File-Level Antivirus Scanning on Exchange 2010

 

Applies to: Exchange Server 2010 SP2, Exchange Server 2010 SP3

This topic describes the effects of file-level antivirus programs on computers that are running Microsoft Exchange Server 2010. If you implement the recommendations described in this topic, you can help enhance the security and health of your Exchange organization.

File-level scanners are frequently used. However, if they are configured incorrectly, they can cause problems in Exchange 2010. There are two types of file-level scanners:

  • Memory-resident file-level scanning refers to a part of file-level antivirus software that is loaded in memory at all times. It checks all the files that are used on the hard disk and in computer memory.

  • On-demand file-level scanning refers to a part of file-level antivirus software that you can configure to scan files on the hard disk manually or on a schedule. Some versions of antivirus software start the on-demand scan automatically after virus signatures are updated to make sure that all files are scanned with the latest signatures.

The following problems may occur when you use file-level scanners with Exchange 2010:

  • File-level scanners may scan a file while it's in use or at a scheduled interval. This can cause the scanner to lock or quarantine an Exchange transaction log or database file while Microsoft Exchange is trying to use it. The result can be a severe failure in Microsoft Exchange, for example a database that can't be mounted because a log file it needs for recovery was quarantined, and can also include -1018 errors.

  • File-level scanners don't provide protection against e-mail-borne malware, such as the Storm Worm. Storm Worm was a backdoor Trojan horse that propagated through e-mail messages; it joined the infected computer to a botnet, which then used the computer to send spam in periodic bursts. Malware of this kind degrades the performance of the computer and of the network it's attached to. Because messages are held inside the Exchange databases and transport queue rather than as individual files, a file-level scanner can't inspect them; that job needs an Exchange-aware scanner that works at the transport or store level.
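The following script is an added check, not part of the original article: it searches the Application log for Error-level ESE and Information Store events that mention the -1018 code described above, so that you can correlate them with scanner activity. It assumes Windows Server 2008 or later (for Get-WinEvent) and that the relevant events come from the ESE and MSExchangeIS sources; both source names and the path-extraction pattern are assumptions made here for illustration.

```powershell
# Added example (not from the original article): find -1018 errors in the
# Application log. Assumes Windows Server 2008 or later and that the events
# are written by the ESE or MSExchangeIS sources (assumption).
function Get-Ese1018Events {
    param(
        [int]$Days = 7,
        [string[]]$Codes = @('-1018')
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = @('ESE', 'MSExchangeIS')   # assumed sources
        Level        = 2                          # 2 = Error
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $pattern = ($Codes | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($e in $events) {
        if ($e.Message -match $pattern) {
            # Pull the database, log or checkpoint path out of the message when one is present
            $path = $null
            if ($e.Message -match '([A-Za-z]:\\[^\r\n"]+\.(edb|log|chk))') { $path = $Matches[1] }
            New-Object PSObject -Property @{
                Time    = $e.TimeCreated
                Source  = $e.ProviderName
                EventId = $e.Id
                File    = $path
                Message = ($e.Message -split "`r?`n")[0]   # first line only
            }
        }
    }
}

# Run it; an empty result is the healthy outcome.
$hits = @(Get-Ese1018Events -Days 7)
if ($hits.Count -eq 0) {
    Write-Host 'No -1018 errors in the last 7 days.'
} else {
    $hits | Sort-Object Time | Format-Table Time, Source, EventId, File -AutoSize
    Write-Warning ("{0} event(s) reference -1018; check the scanner's quarantine and on-access log before assuming a storage fault." -f $hits.Count)
}
```

A -1018 is a page checksum mismatch and is most often a storage problem; the value of this check is in lining the timestamps and file paths up against the scanner's own logs, not in treating the event as proof of scanner interference.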

Recommendations for Using File-Level Scanning with Exchange 2010

If you're deploying file-level scanners on Exchange 2010 servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both memory-resident and on-demand scanning. This section describes directory exclusions, process exclusions, and file name extension exclusions for each server or server role.

Directory Exclusions

You must exclude specific directories for each Exchange server or server role on which you run a file-level antivirus scanner. This section describes the directories that you should exclude from file-level scanning for each server or server role.

  • Mailbox server role

    • Exchange databases, checkpoint files, and log files. By default, these are located in subfolders under the %ExchangeInstallPath%\Mailbox folder. Because databases and log folders are often moved to dedicated volumes, obtain the actual locations by running the following command in the Exchange Management Shell:

      • To determine the location of each mailbox database, its transaction logs, and its checkpoint file, run: Get-MailboxDatabase -Server <servername> | Format-List *Path*

    • Database content indexes. By default, these are located in the same folder as the database file.

    • Group Metrics files. By default, these files are located in the %ExchangeInstallPath%\GroupMetrics folder.

    • General log files, such as message tracking and calendar repair log files. By default, these files are located in subfolders under the %ExchangeInstallPath%\TransportRoles\Logs folder and the %ExchangeInstallPath%\Logging folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-MailboxServer <servername> | Format-List *Path*

    • The Offline Address Book files. By default, these are located in subfolders under the %ExchangeInstallPath%\ExchangeOAB folder.

    • IIS system files in the %SystemRoot%\System32\Inetsrv folder

    • The temporary folder that is used by offline maintenance utilities, such as Eseutil.exe. By default, the temporary database is created in the directory the utility is run from; you can direct it elsewhere with the utility's temporary-database option (for example, the /t switch of Eseutil /d) when you run it.

    • The Mailbox database temporary folder: %ExchangeInstallPath%\Mailbox\MDBTEMP

    • Any Exchange-aware antivirus program folders

  • Mailbox server that is a member of a database availability group

    • All the items listed for the Mailbox server role, plus the %SystemRoot%\Cluster folder (the folder used by the Windows Failover Clustering components that a DAG relies on; older documentation refers to it as %Winnt%\Cluster).

  • Witness server

    • The witness directory. This is located on a server outside the DAG, typically a Hub Transport server. By default, the directory is %SystemDrive%\DAGFileShareWitnesses\<DAGFQDN> and it is shared as <DAGFQDN> on that server. For more information about a database availability group (DAG) and witness servers, see Managing Database Availability Groups.

  • Hub Transport server role

    • General log files, for example, message tracking and connectivity logs. By default, these files are located in subfolders under the %ExchangeInstallPath%\TransportRoles\Logs folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | Format-List *LogPath*,*TracingPath*

    • Pickup and Replay message directory folders. By default, these folders are located under the %ExchangeInstallPath%\TransportRoles folder. To determine the paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | Format-List *DirectoryPath*

    • The transport server role queue database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\Queue folder. For more information, see Managing Transport Queues.

    • The transport server role Sender Reputation database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\SenderReputation folder.

    • The transport server role IP filter database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\IpFilter folder.

    • The temporary folders that are used to perform conversions:

      • By default, content conversions are performed in the TMP folder of the account the Exchange services run under (Local System, so %SystemRoot%\Temp), not the TMP folder of the logged-on administrator.

      • By default, OLE conversions are performed in %ExchangeInstallPath%\Working\OleConvertor folder.

    • Any Exchange-aware antivirus program folders

  • Edge Transport server role

    • The Active Directory Lightweight Directory Service database (AD LDS) and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\Adam folder. For more information about AD LDS database files, see Modify AD LDS Configuration.

    • General log files, for example message tracking. By default, these files are located in subfolders under the %ExchangeInstallPath%\TransportRoles\Logs folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | Format-List *LogPath*,*TracingPath*

    • The Pickup and Replay message folders. By default, these are located under the %ExchangeInstallPath%\TransportRoles folder. To determine the paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | Format-List *DirectoryPath*

    • The transport server role queue database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\Queue folder. For more information about transport server queues, see Managing Transport Queues.

    • The transport server role Sender Reputation database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\SenderReputation folder.

    • The transport server role IP filter database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\IpFilter folder.

    • The temporary folders that are used to perform conversions:

      • By default, content conversions are performed in the TMP folder of the account the Exchange services run under (Local System, so %SystemRoot%\Temp).

      • By default, OLE conversions are performed in %ExchangeInstallPath%\Working\OleConvertor folder.

    • Any Exchange-aware antivirus program folders

  • Client Access server role

    • For servers using Internet Information Services (IIS) 7.0 or later (Windows Server 2008 and Windows Server 2008 R2), the compression folder that is used with Microsoft Outlook Web App. By default, the compression folder is located at %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files.

    • For servers using IIS 6.0, the compression folder that is used with Microsoft Outlook Web App. By default, the compression folder for IIS 6.0 is located at %systemroot%\IIS Temporary Compressed Files. (Exchange 2010 itself requires Windows Server 2008 or later and therefore IIS 7.0 or later; this entry is retained for the Knowledge Base reference.) For more information about possible errors resulting from scanning the IIS compression folder, see Microsoft Knowledge Base article 817442, A 0-byte file may be returned when compression is enabled on a server that is running IIS.

    • IIS system files in the %SystemRoot%\System32\Inetsrv folder

    • The IIS log folder, %SystemDrive%\inetpub\logs\LogFiles\W3SVC<siteID> (W3SVC1 for the Default Web Site)

    • The Internet-related files that are stored in the sub-folders of the %ExchangeInstallPath%\ClientAccess folder

    • For servers that have protocol logging enabled for POP3 or IMAP4, the following folders:

      • POP3 folder: %ExchangeInstallPath%\Logging\POP3

      • IMAP4 folder: %ExchangeInstallPath%\Logging\IMAP4

    • The temporary folders that are used to perform conversions:

      • By default, content conversions are performed in the TMP folder of the account the Exchange services run under (Local System, so %SystemRoot%\Temp).

      • By default, OLE conversions are performed in %ExchangeInstallPath%\Working\OleConvertor folder.

    • Temporary files in sub-folders of the %windir%\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files folder.

  • Unified Messaging server role

    • The grammar files for different locales, for example en-US or es-ES. By default, these are stored in the subfolders of the %ExchangeInstallPath%\UnifiedMessaging\grammars folder.

    • The voice prompts, greetings, and informational message files. By default, these are stored in the subfolders of the %ExchangeInstallPath%\UnifiedMessaging\Prompts folder.

    • The voicemail files that are temporarily stored in the %ExchangeInstallPath%\UnifiedMessaging\voicemail folder.

    • The temporary files generated by Unified Messaging. By default, these are stored in the %ExchangeInstallPath%\UnifiedMessaging\temp folder.

  • Microsoft Forefront Protection for Exchange Server

    • The Forefront installation folder. By default, this is %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\.

    • Any archived messages. By default, these are stored in the %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data\Archive folder.

    • Any quarantined files. By default, these are stored in the %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data\Quarantine folder.

    • The antivirus engine files. By default, these are stored in the subfolders of the %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data\Engines\x86 folder or the %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data\Engines\amd64 folder.

    • The configuration files. By default, these are stored in the %ProgramFiles(x86)%\Microsoft Forefront Protection for Exchange Server\Data folder.
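Because databases, log folders, and transport paths are routinely moved from the defaults listed above, the exclusion list should be built from the server's live configuration. The script below is an added example, not part of the original article: run in the Exchange Management Shell on the Exchange 2010 server, it reads every *Path* property from the Mailbox, database, and transport objects the article's commands query, adds the fixed folders the article lists for each role the server holds, reports which paths exist, and writes the list to a file for the scanner console. It assumes %ExchangeInstallPath% is set (Exchange Setup does this), that the Exchange services run as Local System (so the "server's TMP folder" is %SystemRoot%\Temp), and that the output file path is one of your choosing.

```powershell
# Added example (not from the original article). Builds the directory-exclusion
# list from this server's live Exchange 2010 configuration. Assumes
# $env:ExchangeInstallPath is set and services run as Local System.
$server  = $env:COMPUTERNAME
$install = ($env:ExchangeInstallPath).TrimEnd('\')
$outFile = "$env:TEMP\ExchangeAvExclusions.txt"     # assumed destination
$paths   = New-Object System.Collections.Generic.List[string]

function Add-Exclusion([string]$p) {
    if (-not $p) { return }
    # Database, checkpoint and queue entries are file paths; exclude the containing folder.
    if ($p -match '\.(edb|chk|que)$') { $p = Split-Path -Parent $p }
    $p = $p.TrimEnd('\')
    if (-not $paths.Contains($p)) { $paths.Add($p) }
}

# Every *Path* property on an Exchange server or database object is somewhere Exchange writes.
# -MemberType Properties also catches NoteProperty members on objects returned over remoting.
function Add-PathProperties($obj) {
    $props = $obj | Get-Member -MemberType Properties | Where-Object { $_.Name -like '*Path*' }
    foreach ($prop in $props) { Add-Exclusion ([string]$obj.($prop.Name)) }
}

# Folders the article lists that no cmdlet reports
foreach ($c in @("$install\Logging", "$install\TransportRoles\Logs",
                 "$install\Working\OleConvertor", "$env:SystemRoot\Temp")) { Add-Exclusion $c }

$mbx = Get-MailboxServer $server -ErrorAction SilentlyContinue
if ($mbx) {
    Add-PathProperties $mbx
    Get-MailboxDatabase -Server $server | ForEach-Object { Add-PathProperties $_ }
    foreach ($c in @("$install\Mailbox\MDBTEMP", "$install\GroupMetrics",
                     "$install\ExchangeOAB", "$env:SystemRoot\System32\Inetsrv")) { Add-Exclusion $c }
    if ($mbx.DatabaseAvailabilityGroup) {
        Add-Exclusion "$env:SystemRoot\Cluster"
        # The witness directory lives on another server; report it rather than exclude it here.
        $dag = Get-DatabaseAvailabilityGroup ([string]$mbx.DatabaseAvailabilityGroup)
        Write-Host ("Witness directory to exclude on {0}: {1}" -f $dag.WitnessServer, $dag.WitnessDirectory)
    }
}

$hub = Get-TransportServer $server -ErrorAction SilentlyContinue
if ($hub) {
    Add-PathProperties $hub    # message tracking, protocol, pipeline tracing, pickup, replay ...
    foreach ($c in 'Queue', 'SenderReputation', 'IpFilter') { Add-Exclusion "$install\TransportRoles\Data\$c" }
}

$cas = Get-ClientAccessServer $server -ErrorAction SilentlyContinue
if ($cas) {
    foreach ($c in @("$install\ClientAccess", "$install\Logging\POP3", "$install\Logging\IMAP4",
                     "$env:SystemDrive\inetpub\temp\IIS Temporary Compressed Files",
                     "$env:SystemDrive\inetpub\logs\LogFiles",
                     "$env:SystemRoot\System32\Inetsrv",
                     "$env:windir\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files")) { Add-Exclusion $c }
}

$um = Get-UMServer $server -ErrorAction SilentlyContinue
if ($um) {
    foreach ($c in 'grammars', 'Prompts', 'voicemail', 'temp') { Add-Exclusion "$install\UnifiedMessaging\$c" }
}

# Report: a MISSING entry is usually a default folder this role never created; an existing
# entry that is not in the scanner's exclusion list is the gap to close.
$paths | Sort-Object | ForEach-Object {
    $state = if (Test-Path -LiteralPath $_) { 'exists' } else { 'MISSING' }
    "{0,-8} {1}" -f $state, $_
}
$paths | Sort-Object | Out-File $outFile
Write-Host "Exclusion list written to $outFile"
```

Re-run the script after every database move or log-path change, and diff the output against what the scanner console actually has configured; the on-access scanner, not the on-demand scheduler, is the one that locks files while the Information Store is writing them.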

Process Exclusions

Many file-level scanners also support process-level scanning (inspecting the files a process opens, or the process's memory), which can adversely affect Microsoft Exchange if Exchange processes are included. Therefore, exclude the following processes from file-level scanners. Most scanner consoles expect the full path of the executable; the Exchange processes are installed under %ExchangeInstallPath%\Bin, and the rest (for example W3wp.exe, Inetinfo.exe, Clussvc.exe, Dsamain.exe, and Powershell.exe) are Windows components under %SystemRoot%.

  • Cdb.exe

  • Cidaemon.exe

  • Clussvc.exe

  • Dsamain.exe

  • EdgeTransport.exe

  • ExFBA.exe

  • GalGrammarGenerator.exe

  • Inetinfo.exe

  • Mad.exe

  • Microsoft.Exchange.AddressBook.Service.exe

  • Microsoft.Exchange.AntispamUpdateSvc.exe

  • Microsoft.Exchange.ContentFilter.Wrapper.exe

  • Microsoft.Exchange.EdgeCredentialSvc.exe

  • Microsoft.Exchange.EdgeSyncSvc.exe

  • Microsoft.Exchange.Imap4.exe

  • Microsoft.Exchange.Imap4service.exe

  • Microsoft.Exchange.Monitoring.exe

  • Microsoft.Exchange.Pop3.exe

  • Microsoft.Exchange.Pop3service.exe

  • Microsoft.Exchange.ProtectedServiceHost.exe

  • Microsoft.Exchange.RPCClientAccess.Service.exe

  • Microsoft.Exchange.Search.Exsearch.exe

  • Microsoft.Exchange.Servicehost.exe

  • MSExchangeADTopologyService.exe

  • MSExchangeFDS.exe

  • MSExchangeMailboxAssistants.exe

  • MSExchangeMailboxReplication.exe

  • MSExchangeMailSubmission.exe

  • MSExchangeRepl.exe

  • MSExchangeThrottling.exe

  • MSExchangeTransport.exe

  • MSExchangeTransportLogSearch.exe

  • Msftefd.exe

  • Msftesql.exe

  • OleConverter.exe

  • Powershell.exe

  • SESWorker.exe

  • SpeechService.exe

  • Store.exe

  • TranscodingService.exe

  • UmService.exe

  • UmWorkerProcess.exe

  • W3wp.exe

If you're also deploying Forefront Protection for Exchange Server, exclude the following processes.

  • Adonavsvc.exe

  • FscController.exe

  • FscDiag.exe

  • FscExec.exe

  • FscImc.exe

  • FscManualScanner.exe

  • FscMonitor.exe

  • FscRealtimeScanner.exe

  • FscStarter.exe

  • FscStatsServ.exe

  • FscTransportScanner.exe

  • FscUtility.exe

  • FsEmailPickup.exe

  • FssaClient.exe

  • GetEngineFiles.exe

  • PerfmonitorSetup.exe

  • ScanEngineTest.exe

  • SemSetup.exe
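Scanner consoles usually want the full path of each excluded process, and a given server runs only the processes of the roles it holds. The script below is an added example, not part of the original article, covering both the Exchange and the Forefront lists above: it takes the path of every listed process that is currently running from Win32_Process, falls back to looking for the binary in the folders where it would normally be installed, and marks the rest as not present on this server. It assumes %ExchangeInstallPath% is set and that Forefront, if installed, is in its default %ProgramFiles(x86)% folder; the output file path is a placeholder.

```powershell
# Added example (not from the original article): resolve process exclusions to
# full paths. Assumes $env:ExchangeInstallPath is set and Forefront uses its
# default install folder (both assumptions).
$exchangeProcs = @(
    'Cdb.exe', 'Cidaemon.exe', 'Clussvc.exe', 'Dsamain.exe', 'EdgeTransport.exe', 'ExFBA.exe',
    'GalGrammarGenerator.exe', 'Inetinfo.exe', 'Mad.exe',
    'Microsoft.Exchange.AddressBook.Service.exe', 'Microsoft.Exchange.AntispamUpdateSvc.exe',
    'Microsoft.Exchange.ContentFilter.Wrapper.exe', 'Microsoft.Exchange.EdgeCredentialSvc.exe',
    'Microsoft.Exchange.EdgeSyncSvc.exe', 'Microsoft.Exchange.Imap4.exe',
    'Microsoft.Exchange.Imap4service.exe', 'Microsoft.Exchange.Monitoring.exe',
    'Microsoft.Exchange.Pop3.exe', 'Microsoft.Exchange.Pop3service.exe',
    'Microsoft.Exchange.ProtectedServiceHost.exe', 'Microsoft.Exchange.RPCClientAccess.Service.exe',
    'Microsoft.Exchange.Search.Exsearch.exe', 'Microsoft.Exchange.Servicehost.exe',
    'MSExchangeADTopologyService.exe', 'MSExchangeFDS.exe', 'MSExchangeMailboxAssistants.exe',
    'MSExchangeMailboxReplication.exe', 'MSExchangeMailSubmission.exe', 'MSExchangeRepl.exe',
    'MSExchangeThrottling.exe', 'MSExchangeTransport.exe', 'MSExchangeTransportLogSearch.exe',
    'Msftefd.exe', 'Msftesql.exe', 'OleConverter.exe', 'Powershell.exe', 'SESWorker.exe',
    'SpeechService.exe', 'Store.exe', 'TranscodingService.exe', 'UmService.exe',
    'UmWorkerProcess.exe', 'W3wp.exe'
)
$forefrontProcs = @(
    'Adonavsvc.exe', 'FscController.exe', 'FscDiag.exe', 'FscExec.exe', 'FscImc.exe',
    'FscManualScanner.exe', 'FscMonitor.exe', 'FscRealtimeScanner.exe', 'FscStarter.exe',
    'FscStatsServ.exe', 'FscTransportScanner.exe', 'FscUtility.exe', 'FsEmailPickup.exe',
    'FssaClient.exe', 'GetEngineFiles.exe', 'PerfmonitorSetup.exe', 'ScanEngineTest.exe',
    'SemSetup.exe'
)

# Where the binaries normally live when the process is not running right now
$binDirs = @(
    (Join-Path $env:ExchangeInstallPath 'Bin'),
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System32\inetsrv",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0",
    "${env:ProgramFiles(x86)}\Microsoft Forefront Protection for Exchange Server"
)

function Resolve-ProcessExclusion([string[]]$Names) {
    # A running instance gives the authoritative path; ExecutablePath is null for
    # processes the caller can't query, so those are skipped.
    $running = @{}
    Get-WmiObject Win32_Process | Where-Object { $_.ExecutablePath } | ForEach-Object {
        $running[$_.Name.ToLower()] = $_.ExecutablePath
    }
    foreach ($n in $Names) {
        $path  = $running[$n.ToLower()]
        $state = 'running'
        if (-not $path) {
            $state = 'on disk'
            foreach ($d in $binDirs) {
                $candidate = Join-Path $d $n
                if (Test-Path -LiteralPath $candidate) { $path = $candidate; break }
            }
            if (-not $path) { $state = 'not found' }   # role or product not installed here
        }
        New-Object PSObject -Property @{ Process = $n; State = $state; Path = $path }
    }
}

$result = Resolve-ProcessExclusion ($exchangeProcs + $forefrontProcs)
$result | Sort-Object State, Process | Format-Table Process, State, Path -AutoSize

# Hand the resolved paths to the scanner console; "not found" entries are omitted.
$result | Where-Object { $_.Path } | ForEach-Object { $_.Path } |
    Sort-Object -Unique | Out-File "$env:TEMP\ExchangeProcessExclusions.txt"
```

Run it from an elevated Exchange Management Shell so that Win32_Process can report paths for the service processes. Entries that resolve to "on disk" rather than "running" are normally the worker processes (UmWorkerProcess.exe, OleConverter.exe, Cdb.exe) that only start on demand; they still need the exclusion.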

File Name Extension Exclusions

In addition to excluding specific directories and processes, you should exclude the following Exchange-specific file name extensions in case directory exclusions fail or files are moved from their default locations.

  • Application-related extensions

    • .config

    • .dia

    • .wsb

  • Database-related extensions

    • .chk

    • .edb

    • .jrs

    • .jsl

    • .log

    • .que

  • Offline address book-related extensions

    • .lzx

  • Content Index-related extensions

    • .000

    • .001

    • .002

    • .ci

    • .dir

    • .wid

  • Unified Messaging-related extensions

    • .cfg

    • .grxml

  • GroupMetrics

    • .dsc

    • .bin

    • .xml

  • Forefront Protection for Exchange Server–related extensions

    • .avc

    • .cab

    • .cfg

    • .config

    • .da1

    • .dat

    • .def

    • .dt

    • .fdb

    • .fdm

    • .ide

    • .key

    • .klb

    • .kli

    • .lst

    • .mdb

    • .ppl

    • .set

    • .v3d

    • .vdb

    • .vdm

The file name extensions listed for Forefront Protection for Exchange Server are the signature files of the various antivirus scan engines that Forefront uses. In most cases, these file name extensions don't change. However, file name extensions may be added in the future as third-party antivirus vendors update their antivirus signature files.
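Extension exclusions exist to cover files that have been moved away from the excluded directories, so it is worth knowing whether any such files exist. The script below is an added example, not part of the original article: it walks every fixed drive looking for files with the Exchange-specific database extensions listed above (.edb, .chk, .jrs, .jsl, .que; .log is left out because it is too generic to be a useful marker) that sit outside the Exchange installation folder, and reports the folders that contain them, because each such folder also belongs in the directory exclusions. It assumes %ExchangeInstallPath% is set; treating %SystemRoot% and %ProgramData% as known homes of non-Exchange ESE databases is a noise-reduction assumption made here, not something the article states.

```powershell
# Added example (not from the original article): locate Exchange database,
# checkpoint and queue files outside the install folder. Assumes
# $env:ExchangeInstallPath is set; the extra $knownRoots are an assumption
# to skip Windows' own ESE databases.
$markerExtensions = '.edb', '.chk', '.jrs', '.jsl', '.que'
$knownRoots = @("$env:SystemRoot", "$env:ProgramData")
if ($env:ExchangeInstallPath) { $knownRoots += ($env:ExchangeInstallPath).TrimEnd('\') }

function Find-RelocatedExchangeFolders([string[]]$Extensions, [string[]]$ExcludeRoots) {
    # DriveType 3 = local fixed disk; network and removable drives are not scanned
    $fixedDrives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
        ForEach-Object { $_.DeviceID + '\' }

    $files = foreach ($drive in $fixedDrives) {
        # SilentlyContinue skips folders the account can't read instead of aborting
        Get-ChildItem -Path $drive -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and ($Extensions -contains $_.Extension) }
    }

    $files |
        Where-Object {
            $f = $_.FullName
            $inside = $false
            foreach ($r in $ExcludeRoots) {
                if ($r -and $f.StartsWith($r + '\', [StringComparison]::OrdinalIgnoreCase)) { $inside = $true }
            }
            -not $inside
        } |
        Group-Object -Property DirectoryName |
        ForEach-Object {
            New-Object PSObject -Property @{
                Folder = $_.Name
                Files  = $_.Count
                Types  = (($_.Group | ForEach-Object { $_.Extension } | Sort-Object -Unique) -join ' ')
            }
        }
}

$hits = @(Find-RelocatedExchangeFolders -Extensions $markerExtensions -ExcludeRoots $knownRoots)
if ($hits.Count -eq 0) {
    'No Exchange database, checkpoint or queue files found outside the known folders.'
} else {
    # Every folder listed here needs a directory exclusion in addition to the extension ones
    $hits | Sort-Object Folder | Format-Table Folder, Files, Types -AutoSize
}
```

A folder that holds a .chk file is a log folder, so the .log and .jrs files beside it are covered by excluding that folder; a folder holding only an .edb is the database folder. The scan reads every directory on every fixed disk, so run it during a quiet period on large servers.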

 © 2010 Microsoft Corporation. All rights reserved.