Exchange Server 2010 and Antivirus exclusions
By now, everyone is painfully aware of the problems you can have without setting proper antivirus exclusions for an Exchange server. Thankfully, antivirus (and Exchange Server) products have come a long way since the days when I had a shirt that said “Friends don’t let friends scan the M: drive”, but excluding the right files, file types, and processes is still necessary.
I recently performed an engagement for a customer where we stood up an Exchange Server 2010 server in a lab environment and installed Forefront Endpoint Protection 2010 on it. After installing FEP, we needed to configure the antivirus exclusions per the TechNet guidance. That turned out to be a little tedious: the TechNet guidance is great at listing each necessary exclusion, but not at listing them in a form you can cut and paste.
For current versions of Microsoft Exchange server, you can find the proper antivirus exclusions at these locations on TechNet:
While having these links is AWESOME for helping engineers configure the product, it is a little time-consuming to go through and set up the exclusions as they are listed in the TechNet articles. The intention of this post is to make life easier for the administrator configuring antivirus exclusions for Exchange Server, so below I have taken the antivirus exclusions for Exchange Server 2010 and put them in a cut-and-paste-friendly form.
One quick note about the exclusions: I have also included the processes and executables. I can't stress enough how important it is to exclude the processes when setting up your antivirus exclusions for Exchange. If you have not done so, or do not plan to exclude Exchange-related processes, I would ask you to reconsider, because it is extremely beneficial for the health of the system. You do not want file-level antivirus scanning what an Exchange process has in memory or holds open, because it can and will lock or quarantine items, and a quarantined database, log, or queue file takes the service down with it.
I am not going to list any file paths below, because the TechNet articles above list those paths very well and also show how to discover them on your own server via the Exchange Management Shell / PowerShell or other means. Do not overlook adding the file paths to your list of exclusions! Below I list only the individual processes and file extensions, in a cut-and-paste-friendly form, for those running Exchange Server 2010.
Processes to be Excluded:
Cdb.exe
Cidaemon.exe
Clussvc.exe
Dsamain.exe
EdgeCredentialSvc.exe
EdgeTransport.exe
ExFBA.exe
GalGrammarGenerator.exe
Inetinfo.exe
Mad.exe
Microsoft.Exchange.AddressBook.Service.exe
Microsoft.Exchange.AntispamUpdateSvc.exe
Microsoft.Exchange.ContentFilter.Wrapper.exe
Microsoft.Exchange.EdgeSyncSvc.exe
Microsoft.Exchange.Imap4.exe
Microsoft.Exchange.Imap4service.exe
Microsoft.Exchange.Infoworker.Assistants.exe
Microsoft.Exchange.Monitoring.exe
Microsoft.Exchange.Pop3.exe
Microsoft.Exchange.Pop3service.exe
Microsoft.Exchange.ProtectedServiceHost.exe
Microsoft.Exchange.RPCClientAccess.Service.exe
Microsoft.Exchange.Search.Exsearch.exe
Microsoft.Exchange.Servicehost.exe
MSExchangeADTopologyService.exe
MSExchangeFDS.exe
MSExchangeMailboxAssistants.exe
MSExchangeMailboxReplication.exe
MSExchangeMailSubmission.exe
MSExchangeRepl.exe
MSExchangeThrottling.exe
MSExchangeTransport.exe
MSExchangeTransportLogSearch.exe
Msftefd.exe
Msftesql.exe
OleConverter.exe
Powershell.exe
SESWorker.exe
SpeechService.exe
Store.exe
TranscodingService.exe
UmService.exe
UmWorkerProcess.exe
W3wp.exe
If you are also running Forefront Security for Exchange, exclude the following processes as well:
Adonavsvc.exe
FscController.exe
FscDiag.exe
FscExec.exe
FscImc.exe
FscManualScanner.exe
FscMonitor.exe
FscRealtimeScanner.exe
FscStarter.exe
FscStatsServ.exe
FscTransportScanner.exe
FscUtility.exe
FsEmailPickup.exe
FssaClient.exe
GetEngineFiles.exe
PerfmonitorSetup.exe
ScanEngineTest.exe
SemSetup.exe
File name/type related exclusions:
.config
.dia
.wsb
.chk
.jrs
.log
.edb
.jsl
.que
.lzx
.ci
.wid
.001
.dir
.000
.002
.cfg
.grxml
.dsc
.bin
.xml
.avc
.dt
.lst
.cab
.fdb
.mdb
.fdm
.ppl
.ide
.set
.da1
.key
.v3d
.dat
.klb
.vdb
.def
.kli
.vdm
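The following script is an added example of my own, not code from the original post or from Microsoft. It ties the three pieces of the post together: it carries the process and extension lists above, discovers the directory paths on the local server with the Exchange Management Shell cmdlets the TechNet articles point you to (database and log folders, transport log folders, and the queue database location from EdgeTransport.exe.config), and then reports which of those exclusions FEP is not yet applying. Two things are assumptions rather than facts from the post: that you run it inside the Exchange Management Shell as an administrator on the Exchange server, and that FEP 2010 stores its exclusions under the registry key held in `$FepExclusionRoot` (the layout SCEP and Defender later used); check that key exists on your build before trusting the "missing" report.

```powershell
# Added example (not from the original post or from Microsoft). Builds the Exchange
# 2010 exclusion set from the lists in the post plus paths discovered on this server,
# then reports what FEP does not yet exclude.
# Assumptions: run in the Exchange Management Shell as an administrator on the Exchange
# server; FEP 2010 keeps exclusions under $FepExclusionRoot (verify on your build).

$FepExclusionRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions'

# Process exclusions from the post (Exchange 2010 only; add the FSE names if installed).
$Processes = @(
    'Cdb.exe','Cidaemon.exe','Clussvc.exe','Dsamain.exe','EdgeCredentialSvc.exe',
    'EdgeTransport.exe','ExFBA.exe','GalGrammarGenerator.exe','Inetinfo.exe','Mad.exe',
    'Microsoft.Exchange.AddressBook.Service.exe','Microsoft.Exchange.AntispamUpdateSvc.exe',
    'Microsoft.Exchange.ContentFilter.Wrapper.exe','Microsoft.Exchange.EdgeSyncSvc.exe',
    'Microsoft.Exchange.Imap4.exe','Microsoft.Exchange.Imap4service.exe',
    'Microsoft.Exchange.Infoworker.Assistants.exe','Microsoft.Exchange.Monitoring.exe',
    'Microsoft.Exchange.Pop3.exe','Microsoft.Exchange.Pop3service.exe',
    'Microsoft.Exchange.ProtectedServiceHost.exe','Microsoft.Exchange.RPCClientAccess.Service.exe',
    'Microsoft.Exchange.Search.Exsearch.exe','Microsoft.Exchange.Servicehost.exe',
    'MSExchangeADTopologyService.exe','MSExchangeFDS.exe','MSExchangeMailboxAssistants.exe',
    'MSExchangeMailboxReplication.exe','MSExchangeMailSubmission.exe','MSExchangeRepl.exe',
    'MSExchangeThrottling.exe','MSExchangeTransport.exe','MSExchangeTransportLogSearch.exe',
    'Msftefd.exe','Msftesql.exe','OleConverter.exe','Powershell.exe','SESWorker.exe',
    'SpeechService.exe','Store.exe','TranscodingService.exe','UmService.exe',
    'UmWorkerProcess.exe','W3wp.exe'
)

# Extension exclusions from the post.
$Extensions = @(
    '.config','.dia','.wsb','.chk','.jrs','.log','.edb','.jsl','.que','.lzx','.ci','.wid',
    '.001','.dir','.000','.002','.cfg','.grxml','.dsc','.bin','.xml','.avc','.dt','.lst',
    '.cab','.fdb','.mdb','.fdm','.ppl','.ide','.set','.da1','.key','.v3d','.dat','.klb',
    '.vdb','.def','.kli','.vdm'
)

# Directory exclusions discovered from the running server with EMS cmdlets, which is
# what the TechNet articles tell you to do instead of hard-coding paths.
function Get-ExchangeExclusionPaths {
    $paths = New-Object System.Collections.Generic.List[string]
    $paths.Add($env:ExchangeInstallPath)               # set by Exchange 2010 setup

    # Databases: the EDB folder (the content index sits beside it) and the log folder.
    $dbs = @(Get-MailboxDatabase -Server $env:COMPUTERNAME -ErrorAction SilentlyContinue) +
           @(Get-PublicFolderDatabase -Server $env:COMPUTERNAME -ErrorAction SilentlyContinue)
    foreach ($db in $dbs) {
        $paths.Add((Split-Path "$($db.EdbFilePath)" -Parent))
        $paths.Add("$($db.LogFolderPath)")
    }

    # Hub/Edge Transport: log folders from Get-TransportServer, plus the queue database,
    # whose location lives only in EdgeTransport.exe.config.
    $ts = Get-TransportServer $env:COMPUTERNAME -ErrorAction SilentlyContinue
    if ($ts) {
        foreach ($prop in 'MessageTrackingLogPath','ConnectivityLogPath','ReceiveProtocolLogPath',
                          'SendProtocolLogPath','PipelineTracingPath','RoutingTableLogPath') {
            if ($ts.$prop) { $paths.Add("$($ts.$prop)") }
        }
        $cfg = Join-Path $env:ExchangeInstallPath 'Bin\EdgeTransport.exe.config'
        if (Test-Path $cfg) {
            [xml]$x = Get-Content $cfg
            $x.configuration.appSettings.add |
                Where-Object { 'QueueDatabasePath','QueueDatabaseLoggingPath' -contains $_.key } |
                ForEach-Object { $paths.Add($_.value) }
        }
    }
    $paths | Where-Object { $_ } | Sort-Object -Unique
}

# Value names FEP currently has under Exclusions\<Paths|Extensions|Processes>.
function Get-FepExclusions([string]$Kind) {
    $key = Join-Path $FepExclusionRoot $Kind
    if (Test-Path $key) { (Get-Item $key).GetValueNames() } else { @() }
}

# Case, a trailing backslash on a path and a leading dot on an extension all vary between
# what you typed and what the product stores, so compare a normalized form.
function ConvertTo-ExclusionKey([string]$Value) {
    $Value.Trim().TrimEnd('\').TrimStart('.').ToLowerInvariant()
}

function Compare-ExchangeExclusions {
    $wanted = @{ Paths = @(Get-ExchangeExclusionPaths); Extensions = $Extensions; Processes = $Processes }
    $missing = @{}
    foreach ($kind in $wanted.Keys) {
        $have = @(Get-FepExclusions $kind | ForEach-Object { ConvertTo-ExclusionKey $_ })
        $missing[$kind] = @($wanted[$kind] | Where-Object { $have -notcontains (ConvertTo-ExclusionKey $_) })
    }
    $missing
}

$missing = Compare-ExchangeExclusions
foreach ($kind in 'Paths','Extensions','Processes') {
    Write-Host ""
    Write-Host "== $kind the post calls for that FEP is not excluding: $($missing[$kind].Count) =="
    $missing[$kind]
}
```

Run it from the Exchange Management Shell on each Exchange server, since the discovery only sees the roles installed locally. The three lists it prints are what you paste into your FEP policy template (the route the post recommends) rather than write into the registry by hand. One caveat on the extension list as written: .xml, .bin, .dat, .config and .log are not Exchange-specific, so where your product can scope extension exclusions to the Exchange directories, do that instead of excluding them disk-wide.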
Hopefully anyone who needs to configure their antivirus software manually will find this beneficial. If you are using Forefront Endpoint Protection on the server, you can apply the custom Group Policy templates for FEP to your Exchange Servers to configure exclusions for Exchange as well as a wide variety of other applications. You can download information on the policy templates here.
And one last note: for all those companies out there that don't run file-level antivirus on your Exchange Servers, please reconsider! I dread the day a virus comes along and ruins your day, and a whole lot of PFEs' days as well.
Comments
Anonymous
January 01, 2003
Great article. I don't have to worry about Exchange yet, but I'm sure that only too soon, my day will come.
Anonymous
January 01, 2003
Thanks @cron22! I read your bio on your profile - keep plugging away at it. Exchange is the fun stuff! :)
Anonymous
March 20, 2014
Daya Patil, who works as a Premier Field Engineer at Microsoft India, focused on Exchange and Active
Anonymous
September 16, 2014
Hi,
The link to Exch2010 doesn't work so we have no file path for exclusions.
Anonymous
July 09, 2015
Refer below link for File-Level Antivirus Scanning on Exchange 2010
https://technet.microsoft.com/en-us/library/bb332342(v=exchg.141).aspx