Antivirus software that is not correctly configured is a fairly common cause of many performance and stability issues with Exchange. It’s a good idea to run antivirus software on your Exchange 2013 servers to help prevent malware, and I always recommend it to customers. But if you do install antivirus software you need to configure it with the correct exclusions so that it doesn’t interfere with Exchange Server’s operations.

Microsoft has published a list of file/folder, process, and file type exclusions that should be applied to antivirus software running on an Exchange 2013 server. It’s quite long, and you might notice some duplication of effort. For example, Microsoft recommends excluding the path of the database files (eg, F:\DB01\DB01.edb) but also the file type .edb. Why both? Well it’s just a precaution in case a database is moved to a different path without updating the exclusions list, or if the antivirus software you’re using needs to handle the exclusions a specific way.

Since the exclusions list is so long and relies on a number of variables (eg the Exchange install path is something you can choose during setup, so it won’t always be C:\Program Files…), working out the actual list of exclusions is a very long and tedious task.

That’s why I’ve written a PowerShell script to generate the list quickly and easily.

Get-Exchange2013AVExclusions.ps1 can be downloaded from the TechNet Script Gallery.

The script is run directly on an Exchange 2013 server using the Exchange Management Shell. If you’re deploying multiple servers with the same configuration (eg members of a database availability group) you can use the script to generate the exclusions list off one server and then use your antivirus software’s policy-based management to deploy the same settings to all of your servers.

Simply run the script with no parameters to generate the exclusions lists.

[PS] C:\Scripts\av>.\Get-Exchange2013AVExclusions.ps1
Done.

The result is three text files; one for the file/folder paths, one for the processes, and one for the file extensions.

exchange-2013-antivirus-exclusions-01

exchange-2013-antivirus-exclusions-02

Feedback and questions are welcome in the comments below.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. umer

    hey Paul can you share this script Thanks

  2. Kathaleen Gerste

    Good write-up, I am regular visitor of one’s web
    site, maintain up the nice operate, and It’s going to be a regular visitor for a lengthy time.

  3. Roxanna Marchand

    I really like your writing style, good information, thanks for putting up :D.

  4. Quyen Wagstaff

    Unquestionably believe that which you said. Your favorite reason appeared to be
    on the net the simplest thing to be aware of. I say to you, I certainly
    get annoyed while people consider worries that they plainly
    don’t know about. You managed to hit the nail upon the top as well as defined out the whole thing without having side-effects , people can take a
    signal. Will likely be back to get more. Thanks

  5. Janine Carrillo

    Hi to ebery body, it’s my first visit of this blog;
    this website carries awesome and in fact excellent stuff in support of readers.

  6. Michael

    After running Get-Exchange2013AVExclusions.ps1 , the powershell output “File not found” and only the path file was created. The other 2 files were failed to create.

  7. Xcom3

    Hi, great script!
    But the output cannot bulk-added to System Center Endpoint Protection (SCEP). For that you need to add a ; after each line. No big deal, just takes some extra time.

  8. rino19ny

    i’m getting an error on line 267:

    The operation couldn’t be performed because ‘MB2’ couldn’t be found.
    + CategoryInfo : NotSpecified: (:) [Get-FrontendTransportService], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=MB2,RequestId=e9da3998-0b7b-4e5d-aae7-846a3a8b4662,TimeStamp=7/11/2016 7:08:
    24 AM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 7B21FB8C,Microsoft.Exchange.Management.SystemCon
    figurationTasks.GetFrontendTransportService
    + PSComputerName : mb2.acme.com

    Get-Member : You must specify an object for the Get-Member cmdlet.
    At C:usersxxxxxGet-Exchange2013AVExclusions.ps1:267 char:27
    + $names = @($fetransport | Get-Member | Where {$_.membertype -eq “NoteProperty”})
    + ~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [Get-Member], InvalidOperationException
    + FullyQualifiedErrorId : NoObjectInGetMember,Microsoft.PowerShell.Commands.GetMemberCommand

  9. Srikanth

    Hi Paul,
    The script works great and collects all details as it is meant to. I am trying to contribute to make sure the script is updated if the following information is correct as per the MS TechNet links.
    Looking at Exchange 2013 Content conversion(as published in https://technet.microsoft.com/en-us/library/bb332342(v=exchg.150).aspx#Directory) I see the content conversion uses %TMP% which is a system variable. During any system operations, system variable used will be configured in System variable and in this case it will be C:temp folder.
    As per the codes under “Content Conversion” section I see it is hardcoded to C:windowstemp, which I believe may be used for few temp operations but not for content conversion in Exch2013.
    I am working with MS on the same and will update the results.

    Looking at the below article, it is applied to Exchange 2016 where content conversions are used in “%ExchangeInstallPath%TransportRolesDataTemp”

    I am working on this to make sure if C:temp to be excluded or not in Exchange 2013 and if you have any more information about content conversion , please share.

    Thanks,
    Srikanth Rao K

  10. Allied

    When i ran the script i get C:Windowstemp. My AV already finds virus in here. The above example doesnt show this folder. i was wondering how it got on the exception list.

    thanks

    1. Avatar photo
      1. RedCatRockets

        Hi Paul,

        this is (as usual) an excellent resource and very much appreciated, thank you.

        If we change TemporaryStoragePath in EdgeTransport.exe.config (for example by using MoveTransportDatabase.ps1 with the -TemporaryStoragePath switch) then I guess the need to scan c:temp is removed (our AV guys were really concerned about configuring that one…)

        If we make this change then I think the script won’t realise we’ve changed the path as it just reads the %TMP% variable at line 185?

        Again, many thanks for publishing this.

  11. Brandon

    Really useful. Thanks!

  12. Dhillan

    Hi Paul

    With this work fine for Exchange 2016?

      1. Matt K.

        So in reviewing Microsoft’s AV Exclusion list for Exchange Server 2016 (https://technet.microsoft.com/en-us/library/bb332342(v=exchg.160).aspx) there are a few things that I found are missing after running the Get-Exchange2013AvExclusion.ps1
        -File Extensions
        .jfm
        – Processes
        ComplianceAuditService.exe
        MSExchangeCompliance.exe
        Microsoft.Exchange.Notifications.Broker.exe
        wsbexchange.exe
        -File Paths
        %ExchangeInstallPath%TransportRolesDataTemp
        %ExchangeInstallPath%TransportRolesDataSenderReputation
        %SystemRoot%Microsoft.NETFramework64v4.0.30319Temporary ASP.NET Files
        %ExchangeInstallPath%TransportRolesLogs
        – Get-TransportService -Identity | FL *Logpath,*Tracingpath
        C:Program FilesMicrosoftExchange ServerV15TransportRolesLogsHubLatencyLog
        C:Program FilesMicrosoftExchange ServerV15TransportRolesLogsHubGeneralLog
        C:Program FilesMicrosoftExchange ServerV15TransportRolesLogsHubTransportHttp
        C:Program FilesMicrosoftExchange ServerV15TransportRolesLogsMailboxPipelineTracing

  13. Dave Stork

    Please note that these are exclusions only for Exchange. If you install other software on the same server (which IMHO should only be Exchange related), they might require exclusions as well.
    I’ve seen corrupt backups due to the agent process not being excluded…

  14. Jiri

    Great idea, thanks! How did we live without it? 🙂

  15. RVoogt

    Thanks Great script !

    1. Shaun vt

      Any idea of where I can get his now as the link is Invalid ?

      Many thanks

      Shaun

  16. shafeeque

    great script!!!!

  17. Rob

    any idea whether this would work with exchange 2010?

Leave a Reply