Last updated on Jun 4, 2018
Antivirus exclusions for Exchange 2016 servers
In this post, we will look at the Windows antivirus exclusions needed to run a successful Exchange 2016 environment.
It is not uncommon to run antivirus programs on your Exchange 2016 servers; however, if the configuration is not done correctly, it can have negative effects on your servers.
There are two basic components of any Windows antivirus program:
- Memory-resident scanning or real-time protection monitors all files and processes that are loaded and running in a computer’s active memory.
- File-level scanning refers to checking files on the hard disk for viruses manually or on a regular schedule. Some antivirus programs start an on-demand scan automatically after the virus signatures are updated to make sure that all files are scanned with the latest signatures.
“The biggest potential problem is a Windows antivirus program might lock or quarantine an open log file or database file that Exchange needs to modify. This can cause severe failures in Exchange 2016, and it might also generate 1018 event log errors. Therefore, excluding these files from being scanned by the Windows antivirus program is very important.
Another issue to consider is that Windows antivirus programs can’t replace email-based antispam and antimalware solutions because Windows antivirus programs that run on Windows servers can’t detect viruses, malware, and spam that are distributed only through email.”
Recommended Windows antivirus exclusions for Exchange 2016 servers.
When you deploy a Windows antivirus program on an Exchange 2016 server, make sure that the folder exclusions, process exclusions, and file name extension exclusions that are described in these sections are configured for both memory-resident and file-level scanning.
Note: The %ExchangeInstallPath% value is typically C:\Program Files\Microsoft\Exchange Server\V15\ (includes a trailing “\”), the %SystemRoot% value is typically C:\Windows (doesn’t include a trailing “\”), and the %SystemDrive% value is typically C: (doesn’t include a trailing “\”). The locations of many of these Exchange folders are configurable in the Exchange Management Shell. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
Folder exclusions
Exclude the following folders from file-level scanning and memory-resident scanning on Exchange 2016 servers.
Folder | Category | Servers |
%SystemRoot%\Cluster | DAGs | Mailbox servers |
%SystemDrive%\DAGFileShareWitnesses\<DAGFQDN> | DAGs | Any |
%ExchangeInstallPath%ClientAccess\OAB | Offline Address Books | Mailbox servers |
%ExchangeInstallPath%FIP-FS | Antimalware and DLP | Mailbox servers |
%ExchangeInstallPath%GroupMetrics | MailTips | Mailbox servers |
%ExchangeInstallPath%Logging | Exchange process logs | |
%ExchangeInstallPath%Mailbox | Mailbox databases | Mailbox servers |
%ExchangeInstallPath%TransportRoles\Data\Adam | EdgeSync | Edge Transport servers |
%ExchangeInstallPath%TransportRoles\Data\IpFilter | Connection filtering | Edge Transport servers |
%ExchangeInstallPath%TransportRoles\Data\Queue | Queues | Mailbox servers, Edge Transport servers |
%ExchangeInstallPath%TransportRoles\Data\SenderReputation | Sender reputation | Edge Transport servers, Mailbox servers |
%ExchangeInstallPath%TransportRoles\Data\Temp | Content conversion | Mailbox servers, Edge Transport servers |
%ExchangeInstallPath%TransportRoles\Logs | Transport logs | Mailbox servers, Edge Transport servers (Transport service only) |
%ExchangeInstallPath%TransportRoles\Pickup | Pickup directory | Mailbox servers, Edge Transport servers |
%ExchangeInstallPath%TransportRoles\Replay | Replay directory | Mailbox servers, Edge Transport servers |
%ExchangeInstallPath%UnifiedMessaging\Grammars | Unified Messaging | Mailbox servers |
%ExchangeInstallPath%UnifiedMessaging\Prompts | Unified Messaging | Mailbox servers |
%ExchangeInstallPath%UnifiedMessaging\Temp | Unified Messaging | Mailbox servers |
%ExchangeInstallPath%UnifiedMessaging\Voicemail | Unified Messaging | Mailbox servers |
%ExchangeInstallPath%Working\OleConverter | Content conversion | Mailbox servers, Edge Transport servers |
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files | Web components | Mailbox servers |
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files | Web components | Mailbox servers |
%SystemRoot%\System32\Inetsrv | Web components | Mailbox servers |
%SystemRoot%\Temp\OICE_<GUID>\ | Exchange Search | Mailbox servers |
Process exclusions
Many antivirus programs support the scanning of processes, which can adversely affect Microsoft Exchange if the incorrect processes are scanned. Therefore, you should exclude the following Exchange or related processes from process scanning.
Process | Path | Servers |
ComplianceAuditService.exe | %ExchangeInstallPath%Bin | Mailbox servers |
Dsamain.exe | %SystemRoot%\System32 | Edge Transport servers |
EdgeTransport.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
fms.exe | %ExchangeInstallPath%FIP-FS\Bin | Mailbox servers |
hostcontrollerservice.exe | %ExchangeInstallPath%Bin\Search\Ceres\HostController | Mailbox servers |
inetinfo.exe | %SystemRoot%\System32\inetsrv | Mailbox servers |
Microsoft.Exchange.AntispamUpdateSvc.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
Microsoft.Exchange.ContentFilter.Wrapper.exe | %ExchangeInstallPath%TransportRoles\agents\Hygiene | Mailbox servers, Edge Transport servers |
Microsoft.Exchange.Diagnostics.Service.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
Microsoft.Exchange.Directory.TopologyService.exe | %ExchangeInstallPath%Bin | Mailbox servers |
Microsoft.Exchange.EdgeCredentialSvc.exe | %ExchangeInstallPath%Bin | Edge Transport servers |
Microsoft.Exchange.EdgeSyncSvc.exe | %ExchangeInstallPath%Bin | Mailbox servers |
Microsoft.Exchange.Imap4.exe | %ExchangeInstallPath%FrontEnd\PopImap | Mailbox servers |
Microsoft.Exchange.Imap4service.exe | %ExchangeInstallPath%ClientAccess\PopImap | Mailbox servers |
Microsoft.Exchange.Notifications.Broker.exe | %ExchangeInstallPath%Bin | Mailbox servers |
Microsoft.Exchange.Pop3.exe | %ExchangeInstallPath%FrontEnd\PopImap | Mailbox servers |
Microsoft.Exchange.Pop3service.exe | %ExchangeInstallPath%ClientAccess\PopImap | Mailbox servers |
Microsoft.Exchange.ProtectedServiceHost.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
Microsoft.Exchange.RPCClientAccess.Service.exe | %ExchangeInstallPath%Bin | Mailbox servers |
Microsoft.Exchange.Search.Service.exe | %ExchangeInstallPath%Bin | Mailbox servers |
Microsoft.Exchange.Servicehost.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
Microsoft.Exchange.Store.Service.exe | %ExchangeInstallPath%Bin | Mailbox servers |
Microsoft.Exchange.Store.Worker.exe | %ExchangeInstallPath%Bin | Mailbox servers |
Microsoft.Exchange.UM.CallRouter.exe | %ExchangeInstallPath%FrontEnd\CallRouter | Mailbox servers |
MSExchangeCompliance.exe | %ExchangeInstallPath%Bin | Mailbox servers |
MSExchangeDagMgmt.exe | %ExchangeInstallPath%Bin | Mailbox servers |
MSExchangeDelivery.exe | %ExchangeInstallPath%Bin | Mailbox servers |
MSExchangeFrontendTransport.exe | %ExchangeInstallPath%Bin | Mailbox servers |
MSExchangeHMHost.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
MSExchangeHMWorker.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
MSExchangeMailboxAssistants.exe | %ExchangeInstallPath%Bin | Mailbox servers |
MSExchangeMailboxReplication.exe | %ExchangeInstallPath%Bin | Mailbox servers |
MSExchangeRepl.exe | %ExchangeInstallPath%Bin | Mailbox servers |
MSExchangeSubmission.exe | %ExchangeInstallPath%Bin | Mailbox servers |
MSExchangeTransport.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
MSExchangeTransportLogSearch.exe | %ExchangeInstallPath%Bin | Mailbox servers, Edge Transport servers |
MSExchangeThrottling.exe | %ExchangeInstallPath%Bin | Mailbox servers |
Noderunner.exe | %ExchangeInstallPath%Bin\Search\Ceres\Runtime\1.0 | Mailbox servers |
OleConverter.exe | %ExchangeInstallPath%Bin | Mailbox servers |
ParserServer.exe | %ExchangeInstallPath%Bin\Search\Ceres\ParserServer | Mailbox servers |
Powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0 | Mailbox servers, Edge Transport servers |
ScanEngineTest.exe | %ExchangeInstallPath%FIP-FS\Bin | Mailbox servers |
ScanningProcess.exe | %ExchangeInstallPath%FIP-FS\Bin | Mailbox servers |
UmService.exe | %ExchangeInstallPath%Bin | Mailbox servers |
UmWorkerProcess.exe | %ExchangeInstallPath%Bin | Mailbox servers |
UpdateService.exe | %ExchangeInstallPath%FIP-FS\Bin | Mailbox servers |
W3wp.exe | %SystemRoot%\System32\inetsrv | Mailbox servers |
wsbexchange.exe | %ExchangeInstallPath%Bin | Mailbox servers |
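An added example, not part of the original post: a PowerShell check that compares rows of the process table above with the process exclusions actually configured, assuming Microsoft Defender Antivirus is the scanner. The function name, the status labels and the sample configured list are made up for illustration.

```powershell
# Added example (not from the original post). Assumes Microsoft Defender Antivirus.
function Compare-ProcessExclusion {
    param(
        [string[]]$TableRow,    # rows in the "Process | Path | Servers |" form above
        [string[]]$Configured,  # live value: (Get-MpPreference).ExclusionProcess
        [string]$Role        = 'Mailbox servers',
        [string]$InstallPath = $env:ExchangeInstallPath,  # already ends in "\"
        [string]$SystemRoot  = $env:SystemRoot            # no trailing "\"
    )
    # Turn each table row for this role into the full path of the executable.
    $expected = @(foreach ($row in $TableRow) {
        $name, $dir, $servers, $null = $row.Split('|').Trim()
        if ($servers -notlike "*$Role*") { continue }
        $dir = $dir.Replace('%ExchangeInstallPath%', $InstallPath).Replace('%SystemRoot%', $SystemRoot)
        "$dir\$name"
    })
    $leaves = @($expected | Split-Path -Leaf)

    foreach ($path in $expected) {
        # -contains is case-insensitive, which matches Windows path semantics.
        $status = 'Missing'
        # A bare file name excludes that process name wherever the binary sits.
        if ($Configured -contains (Split-Path $path -Leaf)) { $status = 'NameOnly' }
        if ($Configured -contains $path) { $status = 'OK' }
        [pscustomobject]@{ Status = $status; Entry = $path }
    }
    # Configured exclusions that no table row accounts for deserve a review.
    foreach ($entry in $Configured) {
        if ($expected -notcontains $entry -and $leaves -notcontains $entry) {
            [pscustomobject]@{ Status = 'NotInTable'; Entry = $entry }
        }
    }
}

# Constructed sample: three rows from the table and a made-up configured list.
$sample = @{
    TableRow    = 'fms.exe | %ExchangeInstallPath%FIP-FS\Bin | Mailbox servers |',
                  'W3wp.exe | %SystemRoot%\System32\inetsrv | Mailbox servers |',
                  'Dsamain.exe | %SystemRoot%\System32 | Edge Transport servers |'
    Configured  = 'C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\fms.exe',
                  'w3wp.exe', 'C:\Tools\backup.exe'
    InstallPath = 'C:\Program Files\Microsoft\Exchange Server\V15\'
    SystemRoot  = 'C:\Windows'
}
Compare-ProcessExclusion @sample | Format-Table -AutoSize
```

With the sample data, fms.exe reports OK, W3wp.exe reports NameOnly, the Edge-only Dsamain.exe row is skipped, and C:\Tools\backup.exe reports NotInTable. The comparison is an exact string match, so exclusions written with wildcards show up as Missing and need a manual look.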
File name extension exclusions
In addition to excluding specific folders and processes, you should exclude the following Exchange-specific file name extensions in case folder exclusions fail or files are moved from their default locations.
Extensions | Description | Servers |
| Application-related extensions | Mailbox servers, Edge Transport servers |
| Database-related extensions | Mailbox servers, Edge Transport servers |
| Group Metrics-related extensions | Mailbox servers |
| Unified Messaging-related extensions | Mailbox servers |
| Offline address book-related extensions | Mailbox servers |
#ThatLazyAdmin
Thanks for providing this information! It has proven beneficial as we upgrade to Exchange 2016.