Exchange Server Recommendations for File-Level Antivirus Scanners
Written by Cheng Pei Koay, Premier Field Engineer.
If you are deploying file-level antivirus scanners on Exchange servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions are in place for both scheduled and real-time scanning. This post describes some recommended exclusions for each server or server role.
The following links provide good background information on the topic: File-Level Antivirus Scanning on Exchange Server 2007 and File-Level Antivirus Scanning on Exchange Server 2010.
File-Level Antivirus Scanner
You must exclude specific directories for each Exchange server or server role on which you run a file-level antivirus scanner. This section describes the directories that you should exclude from file-level scanning for each server or server role.
Mailbox server role
- Exchange databases, checkpoint files, and log files across all storage groups.
- The location of a transaction log and checkpoint file
- The location of a mailbox database
- The location of a public folder database
- Database content indexes.
- General log files, such as message tracking log files.
- The Offline Address Book files
- IIS system files
- The temporary folder that is used with offline maintenance utilities
- The temporary folders that are used to perform conversions:
- Content conversions
- OLE conversions
- The Mailbox database temporary folder
- Any Exchange-aware antivirus program folders
Clustered Mailbox server
All the items listed in the Mailbox server role list, and the following:
- The quorum disk and the %Winnt%\Cluster folder
- The file share witness.
Hub Transport server role
- General log files, for example, message tracking.
- The message folders
- The transport server role queue database, checkpoint, and log files.
- The transport server role Sender Reputation database, checkpoint, and log files.
- The transport server role IP filter database, checkpoint, and log files.
- The temporary folders that are used to perform conversions:
- Content conversions are performed in the server’s TMP folder.
- OLE conversions are performed
- Any Exchange-aware antivirus program folders
Client Access server role
- The Internet Information Services (IIS) 6.0 compression folder that is used with Microsoft Outlook Web Access.
- IIS system files
- The Internet-related files
- The temporary folder that is used to perform content conversion
Note: If you use volume mount points, you also need to exclude them; a rule that covers the host volume does not necessarily cover a volume mounted beneath it. This article written by Tim McMichaels explains this very clearly. If you need to cover all mount points with one rule, you can use the device path “\Device\HarddiskVolume*\”.
File-Level Antivirus Scanner Process Exclusions
Many file-level scanners now support the scanning of processes. This too can adversely affect Microsoft Exchange if the wrong processes are scanned. Therefore, you should exclude the following processes from file-level scanners. Keep in mind that a process exclusion exempts every file that process reads or writes (which for W3wp.exe and Powershell.exe is a lot), so these exclusions should only be used alongside an Exchange-aware scanner that inspects message content.
- Cdb.exe
- Cidaemon.exe
- Clussvc.exe
- Dsamain.exe
- EdgeCredentialSvc.exe
- EdgeTransport.exe
- ExFBA.exe
- GalGrammarGenerator.exe
- Inetinfo.exe
- Mad.exe
- Microsoft.Exchange.AddressBook.Service.exe
- Microsoft.Exchange.AntispamUpdateSvc.exe
- Microsoft.Exchange.ContentFilter.Wrapper.exe
- Microsoft.Exchange.EdgeSyncSvc.exe
- Microsoft.Exchange.Imap4.exe
- Microsoft.Exchange.Imap4service.exe
- Microsoft.Exchange.Infoworker.Assistants.exe
- Microsoft.Exchange.Monitoring.exe
- Microsoft.Exchange.Pop3.exe
- Microsoft.Exchange.Pop3service.exe
- Microsoft.Exchange.ProtectedServiceHost.exe
- Microsoft.Exchange.RPCClientAccess.Service.exe
- Microsoft.Exchange.Search.Exsearch.exe
- Microsoft.Exchange.Servicehost.exe
- MSExchangeADTopologyService.exe
- MSExchangeFDS.exe
- MSExchangeMailboxAssistants.exe
- MSExchangeMailboxReplication.exe
- MSExchangeMailSubmission.exe
- MSExchangeRepl.exe
- MSExchangeTransport.exe
- MSExchangeTransportLogSearch.exe
- MSExchangeThrottling.exe
- Msftefd.exe
- Msftesql.exe
- OleConverter.exe
- Powershell.exe
- SESWorker.exe
- SpeechService.exe
- Store.exe
- TranscodingService.exe
- UmService.exe
- UmWorkerProcess.exe
- W3wp.exe
File-Level Antivirus Scanner File Name Extension Exclusions
In addition to excluding specific directories and processes, you should exclude the following Exchange-specific file name extensions as a secondary measure, in case a directory exclusion fails or files are moved. Extension exclusions apply to the whole server (a .log or .config file anywhere on disk is skipped), so apply this policy only to Exchange servers.
Application-related extensions:
- .config
- .dia
- .wsb
Database-related extensions:
- .chk
- .log
- .edb
- .jrs
- .que
Offline address book-related extensions:
- .lzx
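The three sections above (directory, process and extension exclusions, plus the mount point note) come together in the following script, which is an added example and not part of the original post. It assumes it is run in the Exchange Management Shell on an Exchange 2010 server, reads the database, log and queue locations from the server's own configuration rather than guessing them, and treats the fixed folders as the product's default locations, which you must adjust on a customised install. It applies the result with the Windows Defender Add-MpPreference cmdlet only if that cmdlet exists; otherwise it writes the lists to files for a third-party scanner's console.

```powershell
# Added example: build, check and apply the file-level AV exclusion set for one
# Exchange 2010 server. Assumptions: Exchange Management Shell on the server itself;
# fixed folders below are default locations; Add-MpPreference is optional.

$exRoot = $env:ExchangeInstallPath
if (-not $exRoot) { throw 'ExchangeInstallPath is not set; run this from the Exchange Management Shell.' }

function Get-ExchangeDirectoryExclusions {
    $dirs = New-Object System.Collections.Generic.List[string]

    # Database, log and checkpoint folders: read from configuration, not guessed.
    if (Get-Command Get-MailboxDatabase -ErrorAction SilentlyContinue) {
        $dbs = @(Get-MailboxDatabase -Server $env:COMPUTERNAME -ErrorAction SilentlyContinue) +
               @(Get-PublicFolderDatabase -Server $env:COMPUTERNAME -ErrorAction SilentlyContinue)
        foreach ($db in $dbs) {
            $dirs.Add((Split-Path "$($db.EdbFilePath)"))   # .edb plus the CatalogData-* index beside it
            $dirs.Add("$($db.LogFolderPath)")              # .log, .chk and .jrs
        }
    }

    # Transport log folders from Get-TransportServer; queue database paths from EdgeTransport.exe.config.
    $ts = Get-TransportServer -Identity $env:COMPUTERNAME -ErrorAction SilentlyContinue
    if ($ts) {
        foreach ($p in @($ts.MessageTrackingLogPath, $ts.ConnectivityLogPath,
                         $ts.ReceiveProtocolLogPath, $ts.SendProtocolLogPath)) {
            if ($p) { $dirs.Add("$p") }
        }
    }
    $cfg = Join-Path $exRoot 'Bin\EdgeTransport.exe.config'
    if (Test-Path -LiteralPath $cfg) {
        [xml]$xml = Get-Content -LiteralPath $cfg
        foreach ($key in 'QueueDatabasePath', 'QueueDatabaseLoggingPath') {
            $node = $xml.configuration.appSettings.add | Where-Object { $_.key -eq $key }
            if ($node -and $node.value) { $dirs.Add($node.value) }
        }
    }

    # Fixed folders (assumed default locations) for the remaining items in the post.
    foreach ($rel in 'TransportRoles\Logs', 'TransportRoles\Data\SenderReputation',
                     'TransportRoles\Data\IpFilter', 'TransportRoles\Pickup', 'TransportRoles\Replay',
                     'Working\OleConverter', 'ExchangeOAB', 'ClientAccess\OAB', 'Mailbox\MDBTEMP', 'Logging') {
        $dirs.Add((Join-Path $exRoot $rel))
    }
    $dirs.Add((Join-Path $env:SystemRoot 'System32\Inetsrv'))               # IIS system files
    $dirs.Add((Join-Path $env:SystemRoot 'IIS Temporary Compressed Files'))  # OWA compression folder
    $dirs.Add((Join-Path $env:SystemRoot 'Cluster'))                         # %Winnt%\Cluster on clustered servers
    # Not derivable here: the TMP folder of the service account, the file share witness
    # and any Exchange-aware AV folders. Add those by hand.

    $dirs | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique
}

function Get-MountPointDirectories {
    # Win32_MountPoint.Directory is a reference string such as: Win32_Directory.Name="E:\\Mounts\\DB1"
    Get-WmiObject -Class Win32_MountPoint | ForEach-Object {
        if ($_.Directory -match 'Name="(.+)"$') { ($Matches[1] -replace '\\\\', '\').TrimEnd('\') }
    } | Where-Object { $_ -notmatch '^[A-Za-z]:$' }   # drop plain drive-letter roots
}

function Test-ExclusionPaths([string[]]$Paths) {
    # Report whether each path exists and whether it sits on a mounted volume,
    # which needs its own exclusion (or the \Device\HarddiskVolume*\ rule).
    $mounts = @(Get-MountPointDirectories)
    foreach ($p in $Paths) {
        $onMount = @($mounts | Where-Object { $p.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        $mp = ''
        if ($onMount.Count -gt 0) { $mp = $onMount[0] }
        New-Object PSObject -Property @{ Path = $p; Exists = (Test-Path -LiteralPath $p); MountPoint = $mp }
    }
}

# Process and extension lists from the post.
$procs = -split @'
Cdb.exe Cidaemon.exe Clussvc.exe Dsamain.exe EdgeCredentialSvc.exe EdgeTransport.exe ExFBA.exe
GalGrammarGenerator.exe Inetinfo.exe Mad.exe Microsoft.Exchange.AddressBook.Service.exe
Microsoft.Exchange.AntispamUpdateSvc.exe Microsoft.Exchange.ContentFilter.Wrapper.exe
Microsoft.Exchange.EdgeSyncSvc.exe Microsoft.Exchange.Imap4.exe Microsoft.Exchange.Imap4service.exe
Microsoft.Exchange.Infoworker.Assistants.exe Microsoft.Exchange.Monitoring.exe Microsoft.Exchange.Pop3.exe
Microsoft.Exchange.Pop3service.exe Microsoft.Exchange.ProtectedServiceHost.exe
Microsoft.Exchange.RPCClientAccess.Service.exe Microsoft.Exchange.Search.Exsearch.exe
Microsoft.Exchange.Servicehost.exe MSExchangeADTopologyService.exe MSExchangeFDS.exe
MSExchangeMailboxAssistants.exe MSExchangeMailboxReplication.exe MSExchangeMailSubmission.exe
MSExchangeRepl.exe MSExchangeTransport.exe MSExchangeTransportLogSearch.exe MSExchangeThrottling.exe
Msftefd.exe Msftesql.exe OleConverter.exe Powershell.exe SESWorker.exe SpeechService.exe Store.exe
TranscodingService.exe UmService.exe UmWorkerProcess.exe W3wp.exe
'@
$exts = '.config', '.dia', '.wsb', '.chk', '.log', '.edb', '.jrs', '.que', '.lzx'

function Set-ScannerExclusions([string[]]$Dirs, [string[]]$Procs, [string[]]$Exts) {
    if (Get-Command Add-MpPreference -ErrorAction SilentlyContinue) {
        Add-MpPreference -ExclusionPath $Dirs -ExclusionProcess $Procs -ExclusionExtension $Exts
        (Get-MpPreference).ExclusionPath     # read back what the engine actually stored
    } else {
        $Dirs  | Set-Content -Path .\av-exclusions-dirs.txt
        $Procs | Set-Content -Path .\av-exclusions-procs.txt
        $Exts  | Set-Content -Path .\av-exclusions-exts.txt
        'No Add-MpPreference cmdlet here; lists written to .\av-exclusions-*.txt for the scanner console.'
    }
}

$report = Test-ExclusionPaths (Get-ExchangeDirectoryExclusions)
$report | Format-Table Path, Exists, MountPoint -AutoSize
# Only push paths that exist: a mistyped exclusion silently protects nothing.
$existing = $report | Where-Object { $_.Exists } | Select-Object -ExpandProperty Path
Set-ScannerExclusions -Dirs $existing -Procs $procs -Exts $exts
```

Review the table before trusting the result: a path whose MountPoint column is filled lives on a mounted volume, so add that mount point (or the \Device\HarddiskVolume*\ rule) to the scanner as the note above describes, and a path with Exists set to False is either a non-default location you need to supply or a role this server does not hold. The process list is deliberately broad, so keep an Exchange-aware scanner in place for message content.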