Microsoft recommends configuring any antivirus software running on Exchange servers to exclude specific paths, processes, and file types. The recommendation exists to reduce the likelihood of an Exchange server failing because the antivirus software has locked a file or folder that Exchange is trying to use. Such failures are quite common when antivirus software has not been configured to follow these recommendations, and they usually surface as unpredictable failover behavior in database availability groups and as unexpected database dismounts. The flip side is that every excluded path is one that on-access scanning no longer inspects, so stick to the documented list rather than excluding whole volumes.

Some time ago I published a PowerShell script that scans an Exchange 2013 server and outputs a list of exclusions that follow the Microsoft recommendations. The Exchange 2016 list is a little different: a few items were added and a few others removed. Thanks to Matt K for pointing out several of the changes.

Today I’ve published a new script for generating Exchange 2016 antivirus exclusions. It works the same way as the 2013 version: run the script locally on a server in the Exchange Management Shell, then use the output files to configure your antivirus software, either manually or by importing the lists. (Update: when installing Exchange 2016 CU3 or later on Windows Server 2016 you can also use the script to configure the exclusions in Windows Defender automatically.) I’ve also made a few improvements this time around, so that different lists are output for Mailbox servers and for Edge Transport servers.

You can find the new script on the TechNet Script Gallery. I hope you find it helpful for your Exchange 2016 deployments.
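The following is an added example of the procedure described above and is not the script the post links to. It derives the Exchange paths that must be excluded from on-access scanning from the live configuration of the local server (database and log folders from Get-MailboxDatabase, transport log folders from Get-TransportService, the queue database location from EdgeTransport.exe.config), writes one list per exclusion type named by server role, and with -ApplyToDefender adds whatever is missing to Windows Defender through Add-MpPreference. The process and extension lists in it are an illustrative subset (an assumption for this example); take the complete set from Microsoft's Exchange 2016 antivirus exclusion document. Run it in an elevated Exchange Management Shell.

```powershell
# Added example for this post; it is not the script the post links to. It derives
# the Exchange 2016 paths to exclude from on-access scanning from the live
# configuration of the local server, writes one list per exclusion type, and with
# -ApplyToDefender adds anything missing to Windows Defender via Add-MpPreference.
# Run it in an elevated Exchange Management Shell. The process and extension lists
# are an illustrative subset (assumption); take the complete set from Microsoft's
# Exchange 2016 antivirus exclusion document.
[CmdletBinding()]
param(
    [string]$OutputFolder = (Get-Location).Path,
    [switch]$ApplyToDefender
)

function Get-ExchangeExclusionPaths {
    param([Parameter(Mandatory)]$Server)
    $paths = New-Object System.Collections.Generic.List[string]

    if ($Server.IsMailboxServer) {
        foreach ($db in Get-MailboxDatabase -Server $Server.Name) {
            # Exclude the folder that holds each .edb rather than the file (design choice here).
            $paths.Add((Split-Path -Path $db.EdbFilePath.PathName -Parent))
            $paths.Add($db.LogFolderPath.PathName)
        }
    }

    # Transport log paths apply to Mailbox and Edge Transport servers alike.
    $transport = Get-TransportService -Identity $Server.Name
    foreach ($p in @($transport.MessageTrackingLogPath, $transport.ConnectivityLogPath,
                     $transport.ReceiveProtocolLogPath, $transport.SendProtocolLogPath,
                     $transport.PipelineTracingPath)) {
        if ($p) { $paths.Add($p.PathName) }
    }

    # The queue database location is set in EdgeTransport.exe.config; fall back to
    # the default folder under the install path if the key has been removed.
    $queuePath = Join-Path $env:ExchangeInstallPath 'TransportRoles\data\Queue'
    $cfgFile   = Join-Path $env:ExchangeInstallPath 'Bin\EdgeTransport.exe.config'
    if (Test-Path -Path $cfgFile) {
        $cfg = [xml](Get-Content -Path $cfgFile)
        $key = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq 'QueueDatabasePath' }
        if ($key -and $key.value) { $queuePath = $key.value }
    }
    $paths.Add($queuePath)

    $paths | Where-Object { $_ } | Sort-Object -Unique
}

function Add-DefenderExclusions {
    param([string[]]$Paths, [string[]]$Processes, [string[]]$Extensions)
    if (-not (Get-Command -Name Add-MpPreference -ErrorAction SilentlyContinue)) {
        throw 'Add-MpPreference is not available; the Defender cmdlets need Windows Server 2016 or later.'
    }
    $current = Get-MpPreference
    # Add only what is missing so the script can be re-run without duplicating entries.
    $newPaths = @($Paths      | Where-Object { $current.ExclusionPath      -notcontains $_ })
    $newProcs = @($Processes  | Where-Object { $current.ExclusionProcess   -notcontains $_ })
    $newExts  = @($Extensions | Where-Object { $current.ExclusionExtension -notcontains $_ })
    if ($newPaths.Count) { Add-MpPreference -ExclusionPath      $newPaths }
    if ($newProcs.Count) { Add-MpPreference -ExclusionProcess   $newProcs }
    if ($newExts.Count)  { Add-MpPreference -ExclusionExtension $newExts }
    "Defender: added $($newPaths.Count) paths, $($newProcs.Count) processes, $($newExts.Count) extensions."
}

# Illustrative subset (assumption); the real lists differ per role and are longer.
$processes  = @('Microsoft.Exchange.Store.Worker.exe', 'MSExchangeTransport.exe',
                'EdgeTransport.exe', 'MSExchangeFrontendTransport.exe', 'w3wp.exe')
$extensions = @('edb', 'chk', 'log', 'jrs', 'jsl', 'que', 'lzx')

$server = Get-ExchangeServer -Identity $env:COMPUTERNAME
$role   = if ($server.IsEdgeServer) { 'EdgeTransport' } else { 'Mailbox' }
$paths  = @(Get-ExchangeExclusionPaths -Server $server)

# One file per exclusion type, named by role, for import into the AV console.
Set-Content -Path (Join-Path $OutputFolder "$role-PathExclusions.txt")      -Value $paths
Set-Content -Path (Join-Path $OutputFolder "$role-ProcessExclusions.txt")   -Value $processes
Set-Content -Path (Join-Path $OutputFolder "$role-ExtensionExclusions.txt") -Value $extensions
"Wrote $($paths.Count) path, $($processes.Count) process and $($extensions.Count) extension exclusions for the $role role to $OutputFolder"

if ($ApplyToDefender) {
    Add-DefenderExclusions -Paths $paths -Processes $processes -Extensions $extensions
}
```

Reading the paths from the running configuration rather than hard-coding defaults matters because databases and logs are routinely relocated after setup; a list generated before the move would leave the new volume scanned. The Defender branch compares against Get-MpPreference first so the script is idempotent and can be re-run after a configuration change.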

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. RM

    Hey Paul, a slight thing I noticed that I wanted to bring to your attention (and perhaps I am wrong) is that the way the process exclusions are implemented will not exclude the processes but rather the files they touch (see the Defender link in the next paragraph for what I mean). I thought by the process exclusion section MS wants to exclude the actual processes from being scanned here. (https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019)

    You can refer to what I am saying in regards to how a Windows Defender exclusion will be treated by the ProcessExclusion flag here: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus?view=o365-worldwide

    The paragraph in the above link states: “When you add a process to the process exclusion list, Microsoft Defender Antivirus won’t scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the file exclusion list.”

    So, instead of only excluding the processes with the -ExclusionProcess switch, they must also be excluded with the -ExclusionPath switch. Refer to this to exclude a process:

    https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus?view=o365-worldwide

    1. Tony Redmond

      Paul isn’t involved with the site any longer and this is now an old article. Maintaining old content to match the progress of technology is always a challenge. We’ll take a look and see what we can do.

      1. RM

        Thank you Tony, and I agree regarding keeping context. I came across this article while researching and working on Exchange 2019 DATP exclusions on Windows Datacenter Core 2019. I saw another web blog from someone else also doing the exclusions the same way as here, and noticed that some folks are still looking into this one as a reference since Practical365 has been such a great resource to all of us. So, anyway, I thought it was worthwhile to bring the point to the experts here. I’ll open a ticket with MS to have it verified/confirmed as to which DATP exclusion flag should be used for the process exclusions section.
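The distinction raised in the comment thread above (a Defender process exclusion covers the files a process opens, while the process image itself is only skipped if it also matches a path exclusion) can be checked on a server. The following is an added example and is not code from the post, the linked script, or Microsoft: it audits the current Get-MpPreference settings for rooted process exclusions that no path exclusion covers and, with -Fix, adds each image path with Add-MpPreference -ExclusionPath. It assumes the path exclusions are plain folder or file paths; wildcard entries are not expanded.

```powershell
# Added example illustrating the comment above; not code from the post, the linked
# script, or Microsoft. In Windows Defender a process exclusion (-ExclusionProcess)
# stops scanning of files the process opens; the process image itself is still
# scanned unless it also matches a path exclusion. This audits Get-MpPreference for
# rooted process exclusions with no matching path exclusion and, with -Fix, adds
# each image path via Add-MpPreference -ExclusionPath.
# Assumption: path exclusions are plain folder or file paths (wildcards not expanded).
[CmdletBinding()]
param([switch]$Fix)

function Get-ProcessExclusionCoverage {
    param([string[]]$ProcessExclusions, [string[]]$PathExclusions)
    foreach ($proc in @($ProcessExclusions)) {
        if (-not $proc) { continue }
        $status = 'NotCovered'
        if (-not [System.IO.Path]::IsPathRooted($proc)) {
            # A bare image name (e.g. 'w3wp.exe') carries no location to check;
            # it has to be re-entered as a full path before it can be path-excluded.
            $status = 'BareName'
        } else {
            foreach ($path in @($PathExclusions)) {
                if (-not $path) { continue }
                $folder = $path.TrimEnd('\')
                # Covered when the exact file is excluded or one of its parent folders is.
                if ($proc -ieq $folder -or
                    $proc.StartsWith($folder + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
                    $status = 'Covered'; break
                }
            }
        }
        [pscustomobject]@{ Process = $proc; Status = $status }
    }
}

$pref   = Get-MpPreference
$report = @(Get-ProcessExclusionCoverage -ProcessExclusions $pref.ExclusionProcess -PathExclusions $pref.ExclusionPath)
$report | Format-Table -AutoSize

$missing = @($report | Where-Object Status -eq 'NotCovered' | ForEach-Object Process)
if ($Fix -and $missing.Count) {
    # Adds the image files themselves as path exclusions so the binaries are not scanned either.
    Add-MpPreference -ExclusionPath $missing
    "Added $($missing.Count) process image path(s) as path exclusions."
}
```

Entries reported as BareName are the ones to look at first: a process exclusion entered as just an executable name gives Defender nothing to match a path exclusion against, so the binary keeps being scanned until the full image path is added.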

  2. Paolo

    Hello Paul, I saw this script has not been updated since February 2017. Is it still safe to run it on the current Exchange 2016 version?

    Thank you for your cooperation.

    Best regards.

  3. Jon

    Script for Exchange 2019?

  4. Mark

    Hi Paul,

    Great script, but I have another question re antivirus scanning.

    Is it still recommended to scan mailboxes using APIs? I remember this back in 5.5, but these days we use appliances at the edge to scan emails as they pass in/out. I’d be nervous using any 3rd-party database/mailbox scanner, but I’ve been asked to look into it and can’t see many products available for EX 2013/2016.

    Cheers
    Mark

  5. Stephen Hudson

    Hi Paul,
    Just to be sure: I install Exchange 2016, move the default database and log folders to my preferred location, then run your script, before starting any of the Exchange post-install tasks?
    Kind regards
    Stephen

      1. Stephen Hudson

        Hi Paul, I noticed when I ran the script on my Server 2016/Exchange 2016 setup that it listed the actual mailbox .edb file name in the list of Path (folder) Exclusions.
        ‘E:\Exchange_Databases\MailboxDB-01\MailboxDB-01.edb’

        Shouldn’t it just be the containing folder?
        ‘E:\Exchange_Databases\MailboxDB-01’

        Kind regards
        Stephen

  6. Ashfaq ahmed

    Thanks Paul for sharing and making our lives easier. Can you please write the same script for a domain controller?

    thanks.

  7. Fness

    So helpful thanks for sharing.
    Your articles and knowledge make my life better 🙂

  8. Robatwork

    Paul, I think it’s worth explicitly pointing out that
    a) you need to run it in an administrator EMS
    b) you need to right-click and Unblock the .ps1 file first

    At least I did on a new 2016 server

    Great, useful script, this one, so thanks

  9. RebPentacleB

    It would be great if the script put quotes around the paths, or better yet created a PowerShell script with Add-MpPreference -ExclusionPath “path” so you could run the output and automatically set up the exclusions.

      1. RedPentacleB

        Awesome!
