Exchange Server Recommendations for File-Level Antivirus Scanners

Written by Cheng Pei Koay, Premier Field Engineer.

If you are deploying file-level antivirus scanners on Exchange servers, make sure that the appropriate exclusions (directory exclusions, process exclusions, and file name extension exclusions) are in place for both scheduled and real-time scanning. This post describes the recommended exclusions for each server or server role.

The following links provide good background information on the topic: File-Level Antivirus Scanning on Exchange Server 2007 and File-Level Antivirus Scanning on Exchange Server 2010.

File-Level Antivirus Scanner

You must exclude specific directories for each Exchange server or server role on which you run a file-level antivirus scanner. This section describes the directories that you should exclude from file-level scanning for each server or server role.

Mailbox server role

  • Exchange databases, checkpoint files, and log files across all storage groups.
  • The location of a transaction log and checkpoint file
  • The location of a mailbox database
  • The location of a public folder database
  • Database content indexes.
  • General log files, such as message tracking log files.
  • The Offline Address Book files
  • IIS system files
  • The temporary folder that is used with offline maintenance utilities
  • The temporary folders that are used to perform conversions:
      • Content conversions
      • OLE conversions
  • The Mailbox database temporary folder
  • Any Exchange-aware antivirus program folders

Clustered Mailbox server

All the items listed in the Mailbox server role list, and the following:

  • The quorum disk and the %Winnt%\Cluster folder
  • The file share witness.

Hub Transport server role

  • General log files, for example, message tracking.
  • The message folders
  • The transport server role queue database, checkpoint, and log files.
  • The transport server role Sender Reputation database, checkpoint, and log files
  • The transport server role IP filter database, checkpoint, and log files
  • The temporary folders that are used to perform conversions:
      • Content conversions are performed in the server’s TMP folder.
      • OLE conversions are performed
  • Any Exchange-aware antivirus program folders

Client Access server role

  • The Internet Information Services (IIS) 6.0 compression folder that is used with Microsoft Outlook Web Access.
  • IIS system files
  • The Internet-related files
  • The temporary folder that is used to perform content conversion

Note: If you use volume mount points, you need to exclude them as well. This article written by Tim McMichaels explains this very clearly. If you need to cover all mount points, you can set the exclusion to “\Device\HarddiskVolume*\”.
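The directory lists above describe locations by role, but on a real server the databases, logs and queue files are rarely at the defaults. The following script is an added example (not code from the original post or from Microsoft) that builds the directory exclusion list for the roles installed on the local server by reading the configured paths from Exchange 2007/2010 cmdlets (Get-MailboxDatabase, Get-PublicFolderDatabase, Get-MailboxServer, Get-TransportServer) and from the transport service's configuration file; it assumes it is run in the Exchange Management Shell, that $env:ExchangeInstallPath is set by Exchange setup, and that the transport configuration file lives at Bin\EdgeTransport.exe.config under that path. Locations the post names but no cmdlet reports are emitted as labelled placeholders for you to fill in from the linked scanning articles.

```powershell
# Added example, not part of the original post: enumerate the directories to
# exclude from file-level scanning on this server, using the paths Exchange is
# actually configured with rather than assumed default install locations.
# Assumes the Exchange Management Shell (Exchange 2007/2010 cmdlets).

$server  = $env:COMPUTERNAME
$install = $env:ExchangeInstallPath          # set by Exchange setup on every role
$roles   = [string](Get-ExchangeServer -Identity $server).ServerRole
$paths   = New-Object System.Collections.Generic.List[string]

function Add-ExclusionPath([string]$p) {
    # Drop empty values and duplicates so the output pastes cleanly into a scanner console
    if ($p -and -not $paths.Contains($p)) { $paths.Add($p) }
}

if ($roles -match 'Mailbox') {
    # Per database: the .edb directory, the transaction log folder and the
    # system folder that holds the .chk checkpoint file
    $dbs = @(Get-MailboxDatabase -Server $server) + @(Get-PublicFolderDatabase -Server $server)
    foreach ($db in $dbs) {
        Add-ExclusionPath (Split-Path $db.EdbFilePath.PathName -Parent)
        Add-ExclusionPath $db.LogFolderPath.PathName
        Add-ExclusionPath $db.SystemFolderPath.PathName
    }
    # Message tracking logs written by the mailbox server role
    Add-ExclusionPath (Get-MailboxServer -Identity $server).MessageTrackingLogPath.PathName
}

if ($roles -match 'HubTransport') {
    $ts = Get-TransportServer -Identity $server
    # Log and message folders the transport role exposes as configured paths
    foreach ($prop in 'MessageTrackingLogPath', 'ConnectivityLogPath', 'ReceiveProtocolLogPath',
                      'SendProtocolLogPath', 'PickupDirectoryPath', 'ReplayDirectoryPath') {
        if ($ts.$prop) { Add-ExclusionPath $ts.$prop.PathName }
    }
    # The queue database location is not exposed by a cmdlet; it is read from
    # the transport service's configuration file (assumed location under Bin)
    $cfgFile = Join-Path $install 'Bin\EdgeTransport.exe.config'
    if (Test-Path $cfgFile) {
        $cfg = [xml](Get-Content $cfgFile)
        foreach ($key in 'QueueDatabasePath', 'QueueDatabaseLoggingPath') {
            $entry = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq $key }
            if ($entry) { Add-ExclusionPath $entry.value }
        }
    }
    # Content conversions are performed in the server's TMP folder
    Add-ExclusionPath $env:TEMP
}

if ($roles -match 'ClientAccess') {
    # Content conversion on the Client Access role also uses the TMP folder
    Add-ExclusionPath $env:TEMP
}

# Locations the post lists that no cmdlet reports. These are placeholders, not
# real paths: replace them with the values from the scanning article for your
# Exchange version before handing the list to the scanner administrator.
$placeholders = @(
    '<IIS system files folder>',
    '<IIS compression folder used by Outlook Web Access>',
    '<Offline Address Book files folder>',
    '<mailbox database temporary folder>',
    '<OLE conversion working folder>',
    '<Exchange-aware antivirus program folders>',
    '<quorum disk and cluster folder, clustered mailbox servers only>',
    '<file share witness, clustered mailbox servers only>'
)

$paths | Sort-Object | Set-Content -Path .\exchange-path-exclusions.txt
$placeholders       | Add-Content -Path .\exchange-path-exclusions.txt
Write-Host ("Wrote {0} discovered paths and {1} placeholders to exchange-path-exclusions.txt" -f $paths.Count, $placeholders.Count)
```

Run it once per server after any database or log path move; because the list is derived from the live configuration, a database relocated to a mount point produces the new directory automatically, which is exactly the case where a hand-maintained exclusion list silently goes stale.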

File-Level Antivirus Scanner Process Exclusions

Many file-level scanners now support the scanning of processes. This too can adversely affect Microsoft Exchange if the wrong processes are scanned. Therefore, you should exclude the following processes from file-level scanners.

  • Cdb.exe
  • Cidaemon.exe
  • Clussvc.exe
  • Dsamain.exe
  • EdgeCredentialSvc.exe
  • EdgeTransport.exe
  • ExFBA.exe
  • GalGrammarGenerator.exe
  • Inetinfo.exe
  • Mad.exe
  • Microsoft.Exchange.AddressBook.Service.exe
  • Microsoft.Exchange.AntispamUpdateSvc.exe
  • Microsoft.Exchange.ContentFilter.Wrapper.exe
  • Microsoft.Exchange.EdgeSyncSvc.exe
  • Microsoft.Exchange.Imap4.exe
  • Microsoft.Exchange.Imap4service.exe
  • Microsoft.Exchange.Infoworker.Assistants.exe
  • Microsoft.Exchange.Monitoring.exe
  • Microsoft.Exchange.Pop3.exe
  • Microsoft.Exchange.Pop3service.exe
  • Microsoft.Exchange.ProtectedServiceHost.exe
  • Microsoft.Exchange.RPCClientAccess.Service.exe
  • Microsoft.Exchange.Search.Exsearch.exe
  • Microsoft.Exchange.Servicehost.exe
  • MSExchangeADTopologyService.exe
  • MSExchangeFDS.exe
  • MSExchangeMailboxAssistants.exe
  • MSExchangeMailboxReplication.exe
  • MSExchangeMailSubmission.exe
  • MSExchangeRepl.exe
  • MSExchangeTransport.exe
  • MSExchangeTransportLogSearch.exe
  • MSExchangeThrottling.exe
  • Msftefd.exe
  • Msftesql.exe
  • OleConverter.exe
  • Powershell.exe
  • SESWorker.exe
  • SpeechService.exe
  • Store.exe
  • TranscodingService.exe
  • UmService.exe
  • UmWorkerProcess.exe
  • W3wp.exe

File-Level Antivirus Scanner File Name Extension Exclusions

In addition to excluding specific directories and processes, as a secondary measure, in case directory exclusions fail or files are moved, you should exclude the following Exchange-specific file name extensions.

Application-related extensions:

  • .config
  • .dia
  • .wsb

Database-related extensions:

  • .chk
  • .log
  • .edb
  • .jrs
  • .que

Offline address book-related extensions:

  • .lzx
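The process list and the extension list above are only useful if they are actually configured on the scanner, and not every listed process runs on every role. The script below is an added example (not code from the original post or from Microsoft) that checks both lists against the local server: it narrows the process list to the processes that are running here, reads the scanner's configured exclusions with Get-MpPreference, and reports what is missing. It assumes Windows Defender / Microsoft Defender Antivirus is the file-level scanner, since Get-MpPreference and Add-MpPreference exist only there; with another product the $missing lists are still the exact entries to type into that vendor's console. The -Apply switch is the example's own parameter.

```powershell
# Added example, not part of the original post: report (and optionally apply)
# the process and file name extension exclusions that are not yet configured
# on this server. Assumes Defender Antivirus is the scanner; other products
# will not have Get-MpPreference and only get the report.
param([switch]$Apply)

# Process names exactly as listed in the post
$processes = @(
    'Cdb.exe', 'Cidaemon.exe', 'Clussvc.exe', 'Dsamain.exe', 'EdgeCredentialSvc.exe',
    'EdgeTransport.exe', 'ExFBA.exe', 'GalGrammarGenerator.exe', 'Inetinfo.exe', 'Mad.exe',
    'Microsoft.Exchange.AddressBook.Service.exe', 'Microsoft.Exchange.AntispamUpdateSvc.exe',
    'Microsoft.Exchange.ContentFilter.Wrapper.exe', 'Microsoft.Exchange.EdgeSyncSvc.exe',
    'Microsoft.Exchange.Imap4.exe', 'Microsoft.Exchange.Imap4service.exe',
    'Microsoft.Exchange.Infoworker.Assistants.exe', 'Microsoft.Exchange.Monitoring.exe',
    'Microsoft.Exchange.Pop3.exe', 'Microsoft.Exchange.Pop3service.exe',
    'Microsoft.Exchange.ProtectedServiceHost.exe', 'Microsoft.Exchange.RPCClientAccess.Service.exe',
    'Microsoft.Exchange.Search.Exsearch.exe', 'Microsoft.Exchange.Servicehost.exe',
    'MSExchangeADTopologyService.exe', 'MSExchangeFDS.exe', 'MSExchangeMailboxAssistants.exe',
    'MSExchangeMailboxReplication.exe', 'MSExchangeMailSubmission.exe', 'MSExchangeRepl.exe',
    'MSExchangeTransport.exe', 'MSExchangeTransportLogSearch.exe', 'MSExchangeThrottling.exe',
    'Msftefd.exe', 'Msftesql.exe', 'OleConverter.exe', 'Powershell.exe', 'SESWorker.exe',
    'SpeechService.exe', 'Store.exe', 'TranscodingService.exe', 'UmService.exe',
    'UmWorkerProcess.exe', 'W3wp.exe'
)

# Extensions exactly as listed in the post (application, database, OAB)
$extensions = @('.config', '.dia', '.wsb', '.chk', '.log', '.edb', '.jrs', '.que', '.lzx')

# Only the listed processes that actually run on this server matter for the
# file-level scan; e.g. UmService.exe is absent without the Unified Messaging role.
# Get-Process reports names without .exe, and -contains compares case-insensitively.
$running  = Get-Process | ForEach-Object { $_.ProcessName + '.exe' }
$relevant = $processes | Where-Object { $running -contains $_ }

$pref = $null
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) { $pref = Get-MpPreference }

if ($pref) {
    # Defender stores process exclusions by image name or full path; a name match
    # is what the post asks for. Extension exclusions may be stored with or
    # without the leading dot, so both forms count as present.
    $missingProc = $relevant | Where-Object { $pref.ExclusionProcess -notcontains $_ }
    $missingExt  = $extensions | Where-Object {
        $pref.ExclusionExtension -notcontains $_ -and
        $pref.ExclusionExtension -notcontains $_.TrimStart('.')
    }
} else {
    # No Defender cmdlets: everything relevant is reported as missing so the
    # output can be handed to the scanner's own administration console
    $missingProc = $relevant
    $missingExt  = $extensions
}

if ($Apply -and $pref) {
    if ($missingProc) { Add-MpPreference -ExclusionProcess $missingProc }
    if ($missingExt)  { Add-MpPreference -ExclusionExtension $missingExt }
}

# Summary object: which listed processes run here and what still needs excluding
[pscustomobject]@{
    Scanner           = if ($pref) { 'Defender' } else { 'other (report only)' }
    RunningListed     = $relevant
    MissingProcesses  = @($missingProc)
    MissingExtensions = @($missingExt)
    Applied           = [bool]($Apply -and $pref)
}
```

Run it without -Apply first and keep the output with the change record; because the process check is based on what is running, re-run it after adding a role to the server, when new Exchange processes appear that the earlier run could not have seen.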