Antivirus software that is not correctly configured is a fairly common cause of many performance and stability issues with Exchange. It’s a good idea to run antivirus software on your Exchange 2013 servers to help prevent malware, and I always recommend it to customers. But if you do install antivirus software you need to configure it with the correct exclusions so that it doesn’t interfere with Exchange Server’s operations.
Microsoft has published a list of file/folder, process, and file type exclusions that should be applied to antivirus software running on an Exchange 2013 server. It’s quite long, and you might notice some duplication of effort. For example, Microsoft recommends excluding the path of the database files (eg, F:\DB01\DB01.edb) but also the file type .edb. Why both? Well it’s just a precaution in case a database is moved to a different path without updating the exclusions list, or if the antivirus software you’re using needs to handle the exclusions a specific way.
Since the exclusions list is so long and relies on a number of variables (eg the Exchange install path is something you can choose during setup, so it won’t always be C:\Program Files…), working out the actual list of exclusions is a very long and tedious task.
That’s why I’ve written a PowerShell script to generate the list quickly and easily.
Get-Exchange2013AVExclusions.ps1 can be downloaded from the TechNet Script Gallery.
The script is run directly on an Exchange 2013 server using the Exchange Management Shell. If you’re deploying multiple servers with the same configuration (eg members of a database availability group) you can use the script to generate the exclusions list off one server and then use your antivirus software’s policy-based management to deploy the same settings to all of your servers.
Simply run the script with no parameters to generate the exclusions lists.
[PS] C:\Scripts\av>.\Get-Exchange2013AVExclusions.ps1
Done.
The result is three text files; one for the file/folder paths, one for the processes, and one for the file extensions.
Feedback and questions are welcome in the comments below.
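A review step for a generated path list, added here as an example (it is not part of Get-Exchange2013AVExclusions.ps1): every exclusion is a location the scanner no longer inspects, so the function flags duplicates, drive roots, shared temp folders and paths that do not exist on the server. The function name Test-AVExclusionPath and the sample entries are assumptions made for illustration.

```powershell
# Added example: review a path-exclusion list before deploying it as AV policy.
function Test-AVExclusionPath {
    param([string[]]$Path)

    # Temp folders that local processes can typically write to (assumed list);
    # excluding them leaves a wide blind spot, so they are flagged for review.
    $sharedTemp = @("$env:SystemRoot\Temp", 'C:\Temp') |
        ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

    $seen = @{}
    foreach ($raw in $Path) {
        $entry = "$raw".Trim()
        if (-not $entry) { continue }                        # skip blank lines

        # Expand %VAR% references and normalise for comparison.
        $full = [Environment]::ExpandEnvironmentVariables($entry).TrimEnd('\')
        $key  = $full.ToLowerInvariant()

        $notes = @()
        if ($seen.ContainsKey($key))             { $notes += 'duplicate' }
        if ($full -match '^[A-Za-z]:$')          { $notes += 'drive root' }
        if ($sharedTemp -contains $key)          { $notes += 'shared temp folder' }
        if (-not (Test-Path -LiteralPath $full)) { $notes += 'not found on this server' }
        $seen[$key] = $true

        [pscustomobject]@{
            Exclusion = $entry
            Resolved  = $full
            Review    = if ($notes) { $notes -join '; ' } else { 'ok' }
        }
    }
}

# Constructed sample list (not output from the script described above).
$sample = @(
    'F:\DB01\DB01.edb'
    'f:\db01\db01.edb'
    'C:\Windows\Temp'
    '%SystemRoot%\System32\Inetsrv'
    'D:\'
)
$report = Test-AVExclusionPath -Path $sample
$report | Format-Table -AutoSize

# Entries that passed review, joined with semicolons for consoles that expect that format.
($report | Where-Object Review -eq 'ok').Exclusion -join ';'
```

To check a real list, pass the lines of the generated paths file with `Get-Content` as the `-Path` argument.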
hey Paul can you share this script Thanks
Good write-up, I am regular visitor of one’s web
site, maintain up the nice operate, and It’s going to be a regular visitor for a lengthy time.
I really like your writing style, good information, thanks for putting up :D.
Unquestionably believe that which you said. Your favorite reason appeared to be
on the net the simplest thing to be aware of. I say to you, I certainly
get annoyed while people consider worries that they plainly
don’t know about. You managed to hit the nail upon the top as well as defined out the whole thing without having side-effects , people can take a
signal. Will likely be back to get more. Thanks
Hi to everybody, it’s my first visit of this blog;
this website carries awesome and in fact excellent stuff in support of readers.
After running Get-Exchange2013AVExclusions.ps1, the PowerShell output was “File not found” and only the path file was created. The other 2 files failed to create.
Hi, great script!
But the output cannot be bulk-added to System Center Endpoint Protection (SCEP). For that you need to add a ; after each line. No big deal, just takes some extra time.
I’m getting an error on line 267:
The operation couldn’t be performed because ‘MB2’ couldn’t be found.
+ CategoryInfo : NotSpecified: (:) [Get-FrontendTransportService], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=MB2,RequestId=e9da3998-0b7b-4e5d-aae7-846a3a8b4662,TimeStamp=7/11/2016 7:08:
24 AM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 7B21FB8C,Microsoft.Exchange.Management.SystemCon
figurationTasks.GetFrontendTransportService
+ PSComputerName : mb2.acme.com
Get-Member : You must specify an object for the Get-Member cmdlet.
At C:\users\xxxxx\Get-Exchange2013AVExclusions.ps1:267 char:27
+ $names = @($fetransport | Get-Member | Where {$_.membertype -eq “NoteProperty”})
+ ~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-Member], InvalidOperationException
+ FullyQualifiedErrorId : NoObjectInGetMember,Microsoft.PowerShell.Commands.GetMemberCommand
Hi Paul,
The script works great and collects all details as it is meant to. I am trying to contribute to make sure the script is updated if the following information is correct as per the MS TechNet links.
Looking at Exchange 2013 Content conversion (as published in https://technet.microsoft.com/en-us/library/bb332342(v=exchg.150).aspx#Directory) I see the content conversion uses %TMP% which is a system variable. During any system operations, system variable used will be configured in System variable and in this case it will be C:\temp folder.
As per the codes under “Content Conversion” section I see it is hardcoded to C:\windows\temp, which I believe may be used for few temp operations but not for content conversion in Exch2013.
I am working with MS on the same and will update the results.
Looking at the below article, it is applied to Exchange 2016 where content conversions are used in “%ExchangeInstallPath%TransportRoles\Data\Temp”
I am working on this to make sure if C:\temp to be excluded or not in Exchange 2013 and if you have any more information about content conversion, please share.
Thanks,
Srikanth Rao K
When I ran the script I get C:\Windows\temp. My AV already finds virus in here. The above example doesn’t show this folder. I was wondering how it got on the exception list.
thanks
Due to content conversions by Transport services. According to the TechNet link in the article…. “by default, content conversions are performed in the Exchange server’s %TMP% folder.”
Hi Paul,
this is (as usual) an excellent resource and very much appreciated, thank you.
If we change TemporaryStoragePath in EdgeTransport.exe.config (for example by using MoveTransportDatabase.ps1 with the -TemporaryStoragePath switch) then I guess the need to scan c:\temp is removed (our AV guys were really concerned about configuring that one…)
If we make this change then I think the script won’t realise we’ve changed the path as it just reads the %TMP% variable at line 185?
Again, many thanks for publishing this.
Sounds reasonable. Just make sure that change isn’t overwritten with each new CU you apply. Or if it is, that you re-apply the change.
Really useful. Thanks!
Hi Paul
Will this work fine for Exchange 2016?
Probably yes, but I haven’t gone through the 2016 article here (https://technet.microsoft.com/en-us/library/bb332342(v=exchg.160).aspx) to confirm yet.
So in reviewing Microsoft’s AV Exclusion list for Exchange Server 2016 (https://technet.microsoft.com/en-us/library/bb332342(v=exchg.160).aspx) there are a few things that I found are missing after running the Get-Exchange2013AvExclusion.ps1
-File Extensions
.jfm
– Processes
ComplianceAuditService.exe
MSExchangeCompliance.exe
Microsoft.Exchange.Notifications.Broker.exe
wsbexchange.exe
-File Paths
%ExchangeInstallPath%TransportRoles\Data\Temp
%ExchangeInstallPath%TransportRoles\Data\SenderReputation
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
%ExchangeInstallPath%TransportRoles\Logs
– Get-TransportService -Identity | FL *Logpath,*Tracingpath
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\LatencyLog
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\GeneralLog
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\TransportHttp
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Mailbox\PipelineTracing
Please note that these are exclusions only for Exchange. If you install other software on the same server (which IMHO should only be Exchange related), they might require exclusions as well.
I’ve seen corrupt backups due to the agent process not being excluded…
Great idea, thanks! How did we live without it? 🙂
Thanks Great script !
Rob,
I wrote a similar script for Exchange 2010 a long time ago
Should do the job.
http://www.weeta.net/page/scripts
Rgds
Stéphane
Any idea of where I can get this now as the link is invalid?
Many thanks
Shaun
great script!!!!
any idea whether this would work with exchange 2010?
The same sort of thing would work but Microsoft publishes a different set of AV exclusion recommendations for each different version of Exchange.