Antivirus and Exchange 2007

What folders should be excluded?

You must exclude specific directories for each Exchange server or server role on which you run a file-level antivirus scanner. This section describes the directories that you should exclude from file-level scanning for each server or server role.

Mailbox server role
  • Exchange databases, checkpoint files, and log files across all storage groups. By default, these are located in sub-folders under the %Program Files%\Microsoft\Exchange Server\Mailbox folder. You can obtain the directory location by running the following commands in the Exchange Management Shell:
    • To determine the location of a transaction log and checkpoint file, run the following command: Get-StorageGroup -server <servername>| fl *path*
    • To determine the location of a mailbox database, run the following command: Get-MailboxDatabase -server <servername>| fl *path*
    • To determine the location of a public folder database, run the following command: Get-PublicFolderDatabase -server <servername>| fl *path*
  • Database content indexes. By default, these are located in storage group sub-folders under the %Program Files%\Microsoft\Exchange Server\Mailbox folder.
  • General log files, such as message tracking log files. These files are located in subfolders under the %Program Files%\Microsoft\Exchange Server\TransportRoles\Logs folder and the %Program Files%\Microsoft\Exchange Server\Logging folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-MailboxServer <servername>| fl *path*
  • The Offline Address Book files that are located in subfolders under the %Program Files%\Microsoft\Exchange Server\ExchangeOAB folder
  • IIS system files in the %SystemRoot%\System32\Inetsrv folder
  • The temporary folder that is used with offline maintenance utilities, such as Eseutil.exe. By default, this folder is the location where the .exe file is run from. However, you can configure where you perform the operation from when you run the utility.
  • The temporary folders that are used to perform conversions:
    • Content conversions are performed in the server’s TMP folder.
    • OLE conversions are performed in the %Program Files%\Microsoft\Exchange Server\Working\OleConvertor folder.
    • The Mailbox database temporary folder: %Program Files%\Microsoft\Exchange Server\Mailbox\MDBTEMP
  • Any Exchange-aware antivirus program folders

Clustered Mailbox Server Role:

All the items listed in the Mailbox server role list, and the following:

  • The quorum disk and the %Winnt%\Cluster folder
  • The file share witness. This is located on another server in the environment, typically a Hub Transport server.

Hub Transport Server Role:

  • General log files, for example, message tracking. These files are located in subfolders under the %Program Files%\Microsoft\Exchange Server\TransportRoles\Logs folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername>| fl *logpath*,*tracingpath*
  • The message folders that are located under the %Program Files%\Microsoft\Exchange Server\TransportRoles folder. To determine the paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername>| fl *dir*path*
  • The transport server role queue database, checkpoint, and log files that are located in the %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Queue folder. For more information about how to obtain the directory location if the queue database files have been moved from the default location, see Working with the Queue Database on Transport Servers.
  • The transport server role Sender Reputation database, checkpoint, and log files that are located in the %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation folder
  • The transport server role IP filter database, checkpoint, and log files that are located in the %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter folder
  • The temporary folders that are used to perform conversions:
    • Content conversions are performed in the server’s TMP folder.
    • OLE conversions are performed in the %Program Files%\Microsoft\Exchange Server\Working\OleConvertor folder.
  • Any Exchange-aware antivirus program folders
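
The lookups listed above for the Mailbox and Hub Transport roles can be combined into one pass that outputs a de-duplicated list of the folders actually in use, ready to enter into the antivirus product. This is an added example, not part of the original guidance; `$Server` and the helper `Get-PathValue` are hypothetical names, and it assumes the path properties convert to plain strings with `ToString()`.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007).
# $Server and Get-PathValue are hypothetical names used for illustration.
$Server = $env:COMPUTERNAME

# Emit the value of every property whose name matches one of the patterns,
# the same filter the "| fl *path*" commands above apply for display.
function Get-PathValue($InputObjects, $Patterns) {
    foreach ($obj in @($InputObjects)) {
        if ($obj -eq $null) { continue }
        foreach ($prop in $obj.PSObject.Properties) {
            if ($prop.Value -eq $null) { continue }
            foreach ($pattern in $Patterns) {
                if ($prop.Name -like $pattern) { $prop.Value.ToString(); break }
            }
        }
    }
}

$quiet = 'SilentlyContinue'   # a role that is not installed returns nothing
$found = @()
$found += @(Get-PathValue (Get-StorageGroup -Server $Server -ErrorAction $quiet) '*path*')
$found += @(Get-PathValue (Get-MailboxDatabase -Server $Server -ErrorAction $quiet) '*path*')
$found += @(Get-PathValue (Get-PublicFolderDatabase -Server $Server -ErrorAction $quiet) '*path*')
$found += @(Get-PathValue (Get-MailboxServer $Server -ErrorAction $quiet) '*path*')
$found += @(Get-PathValue (Get-TransportServer $Server -ErrorAction $quiet) '*logpath*','*tracingpath*','*dir*path*')

# Keep local drive paths only, reduce database files (.edb) to their folder,
# and de-duplicate so each folder is excluded once.
$folders = $found |
    Where-Object { $_ -match '^[A-Za-z]:\\' } |
    ForEach-Object { if ($_ -like '*.edb') { [System.IO.Path]::GetDirectoryName($_) } else { $_ } } |
    ForEach-Object { $_.TrimEnd('\') } |
    Sort-Object -Unique

# Exists = False marks a configured path that is missing on the machine
# running the script (only meaningful when $Server is the local server).
$folders | Select-Object @{Name='Path'; Expression={$_}},
                         @{Name='Exists'; Expression={Test-Path $_}}
```

Excluding the exact folders this returns keeps the unscanned area limited to where Exchange data actually lives, rather than relying on the default locations or on the broader extension-based exclusions.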

Edge Transport Server Role:

  • The Active Directory Application Mode (ADAM) database and log files that are located in the %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Adam folder. For more information about how to obtain the directory location if the ADAM database files have been moved from the default location, see How to Modify ADAM Configuration.
  • General log files, for example message tracking. These files are located in subfolders under the %Program Files%\Microsoft\Exchange Server\TransportRoles\Logs folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername>| fl *logpath*,*tracingpath*
  • The message folders that are located under the %Program Files%\Microsoft\Exchange Server\TransportRoles folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername>| fl *dir*path*
  • The transport server role queue database, checkpoint, and log files that are located in the %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Queue folder. For more information about how to obtain the directory location if the queue database files have been moved from the default location, see Working with the Queue Database on Transport Servers.
  • The transport server role Sender Reputation database, checkpoint, and log files that are located in the %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation folder
  • The transport server role IP filter database, checkpoint, and log files that are located in the %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter folder
  • The temporary folders that are used to perform conversions:
    • Content conversions are performed in the server’s TMP folder.
    • OLE conversions are performed in the %Program Files%\Microsoft\Exchange Server\Working\OleConvertor folder.
  • Any Exchange-aware antivirus program folders

Client Access Server Role:

  • The Internet Information Services (IIS) 6.0 compression folder that is used with Microsoft Outlook Web Access. By default, the compression folder in IIS 6.0 is located at %systemroot%\IIS Temporary Compressed Files.
    For more information, see the Microsoft Knowledge Base article, IIS 6.0: Antivirus Scanning of IIS Compression Directory May Result in 0-Byte File.
  • IIS system files in the %SystemRoot%\System32\Inetsrv folder
  • The Internet-related files that are stored in the sub-folders of the %Program Files%\Microsoft\Exchange Server\ClientAccess folder
  • The temporary folder that is used to perform content conversion. By default, this is the server’s TMP folder.

Unified Messaging Server Role:

  • The grammar files that are stored in the subfolders in the %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\grammars folder
  • The voice prompts that are stored in the subfolders in the %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\Prompts folder
  • The voicemail files that are stored in the %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\voicemail folder
  • The bad voicemail files that are stored in the %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\badvoicemail folder

Forefront Security Server for Exchange role:

  • The archived messages that are stored in the %Program Files%\Microsoft ForeFront Security\Exchange Server\Data\Archive folder
  • The quarantined files that are stored in the %Program Files%\Microsoft ForeFront Security\Exchange Server\Data\Quarantine folder
  • The antivirus engine files that are stored in the subfolders of the %Program Files%\Microsoft ForeFront Security\Exchange Server\Data\Engines\x86 folder
  • The configuration files that are stored in the %Program Files%\Microsoft ForeFront Security\Exchange Server\Data folder

Microsoft Forefront Security for Exchange server on single copy clusters:

  • In addition to the directories that contain antivirus engine and configuration files, exclude the directory on the shared storage used for ForeFront data. To determine the path that ForeFront uses on an SCC, check the value of the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server\DatabasePath
    Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

Which processes should be excluded?

    Cdb.exe Microsoft.Exchange.Search.Exsearch.exe
    Cidaemon.exe Microsoft.Exchange.Servicehost.exe
    Cluster.exe Msexchangeadtopologyservice.exe
    Dsamain.exe Msexchangefds.exe
    Edgecredentialsvc.exe Msexchangemailboxassistants.exe
    Edgetransport.exe Msexchangemailsubmission.exe
    Galgrammargenerator.exe Msexchangetransport.exe
    Inetinfo.exe Msexchangetransportlogsearch.exe
    Mad.exe Msftefd.exe
    Microsoft.Exchange.Antispamupdatesvc.exe Msftesql.exe
    Microsoft.Exchange.Contentfilter.Wrapper.exe Oleconverter.exe
    Microsoft.Exchange.Cluster.Replayservice.exe Powershell.exe
    Microsoft.Exchange.Edgesyncsvc.exe Sesworker.exe
    Microsoft.Exchange.Imap4.exe Speechservice.exe
    Microsoft.Exchange.Imap4service.exe Store.exe
    Microsoft.Exchange.Infoworker.Assistants.exe Transcodingservice.exe
    Microsoft.Exchange.Monitoring.exe Umservice.exe
    Microsoft.Exchange.Pop3.exe Umworkerprocess.exe
    Microsoft.Exchange.Pop3service.exe W3wp.exe

    If Forefront is being deployed, exclude these as well:

    Adonavsvc.exe Fscstatsserv.exe
    Fsccontroller.exe Fsctransportscanner.exe
    Fscdiag.exe Fscutility.exe
    Fscexec.exe Fsemailpickup.exe
    Fscimc.exe Fssaclient.exe
    Fscmanualscanner.exe Getenginefiles.exe
    Fscmonitor.exe Perfmonitorsetup.exe
    Fscrealtimescanner.exe Scanenginetest.exe
    Fscstarter.exe Semsetup.exe

     
    Extensions that can also be excluded in case any of the above items are moved to another directory:

    Application-related extensions
    • .config
    • .dia
    • .wsb
    Database-related extensions
    • .chk
    • .log
    • .edb
    • .jrs
    • .que
    Offline Address Book-related extensions:
    • .lzx
    Content Index-related extensions

    .ci .wid .001
    .dir .000 .002

     

    Unified Messaging-related extensions
    • .cfg
    • .grxml
    ForeFront Security for Exchange Server–related extensions

    .avc .dt .lst
    .cab .fdb .mdb
    .cfg .fdm .ppl
    .config .ide .set
    .da1 .key .v3d
    .dat .klb .vdb
    .def .kli .vdm