Many of you might have called Microsoft PSS in the past and heard them ask you to set AV exclusions on the Exchange server. Several customers get alarmed at the idea of excluding folders and files from AV scanning. Although your company's security officer may not like the idea, it is essential that you exclude some files and folders from AV scanning when running an Exchange server installation on Windows, to avoid a lot of unforeseen performance and content conversion related issues.
You may ask why it is important to set exclusions. As a general practice, several organizations deploy file-level scanning on the server systems where Exchange is installed. To scan a file, AV software must open a handle on the target file. Imagine a case where the AV software has locked a huge database file that the Information Store also needs. The time the AV takes to perform a full scan of that file is certainly longer than an Information Store thread can wait. In another case, processes are also locked by file-level scanners. Executable files are one of the most common media for viruses to spread, so AV pays special attention to .exe file types. If an executable that serves as the image for a service is locked by AV, that service may fail to start, causing downtime for that service component on the server. It therefore becomes extremely important to configure exclusions in the file-level antivirus software to avoid any known or unknown issues in future.
Although exclusions are good for the health and stability of Exchange servers, I have seen some people exclude the entire Exchange installation directory, which is not a good practice. When you configure exclusions, you should configure them precisely.
Alright, so what folders and files should be excluded from file-level scanning? Great, it seems you were able to make your security officer happy and get approval for setting up exclusions on server systems. I personally have had to struggle to get it approved by CISOs so far :-). If you were one of those lucky guys who got approval immediately, below is the list of files and folders to be excluded.
On a Mailbox Role
Files and folders to be excluded:

| Item | Path |
|---|---|
| Mailbox Database Folder | %ExchangeInstallPath%\Mailbox |
| Log Files Folder | %ExchangeInstallPath%\Mailbox |
| Checkpoint Files Folder | %ExchangeInstallPath%\Mailbox |
| Group Metrics Folder | Under %ExchangeInstallPath%\GroupMetrics |
| IIS System Files | %SystemRoot%\System32\Inetsrv |
| Mailbox Database Temp Folder | %ExchangeInstallPath%\Mailbox\MDBTEMP |
| DAG FSW Folder | %SystemDrive%\DAGFileShareWitnesses\<DAGFQDN> (this folder is not hosted on the DAG members) |
| Cluster Quorum Database | %Windir%\Cluster |
| Message Tracking Logs | %ExchangeInstallPath%\TransportRoles\Logs |
| Pickup and Replay Directory | %ExchangeInstallPath%\TransportRoles |
| Queue Databases and Logs | %ExchangeInstallPath%\TransportRoles\Data\Queue |
| Sender Reputation Files | %ExchangeInstallPath%\TransportRoles\Data\SenderReputation |
| Content Conversion Temp Files | %SystemRoot%\TEMP |
| OLE Content Conversion Folder | %ExchangeInstallPath%\Working\OleConverter |
| Content Scanning Folder | %ExchangeInstallPath%\FIP-FS |
| Voice Prompts Folder | %ExchangeInstallPath%\UnifiedMessaging\Prompts |
| Voicemail Files Location | %ExchangeInstallPath%\UnifiedMessaging\voicemail |
| Temp Files for UM | %ExchangeInstallPath%\UnifiedMessaging\temp |
On a CAS Server
| Item | Path |
|---|---|
| IIS File System | %SystemRoot%\System32\Inetsrv |
| IMAP4 Protocol Logs | %ExchangeInstallPath%\Logging\IMAP4 |
| POP3 Protocol Logs | %ExchangeInstallPath%\Logging\POP3 |
| Front End Transport Logs | %ExchangeInstallPath%\TransportRoles\Logs\FrontEnd |
In addition to the above exclusions, you should also exclude the processes below from scanning, depending on which server role you are excluding them on. Although it is not mandatory to exclude processes from scanning, some file-level antivirus programs support process scanning as well, and if your AV program is one of them it can have adverse effects on Exchange services.
Most of these processes can be found under the Bin directory of the Exchange installation folder, and some of them reside in its subfolders. If you are not sure what path is set for the folders in the exclusion table above, a quick run of Get-TransportService, Get-MailboxDatabase or Get-UMService will give you the paths you are looking for.
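The following is an added example, not code from the original post: it resolves the database, log, pickup and replay folders actually in use from Get-MailboxDatabase and Get-TransportService, combines them with the fixed folders from the table above, refuses any entry as broad as the whole install directory or a drive root, and applies the result with Windows Defender's Add-MpPreference. It assumes the Exchange Management Shell and Defender AV on the server; the function names are this example's own.

```powershell
# Build a precise exclusion list from the Exchange cmdlets named in the post.
function Get-ExchangeExclusionPaths {
    $root  = $env:ExchangeInstallPath.TrimEnd('\')
    $paths = New-Object System.Collections.Generic.List[string]

    # Fixed folders from the exclusion table that live under the install root
    foreach ($rel in 'Mailbox\MDBTEMP', 'GroupMetrics', 'TransportRoles\Data\Queue',
                     'TransportRoles\Data\SenderReputation', 'Working\OleConverter', 'FIP-FS') {
        $paths.Add((Join-Path $root $rel))
    }
    $paths.Add((Join-Path $env:SystemRoot 'System32\Inetsrv'))
    $paths.Add((Join-Path $env:SystemRoot 'TEMP'))

    # Database and log folders actually configured (they may sit outside the install root)
    foreach ($db in Get-MailboxDatabase -Server $env:COMPUTERNAME) {
        $paths.Add((Split-Path ([string]$db.EdbFilePath) -Parent))
        $paths.Add([string]$db.LogFolderPath)
    }
    $ts = Get-TransportService -Identity $env:COMPUTERNAME
    foreach ($p in $ts.MessageTrackingLogPath, $ts.PickupDirectoryPath, $ts.ReplayDirectoryPath) {
        if ($p) { $paths.Add([string]$p) }
    }
    $paths | Sort-Object -Unique
}

# Guard against the over-broad exclusion the post warns about: the whole
# Exchange directory (or an entire drive) must never be excluded.
function Test-ExclusionScope {
    param([string[]]$Paths)
    $root = $env:ExchangeInstallPath.TrimEnd('\')
    foreach ($p in $Paths) {
        $t = $p.TrimEnd('\')
        if ($t -ieq $root -or $t -match '^[A-Za-z]:$') {
            throw "Refusing over-broad exclusion: $p"
        }
    }
}

$exclusions = Get-ExchangeExclusionPaths
Test-ExclusionScope -Paths $exclusions
$exclusions | ForEach-Object { Add-MpPreference -ExclusionPath $_ }

# Review what the scanner now skips so the list can be checked against the table
(Get-MpPreference).ExclusionPath
```

Unified Messaging and DAG witness folders are role-specific and are left for you to add after confirming the role is installed.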