reside inside the sub folders. If you are not sure of what path is set for the folders to be excluded in the folder exclusion table above, a quick run Get-TransportService, Get-MailboxDatabase,  Get-UMService can give you the paths you are looking for.

One thought on “File level Anti-Virus Exclusions for Exchange Server 2013”

Comments are closed.