It is a recommended practice to configure any antivirus software running on Exchange servers to exclude specific paths, processes, and file types. This recommendation is made to reduce the likelihood of your Exchange server experiencing a failure due to antivirus software locking a file or folder in a way that prevents Exchange from doing what it is trying to do. Such issues are actually quite common when antivirus software has not been configured to follow these recommendations, and usually surface as unpredictable failover behavior in database availability groups, as well as unexpected database dismounts.
Some time ago I published a PowerShell script that will scan an Exchange 2013 server and output a list of exclusions that follow the Microsoft recommendations. Exchange 2016 is a little different, with some items added to the list, as well as a few others removed from the list. Thanks to Matt K for pointing out several of the changes.
Today I’ve published a new script for generating Exchange 2016 antivirus exclusions. It works the same way as the 2013 version: you run the script locally on a server in the Exchange Management Shell, and then use the output files to configure your antivirus software manually or by importing the lists (Update: when installing Exchange 2016 CU3 or later on Windows Server 2016 you can also use the script to automatically configure the exclusions in Windows Defender). I made a few improvements this time around as well, so that different lists are output for Mailbox servers vs Edge Transport servers.
You can find the new script on the TechNet Script Gallery. I hope you find it helpful for your Exchange 2016 deployments.
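Because every exclusion is a location the scanner no longer inspects, it is worth reviewing the lists before importing them and checking afterwards that Windows Defender holds only what the lists contain. The following is an added example, not the script from this post: it compares list files against the current Defender exclusions and applies the missing entries only when asked. The file names `paths.txt`, `processes.txt` and `extensions.txt`, the one-entry-per-line format, and the `-ListFolder` and `-Apply` parameters are assumptions made for illustration.

```powershell
# Added example: audit exclusion lists against Windows Defender, optionally apply them.
# Assumed (hypothetical) inputs, one entry per line: paths.txt, processes.txt, extensions.txt
# Run elevated; Get-MpPreference hides exclusions from non-administrators.
param(
    [string]$ListFolder = '.',
    [switch]$Apply
)

# Map each Defender exclusion type to the hypothetical list file that feeds it.
$lists = @{
    ExclusionPath      = 'paths.txt'
    ExclusionProcess   = 'processes.txt'
    ExclusionExtension = 'extensions.txt'
}

$current = Get-MpPreference

foreach ($kind in $lists.Keys) {
    $file = Join-Path $ListFolder $lists[$kind]
    if (-not (Test-Path $file)) { Write-Warning "Missing $file, skipping $kind"; continue }

    # Normalise the list: trim whitespace, drop blank lines, de-duplicate.
    $wanted = @(Get-Content $file | ForEach-Object { $_.Trim() } |
                Where-Object { $_ } | Sort-Object -Unique)

    # Reject entries that would exclude far more than Exchange needs
    # (a bare drive root such as C:\ or a wildcard-only pattern).
    $tooBroad = @($wanted | Where-Object { $_ -match '^[A-Za-z]:\\?$' -or $_ -match '^\*+(\.\*)?$' })
    foreach ($entry in $tooBroad) { Write-Warning "Overly broad $kind entry rejected: $entry" }
    $wanted = @($wanted | Where-Object { $tooBroad -notcontains $_ })

    # Compare with what Defender currently has configured.
    $have    = @($current.$kind | Where-Object { $_ })
    $missing = @($wanted | Where-Object { $have -notcontains $_ })
    $extra   = @($have | Where-Object { $wanted -notcontains $_ })

    "{0}: {1} wanted, {2} missing, {3} present but not in list" -f `
        $kind, $wanted.Count, $missing.Count, $extra.Count
    $extra | ForEach-Object { "  review: $_" }

    # Change Defender only when -Apply is given; otherwise this is a report.
    if ($Apply -and $missing.Count -gt 0) {
        $params = @{ $kind = $missing }
        Add-MpPreference @params
    }
}
```

Entries reported under "review" are exclusions already present in Defender that no list accounts for; confirm who added them and why before leaving them in place.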