Running Windows antivirus software on Exchange 2016 servers

 

Topic Last Modified: 2016-03-28

Learn about setting up Windows antivirus programs to run successfully on Exchange 2016 servers by configuring exclusions.

When you run Windows antivirus programs on Microsoft Exchange Server 2016 servers, you can help enhance the security and health of your Exchange organization. However, if they aren't configured correctly, Windows antivirus programs can cause problems in Exchange 2016.

There are two basic components of any Windows antivirus program:

  • Memory-resident scanning or real-time protection monitors all files and processes that are loaded and running in a computer's active memory.

  • File-level scanning refers to checking files on the hard disk for viruses manually or on a regular schedule. Some antivirus programs start an on-demand scan automatically after the virus signatures are updated to make sure that all files are scanned with the latest signatures.

The biggest potential problem is that a Windows antivirus program might lock or quarantine an open log file or database file that Exchange needs to modify. This can cause severe failures in Exchange 2016, and it might also generate 1018 event log errors. Therefore, excluding these files from being scanned by the Windows antivirus program is very important.

Another issue to consider is that Windows antivirus programs can't replace email-based antispam and antimalware solutions because Windows antivirus programs that run on Windows servers can't detect viruses, malware, and spam that are distributed only through email.

When you deploy a Windows antivirus program on an Exchange 2016 server, make sure that the folder exclusions, process exclusions, and file name extension exclusions that are described in these sections are configured for both memory-resident and file-level scanning.

Note:
The %ExchangeInstallPath% value is typically C:\Program Files\Microsoft\Exchange Server\V15\ (includes a trailing "\"), the %SystemRoot% value is typically C:\Windows (doesn't include a trailing "\"), and the %SystemDrive% value is typically C: (doesn't include a trailing "\").
The locations of many of these Exchange folders are configurable in the Exchange Management Shell. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.

Contents

Folder exclusions

Process exclusions

File name extension exclusions

Exclude the following folders from file-level scanning and memory-resident scanning on Exchange 2016 servers.

%SystemRoot%\Cluster
  Category: DAGs
  Description: The cluster quorum database and other files for database availability groups (DAGs).
  Servers: Mailbox servers

%SystemDrive%\DAGFileShareWitnesses\<DAGFQDN>
  Category: DAGs
  Description: The witness directory on the witness server that's configured for the DAG. The witness server can be virtually any Microsoft Windows server in the local Active Directory forest that isn't already a member of the DAG.
    To see the actual location, run the following command: Get-DatabaseAvailabilityGroup <DAGName> | Format-List *Witness*
  Servers: Any

%ExchangeInstallPath%ClientAccess\OAB
  Category: Offline Address Books
  Description: Offline Address Book files.
  Servers: Mailbox servers

%ExchangeInstallPath%FIP-FS
  Category: Antimalware and DLP
  Description: Content scanning that's used by the Malware agent and data loss prevention (DLP).
  Servers: Mailbox servers

%ExchangeInstallPath%GroupMetrics
  Category: MailTips
  Description: Group Metrics files that are used to calculate values for the Large Audience and External Recipients MailTips.
  Servers: Mailbox servers

%ExchangeInstallPath%Logging
  Category: Exchange process logs
  Description: This folder contains many different types of Exchange logs in subfolders. For example:
    • Calendar Repair Assistant logs
    • Managed Folder Assistant logs
    • IMAP4 protocol logs
    • POP3 protocol logs
    To see the actual locations, run the following commands:
    • Get-MailboxServer -Server <ServerName> | Format-List *LogPath*
    • Get-PopSettings <ServerName> | Format-List LogFileLocation
    • Get-ImapSettings <ServerName> | Format-List LogFileLocation

%ExchangeInstallPath%Mailbox
  Category: Mailbox databases
  Description: Exchange databases, checkpoint files, and log files. By default, these files are located in subfolders based on the name of the database. To see the actual locations, run the following command: Get-MailboxDatabase -Server <ServerName> | Format-List EdbFilePath,LogFolderPath
    By default, database context index files are located in the same folder as the database files in a subfolder that's named after the GUID of the database.
  Servers: Mailbox servers

%ExchangeInstallPath%TransportRoles\Data\Adam
  Category: EdgeSync
  Description: Active Directory Lightweight Directory Services (AD LDS) and log files.
  Servers: Edge Transport servers

%ExchangeInstallPath%TransportRoles\Data\IpFilter
  Category: Connection filtering
  Description: IP filter database, checkpoint, and log files.
  Servers: Edge Transport servers

%ExchangeInstallPath%TransportRoles\Data\Queue
  Category: Queues
  Description: Queue database, checkpoint, and log files.
  Servers: Mailbox servers, Edge Transport servers

%ExchangeInstallPath%TransportRoles\Data\SenderReputation
  Category: Sender reputation
  Description: Sender Reputation database, checkpoint, and log files.
  Servers: Edge Transport servers, Mailbox servers

%ExchangeInstallPath%TransportRoles\Data\Temp
  Category: Content conversion
  Description: Content conversion that's done in the transport pipeline.
  Servers: Mailbox servers, Edge Transport servers

%ExchangeInstallPath%TransportRoles\Logs
  Category: Transport logs
  Description: Mail flow and transport pipeline logs are located in subfolders, for example:
    • Agent logging
    • Connectivity logging
    • Message tracking
    • Pipeline tracing
    • Send and Receive connector protocol logging
    To see the actual locations, run the following commands:
    • Get-TransportService <ServerName> | Format-List *LogPath,*TracingPath
    • Get-FrontEndTransportService <ServerName> | Format-List *LogPath
    • Get-MailboxTransportService <ServerName> | Format-List *LogPath,*TracingPath
  Servers: Mailbox servers, Edge Transport servers (Transport service only)

%ExchangeInstallPath%TransportRoles\Pickup
  Category: Pickup directory
  Description: The Pickup directory is used by administrators for mail flow testing or by applications that need to create and submit their own message files.
    To see the actual location, run the following command: Get-TransportService <ServerName> | Format-List PickupDirectoryPath
  Servers: Mailbox servers, Edge Transport servers

%ExchangeInstallPath%TransportRoles\Replay
  Category: Replay directory
  Description: The Replay directory receives messages from foreign gateway servers and can also be used to resubmit messages that administrators export from the queues of Exchange servers.
    To see the actual location, run the following command: Get-TransportService <ServerName> | Format-List ReplayDirectoryPath
  Servers: Mailbox servers, Edge Transport servers

%ExchangeInstallPath%UnifiedMessaging\Grammars
  Category: Unified Messaging
  Description: Grammar files for different locales, for example en-EN or es-ES.
  Servers: Mailbox servers

%ExchangeInstallPath%UnifiedMessaging\Prompts
  Category: Unified Messaging
  Description: Voice prompts, greetings, and informational message files.
  Servers: Mailbox servers

%ExchangeInstallPath%UnifiedMessaging\Temp
  Category: Unified Messaging
  Description: Temporary files generated by Unified Messaging.
  Servers: Mailbox servers

%ExchangeInstallPath%UnifiedMessaging\Voicemail
  Category: Unified Messaging
  Description: Voice mail files that are temporarily stored.
  Servers: Mailbox servers

%ExchangeInstallPath%Working\OleConverter
  Category: Content conversion
  Description: Transport Neutral Encoding Format (TNEF), also known as Rich Text Format (RTF), to MIME/HTML conversions.
  Servers: Mailbox servers, Edge Transport servers

%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
  Category: Web components
  Description: Internet Information Services (IIS) compression folder that's used with Outlook on the web.
  Servers: Mailbox servers

%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
  Category: Web components
  Description: Temporary files that are used with Exchange services. These files are located in the following subfolders:
    • autodiscover
    • ecp
    • ews
    • mapi
    • mapi_emsmdb
    • microsoft-server-activesync
    • oab
    • owa
    • owa_calendar
    • powershell
    • root
    • rpc
  Servers: Mailbox servers

%SystemRoot%\System32\Inetsrv
  Category: Web components
  Description: IIS system files.
  Servers: Mailbox servers
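The folder table lists default paths, but several of those locations are configurable, so an exclusion list built only from the defaults can miss the real database and log folders, and an exclusion set at a parent folder hides far more from scanning than the documentation asks for. The following PowerShell is an added example, not part of the original topic or any Microsoft tooling: it assumes a Mailbox server, the Exchange Management Shell, and Windows Defender as the antivirus product (so exclusions are read with Get-MpPreference); the variable names are illustrative.

```powershell
# Added example, not Microsoft's script. Run in the Exchange Management Shell on a Mailbox server.
# Assumption: Windows Defender is the antivirus product, so exclusions are read with Get-MpPreference.
$server  = $env:COMPUTERNAME
$install = $env:ExchangeInstallPath    # set by Exchange setup; includes the trailing "\"

# Fixed-location folders from the table above (Mailbox server subset, for brevity).
$expected = @(
    "$env:SystemRoot\Cluster"
    "${install}ClientAccess\OAB"
    "${install}FIP-FS"
    "${install}GroupMetrics"
    "${install}TransportRoles\Data\Queue"
    "${install}TransportRoles\Data\Temp"
    "${install}Working\OleConverter"
    "$env:SystemDrive\inetpub\temp\IIS Temporary Compressed Files"
    "$env:SystemRoot\System32\Inetsrv"
)

# Configurable locations: resolve them with the commands the table gives.
Get-MailboxDatabase -Server $server | ForEach-Object {
    $expected += Split-Path -Parent ([string]$_.EdbFilePath)
    $expected += [string]$_.LogFolderPath
}
$ts = Get-TransportService $server
$expected += [string]$ts.PickupDirectoryPath, [string]$ts.ReplayDirectoryPath

# Normalize so "C:\X\" and "c:\x" compare equal; drop empty values (for example an unset Pickup directory).
$normalize  = { param($p) $p.TrimEnd('\').ToLowerInvariant() }
$expected   = $expected | Where-Object { $_ } | ForEach-Object { & $normalize $_ } | Sort-Object -Unique
$configured = @((Get-MpPreference).ExclusionPath) | Where-Object { $_ } | ForEach-Object { & $normalize $_ }

# Missing: an expected folder that is neither excluded itself nor located under an excluded folder.
$missing = $expected | Where-Object {
    $e = $_
    -not ($configured | Where-Object { $e -eq $_ -or $e.StartsWith("$_\") })
}
# Broader than documented: a configured exclusion that is a parent of an expected folder
# (for example the whole install path or a drive root) without being on the expected list itself.
$tooBroad = $configured | Where-Object {
    $c = $_
    ($expected -notcontains $c) -and ($expected | Where-Object { $_.StartsWith("$c\") })
}

[pscustomobject]@{ Missing = $missing; BroaderThanDocumented = $tooBroad } | Format-List
```

Entries under BroaderThanDocumented are worth narrowing to the specific folders in the table, since everything beneath an excluded parent goes unscanned.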


Many antivirus programs support the scanning of processes, which can adversely affect Microsoft Exchange if the incorrect processes are scanned. Therefore, you should exclude the following Exchange or related processes from process scanning.

| Process | Path | Comments | Servers |
| --- | --- | --- | --- |
| ComplianceAuditService.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Compliance Audit service (MSComplianceAudit) | Mailbox servers |
| Dsamain.exe | %SystemRoot%\System32 | Microsoft Exchange ADAM service (ADAM_MSExchange) (Active Directory Lightweight Directory Services (AD LDS) on subscribed Edge Transport servers) | Edge Transport servers |
| EdgeTransport.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Transport service worker process | Mailbox servers, Edge Transport servers |
| fms.exe | %ExchangeInstallPath%FIP-FS\Bin | Content scanning component that's used by the Malware agent and DLP. | Mailbox servers |
| hostcontrollerservice.exe | %ExchangeInstallPath%Bin\Search\Ceres\HostController | Microsoft Exchange Search Host Controller service (HostControllerService) | Mailbox servers |
| inetinfo.exe | %SystemRoot%\System32\inetsrv | Internet Information Services (IIS) | Mailbox servers |
| Microsoft.Exchange.AntispamUpdateSvc.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Antispam Update service (MSExchangeAntispamUpdate) | Mailbox servers, Edge Transport servers |
| Microsoft.Exchange.ContentFilter.Wrapper.exe | %ExchangeInstallPath%TransportRoles\agents\Hygiene | Content Filter agent | Mailbox servers, Edge Transport servers |
| Microsoft.Exchange.Diagnostics.Service.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Diagnostics service (MSExchangeDiagnostics) | Mailbox servers, Edge Transport servers |
| Microsoft.Exchange.Directory.TopologyService.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Active Directory Topology service (MSExchangeADTopology) | Mailbox servers |
| Microsoft.Exchange.EdgeCredentialSvc.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Credential service (MSExchangeEdgeCredential) | Edge Transport servers |
| Microsoft.Exchange.EdgeSyncSvc.exe | %ExchangeInstallPath%Bin | Microsoft Exchange EdgeSync service (MSExchangeEdgeSync) | Mailbox servers |
| Microsoft.Exchange.Imap4.exe | %ExchangeInstallPath%FrontEnd\PopImap | Microsoft Exchange IMAP4 service (MSExchangeImap4) | Mailbox servers |
| Microsoft.Exchange.Imap4service.exe | %ExchangeInstallPath%ClientAccess\PopImap | Microsoft Exchange IMAP4 Backend service (MSExchangeIMAP4BE) | Mailbox servers |
| Microsoft.Exchange.Notifications.Broker.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Notifications Broker service (MSExchangeNotificationsBroker) | Mailbox servers |
| Microsoft.Exchange.Pop3.exe | %ExchangeInstallPath%FrontEnd\PopImap | Microsoft Exchange POP3 service (MSExchangePop3) | Mailbox servers |
| Microsoft.Exchange.Pop3service.exe | %ExchangeInstallPath%ClientAccess\PopImap | Microsoft Exchange POP3 Backend service (MSExchangePOP3BE) | Mailbox servers |
| Microsoft.Exchange.ProtectedServiceHost.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Service Host service (MSExchangeServiceHost) | Mailbox servers, Edge Transport servers |
| Microsoft.Exchange.RPCClientAccess.Service.exe | %ExchangeInstallPath%Bin | Microsoft Exchange RPC Client Access service (MSExchangeRPC) | Mailbox servers |
| Microsoft.Exchange.Search.Service.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Search service (MSExchangeFastSearch) | Mailbox servers |
| Microsoft.Exchange.Servicehost.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Service Host service (MSExchangeServiceHost) | Mailbox servers, Edge Transport servers |
| Microsoft.Exchange.Store.Service.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Information Store service (MSExchangeIS) | Mailbox servers |
| Microsoft.Exchange.Store.Worker.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Information Store service worker process | Mailbox servers |
| Microsoft.Exchange.UM.CallRouter.exe | %ExchangeInstallPath%FrontEnd\CallRouter | Microsoft Exchange Unified Messaging Call Router service (MSExchangeUMCR) | Mailbox servers |
| MSExchangeCompliance.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Compliance Service (MSExchangeCompliance) | Mailbox servers |
| MSExchangeDagMgmt.exe | %ExchangeInstallPath%Bin | Microsoft Exchange DAG Management service (MSExchangeDagMgmt) | Mailbox servers |
| MSExchangeDelivery.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Mailbox Transport Delivery service (MSExchangeDelivery) | Mailbox servers |
| MSExchangeFrontendTransport.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Frontend Transport service (MSExchangeFrontEndTransport) | Mailbox servers |
| MSExchangeHMHost.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Health Manager service (MSExchangeHM) | Mailbox servers, Edge Transport servers |
| MSExchangeHMWorker.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Health Manager service worker process | Mailbox servers, Edge Transport servers |
| MSExchangeMailboxAssistants.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Mailbox Assistants service (MSExchangeMailboxAssistants) | Mailbox servers |
| MSExchangeMailboxReplication.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Mailbox Replication service (MSExchangeMailboxReplication) | Mailbox servers |
| MSExchangeRepl.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Replication service (MSExchangeRepl) | Mailbox servers |
| MSExchangeSubmission.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Mailbox Transport Submission service (MSExchangeSubmission) | Mailbox servers |
| MSExchangeTransport.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Transport service (MSExchangeTransport) | Mailbox servers, Edge Transport servers |
| MSExchangeTransportLogSearch.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Transport Log Search service (MSExchangeTransportLogSearch) | Mailbox servers, Edge Transport servers |
| MSExchangeThrottling.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Throttling service (MSExchangeThrottling) | Mailbox servers |
| Noderunner.exe | %ExchangeInstallPath%Bin\Search\Ceres\Runtime\1.0 | Microsoft Exchange Search service (MSExchangeFastSearch) | Mailbox servers |
| OleConverter.exe | %ExchangeInstallPath%Bin | Converts rich text format (RTF) messages to MIME/HTML for external recipients. | Mailbox servers |
| ParserServer.exe | %ExchangeInstallPath%Bin\Search\Ceres\ParserServer | Microsoft Exchange Search service (MSExchangeFastSearch) | Mailbox servers |
| Powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0 | Exchange Management Shell | Mailbox servers, Edge Transport servers |
| ScanEngineTest.exe | %ExchangeInstallPath%FIP-FS\Bin | Content scanning component that's used by the Malware agent and DLP | Mailbox servers |
| ScanningProcess.exe | %ExchangeInstallPath%FIP-FS\Bin | Content scanning component that's used by the Malware agent and DLP | Mailbox servers |
| UmService.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Unified Messaging service (MSExchangeUM) | Mailbox servers |
| UmWorkerProcess.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Unified Messaging service worker process | Mailbox servers |
| UpdateService.exe | %ExchangeInstallPath%FIP-FS\Bin | Content scanning component that's used by the Malware agent and DLP | Mailbox servers |
| W3wp.exe | %SystemRoot%\System32\inetsrv | Internet Information Services (IIS) | Mailbox servers |
| wsbexchange.exe | %ExchangeInstallPath%Bin | Microsoft Exchange Server Extension for Windows Server Backup (wsbexchange) | Mailbox servers |


In addition to excluding specific folders and processes, you should exclude the following Exchange-specific file name extensions in case folder exclusions fail or files are moved from their default locations.

| Extensions | Description | Servers |
| --- | --- | --- |
| .config | Application-related extensions | Mailbox servers, Edge Transport servers |
| .chk, .edb, .jfm, .jrs, .log, .que | Database-related extensions | Mailbox servers, Edge Transport servers |
| .dsc, .txt | Group Metrics-related extensions | Mailbox servers |
| .cfg, .grxml | Unified Messaging-related extensions | Mailbox servers |
| .lzx | Offline address book-related extensions | Mailbox servers |
