Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-10-03
This topic describes the effects of file-level antivirus programs on computers that are running Microsoft Exchange Server 2010. If you implement the recommendations described in this topic, you can help enhance the security and health of your Exchange organization.
File-level scanners are frequently used. However, if they are configured incorrectly, they can cause problems in Exchange 2010. There are two types of file-level scanners:
- Memory-resident file-level scanning refers to a part of
file-level antivirus software that is loaded in memory at all
times. It checks all the files that are used on the hard disk and
in computer memory.
- On-demand file-level scanning refers to a part of
file-level antivirus software that you can configure to scan files
on the hard disk manually or on a schedule. Some versions of
antivirus software start the on-demand scan automatically after
virus signatures are updated to make sure that all files are
scanned with the latest signatures.
The following problems may occur when you use file-level scanners with Exchange 2010:
- File-level scanners may scan a file while it is in use or at a
scheduled interval. This can cause the scanner to lock or
quarantine an Exchange log or database file at the moment Microsoft
Exchange is trying to use it. This behavior may cause a severe
failure in Microsoft Exchange and may also cause -1018
(JET_errReadVerifyFailure) database errors.
- File-level scanners don't provide protection against e-mail
viruses, such as the Storm Worm. Storm Worm was a backdoor Trojan
horse virus that propagated itself through e-mail messages. The
worm joined the infected computer to a botnet, where the computer
was used to send spam e-mail messages in periodic bursts. Such
viruses can affect the performance of the computer and the network
that it is attached to.
Recommendations for Using File-Level Scanning with Exchange 2010
If you're deploying file-level scanners on Exchange 2010 servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both memory-resident and on-demand scanning. This section describes directory exclusions, process exclusions, and file name extension exclusions for each server or server role.
Directory Exclusions
You must exclude specific directories for each Exchange server or server role on which you run a file-level antivirus scanner. This section describes the directories that you should exclude from file-level scanning for each server or server role.
- Mailbox server role
- Exchange databases, checkpoint files, and log files. By
default, these are located in sub-folders under the
%ExchangeInstallPath%\Mailbox folder. To determine the location of
each mailbox database, its transaction logs, and its checkpoint
file, run the following command in the Exchange Management Shell:
Get-MailboxDatabase -Server <servername> | Format-List *path*
- Database content indexes. By default, these are located in the
same folder as the database file.
- Group Metrics files. By default, these files are located in the
%ExchangeInstallPath%\GroupMetrics folder.
- General log files, such as message tracking and calendar repair
log files. By default, these files are located in subfolders under
the %ExchangeInstallPath%\TransportRoles\Logs folder and
%ExchangeInstallPath%\Logging folder. To determine the log paths
being used, run the following command in the Exchange Management
Shell:
Get-MailboxServer <servername> | format-list *path*
- The Offline Address Book files. By default, these are located
in subfolders under the %ExchangeInstallPath%\ExchangeOAB
folder
- IIS system files in the %SystemRoot%\System32\Inetsrv
folder
- The temporary folder that is used with offline maintenance
utilities, such as Eseutil.exe. By default, this folder is the
location where the .exe file is run from. However, you can
configure where you perform the operation when you run the
utility.
- The Mailbox database temporary folder:
%ExchangeInstallPath%\Mailbox\MDBTEMP
- Any Exchange-aware antivirus program folders
- Mailbox server that is a member of a Database Availability Group
All the items listed for the Mailbox server role, plus the
%Winnt%\Cluster folder.
- Witness server
- The witness directory files. These are located on another
server in the environment, typically a Hub Transport server. By
default, these files are located in
%SystemDrive%\DAGFileShareWitnesses\<DAGFQDN> on that server and
are exposed through the default share named <DAGFQDN>. For more
information about a database availability group (DAG) and witness
servers, see Managing Database Availability Groups.
- Hub Transport server role
- General log files, for example, message tracking and
connectivity logs. By default, these files are located in
subfolders under the %ExchangeInstallPath%\TransportRoles\Logs
folder. To determine the log paths being used, run the following
command in the Exchange Management Shell:
Get-TransportServer <servername> | Format-List *logpath*,*tracingpath*
- Pickup and Replay message directory folders. By default, these
folders are located under the %ExchangeInstallPath%\TransportRoles
folder. To determine the paths being used, run the following
command in the Exchange Management Shell:
Get-TransportServer <servername> | Format-List *dir*path*
- The transport server role queue database, checkpoint, and log
files. By default, these are located in the
%ExchangeInstallPath%\TransportRoles\Data\Queue folder. For more
information, see Managing Transport
Queues.
- The transport server role Sender Reputation database,
checkpoint, and log files. By default, these are located in the
%ExchangeInstallPath%\TransportRoles\Data\SenderReputation
folder.
- The transport server role IP filter database, checkpoint, and
log files. By default, these are located in the
%ExchangeInstallPath%\TransportRoles\Data\IpFilter folder.
- The temporary folders that are used to perform conversions:
- By default, content conversions are performed in the Exchange
server’s TMP folder.
- By default, OLE conversions are performed in
%ExchangeInstallPath%\Working\OleConvertor folder.
- Any Exchange-aware antivirus program folders
- Edge Transport server role
- The Active Directory Lightweight Directory Service database (AD
LDS) and log files. By default, these are located in the
%ExchangeInstallPath%\TransportRoles\Data\Adam folder. For more
information about AD LDS database files, see Modify AD LDS
Configuration.
- General log files, for example message tracking. By default,
these files are located in subfolders under the
%ExchangeInstallPath%\TransportRoles\Logs folder. To determine the
log paths being used, run the following command in the Exchange
Management Shell:
Get-TransportServer <servername> | format-list *logpath*,*tracingpath*
- The Pickup and Replay message folders. By default, these are
located under the %ExchangeInstallPath%\TransportRoles folder. To
determine the paths being used, run the following command in the
Exchange Management Shell:
Get-TransportServer <servername> | Format-List *dir*path*
- The transport server role queue database, checkpoint, and log
files. By default, these are located in the
%ExchangeInstallPath%\TransportRoles\Data\Queue folder. For more
information about transport server queues, see Managing Transport
Queues.
- The transport server role Sender Reputation database,
checkpoint, and log files. By default, these are located in the
%ExchangeInstallPath%\TransportRoles\Data\SenderReputation
folder
- The transport server role IP filter database, checkpoint, and
log files. By default, these are located in the
%ExchangeInstallPath%\TransportRoles\Data\IpFilter folder
- The temporary folders that are used to perform conversions:
- By default, content conversions are performed in the server’s
TMP folder.
- By default, OLE conversions are performed in
%ExchangeInstallPath%\Working\OleConvertor folder.
- Any Exchange-aware antivirus program folders
- Client Access server role
- For servers using Internet Information Services (IIS) 7.0, the
compression folder that is used with Microsoft Outlook Web
App. By default, the compression folder for IIS 7.0 is located at
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files.
- For servers using IIS 6.0, the compression folder that is used
with Microsoft Outlook Web App. By default, the compression
folder for IIS 6.0 is located at %systemroot%\IIS Temporary
Compressed Files. For more information about possible errors
resulting from scanning the IIS compression folder, see Microsoft
Knowledge Base article 817442, A 0-byte file may be returned when compression
is enabled on a server that is running IIS.
- IIS system files in the %SystemRoot%\System32\Inetsrv
folder
- The IIS web server log files, by default in the
Inetpub\logs\logfiles\w3svc folder
- The Internet-related files that are stored in the sub-folders
of the %ExchangeInstallPath%\ClientAccess folder
- For servers that have protocol logging enabled for POP3 or
IMAP4, the following folders:
- POP3 folder: %ExchangeInstallPath%\Logging\POP3
- IMAP4 folder: %ExchangeInstallPath%\Logging\IMAP4
- The temporary folders that are used to perform conversions:
- By default, content conversions are performed in the server’s
TMP folder.
- By default, OLE conversions are performed in
%ExchangeInstallPath%\Working\OleConvertor folder.
- Unified Messaging server role
- The grammar files for different locales, for example en-EN or
es-ES. By default, these are stored in the subfolders in the
%ExchangeInstallPath%\UnifiedMessaging\grammars folder.
- The voice prompts, greetings and informational message files.
By default, these are stored in the subfolders in the
%ExchangeInstallPath%\UnifiedMessaging\Prompts folder
- The voicemail files that are temporarily stored in the
%ExchangeInstallPath%\UnifiedMessaging\voicemail folder.
- The temporary files generated by Unified Messaging. By default,
these are stored in the %ExchangeInstallPath%\UnifiedMessaging\temp
folder.
- Microsoft Forefront Protection for Exchange
- The Forefront installation folder. By default, this is %Program
Files (x86)%\Microsoft Forefront Protection for Exchange
Server\.
- Any archived messages. By default, these are stored in the
%Program Files (x86)%\Microsoft Forefront Protection for Exchange
Server\Data\Archive folder.
- Any quarantined files. By default, these are stored in the
%Program Files (x86)%\Microsoft Forefront Protection for Exchange
Server\Data\Quarantine folder.
- The antivirus engine files. By default, these are stored in the
subfolders of %Program Files (x86)%\Microsoft Forefront Protection
for Exchange Server\Data\Engines\x86 folder or the %Program Files
(x86)%\Microsoft Forefront Protection for Exchange
Server\Data\Engines\amd64 folder.
- The configuration files. By default, these are stored in the
%Program Files (x86)%\Microsoft Forefront Protection for Exchange
Server\Data folder.
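The defaults above only hold until someone moves a database or a log folder. As an added example (it is not part of the original article), the following script builds the directory exclusion list for the roles installed on the local server from the live configuration, using the same cmdlets the article cites, so a relocated database, log folder or checkpoint folder is still covered. It assumes it is run inside the Exchange Management Shell on the server being configured; the function name is an assumption, and the final Add-MpPreference step is only shown for scanners that expose a PowerShell exclusion API (Microsoft Defender Antivirus is not the scanner of the Windows Server versions Exchange 2010 runs on, and that step is skipped when the cmdlet is absent).

```powershell
# Added example, not from the original article. Run inside the Exchange
# Management Shell on the Exchange 2010 server you are configuring.
function Get-ExchangeAvDirectoryExclusions {
    param([string]$Server = $env:COMPUTERNAME)

    $installPath = $env:ExchangeInstallPath
    if (-not $installPath) {
        throw 'ExchangeInstallPath is not set; run this in the Exchange Management Shell.'
    }

    $paths = New-Object System.Collections.Generic.List[string]
    # ServerRole stringifies to e.g. "Mailbox, ClientAccess, HubTransport".
    $roles = [string](Get-ExchangeServer $Server).ServerRole

    if ($roles -match 'Mailbox') {
        foreach ($rel in 'GroupMetrics', 'ExchangeOAB', 'Mailbox\MDBTEMP') {
            $paths.Add((Join-Path $installPath $rel))
        }
        # Database file folder, transaction log folder and checkpoint
        # (system) folder, wherever they currently are.
        Get-MailboxDatabase -Server $Server | ForEach-Object {
            $paths.Add((Split-Path -Parent ([string]$_.EdbFilePath)))
            $paths.Add([string]$_.LogFolderPath)
            $paths.Add([string]$_.SystemFolderPath)
        }
        # Every *Path property (message tracking, calendar repair, ...).
        $mbx = Get-MailboxServer $Server
        $mbx.PSObject.Properties |
            Where-Object { $_.Name -like '*Path' -and $_.Value } |
            ForEach-Object { $paths.Add([string]$_.Value) }
        if ($mbx.DatabaseAvailabilityGroup) {          # DAG member: cluster folder too
            $paths.Add((Join-Path $env:SystemRoot 'Cluster'))
        }
    }
    if ($roles -match 'HubTransport|Edge') {
        foreach ($rel in 'TransportRoles\Data\Queue', 'TransportRoles\Data\SenderReputation',
                         'TransportRoles\Data\IpFilter', 'Working\OleConvertor') {
            $paths.Add((Join-Path $installPath $rel))
        }
        if ($roles -match 'Edge') { $paths.Add((Join-Path $installPath 'TransportRoles\Data\Adam')) }
        # Log, tracing, pickup/replay/drop directory paths from the running config.
        (Get-TransportServer $Server).PSObject.Properties |
            Where-Object { $_.Name -match 'LogPath$|TracingPath$|DirectoryPath$' -and $_.Value } |
            ForEach-Object { $paths.Add([string]$_.Value) }
    }
    if ($roles -match 'ClientAccess') {
        $paths.Add((Join-Path $installPath 'ClientAccess'))
        $paths.Add((Join-Path $env:SystemDrive 'inetpub\temp\IIS Temporary Compressed Files'))
        $paths.Add((Join-Path $installPath 'Logging\POP3'))
        $paths.Add((Join-Path $installPath 'Logging\IMAP4'))
    }
    if ($roles -match 'UnifiedMessaging') {
        foreach ($rel in 'UnifiedMessaging\grammars', 'UnifiedMessaging\Prompts',
                         'UnifiedMessaging\voicemail', 'UnifiedMessaging\temp') {
            $paths.Add((Join-Path $installPath $rel))
        }
    }
    $paths.Add((Join-Path $env:SystemRoot 'System32\Inetsrv'))

    # Folders that do not exist yet (MDBTEMP is created on demand) are kept
    # on purpose; the exclusion must be in place before the folder appears.
    $paths | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique
}

$exclusions = Get-ExchangeAvDirectoryExclusions
$exclusions | Set-Content -Path (Join-Path $env:TEMP 'exchange-av-exclusions.txt')

# Assumed scanner API: only runs where Microsoft Defender's module exists.
if (Get-Command Add-MpPreference -ErrorAction SilentlyContinue) {
    Add-MpPreference -ExclusionPath $exclusions
}
```

Re-run the script after any database move, log path change or role change; the output file is what you hand to whoever administers the scanner, and a diff against the previous run shows exactly which exclusions need adding.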
Process Exclusions
Many file-level scanners now support the scanning of processes, which can adversely affect Microsoft Exchange if the wrong processes are scanned. Therefore, you should exclude the following processes from file-level scanners. Note that several of these (for example W3wp.exe and Powershell.exe) are general-purpose hosts, so a process exclusion removes scanning from everything they touch; apply these exclusions on the Exchange servers only, and keep an Exchange-aware scanner in place to cover message content.
- Cdb.exe
- Cidaemon.exe
- Clussvc.exe
- Dsamain.exe
- EdgeTransport.exe
- ExFBA.exe
- GalGrammarGenerator.exe
- Inetinfo.exe
- Mad.exe
- Microsoft.Exchange.AddressBook.Service.exe
- Microsoft.Exchange.AntispamUpdateSvc.exe
- Microsoft.Exchange.ContentFilter.Wrapper.exe
- Microsoft.Exchange.EdgeCredentialSvc.exe
- Microsoft.Exchange.EdgeSyncSvc.exe
- Microsoft.Exchange.Imap4.exe
- Microsoft.Exchange.Imap4service.exe
- Microsoft.Exchange.Monitoring.exe
- Microsoft.Exchange.Pop3.exe
- Microsoft.Exchange.Pop3service.exe
- Microsoft.Exchange.ProtectedServiceHost.exe
- Microsoft.Exchange.RPCClientAccess.Service.exe
- Microsoft.Exchange.Search.Exsearch.exe
- Microsoft.Exchange.Servicehost.exe
- MSExchangeADTopologyService.exe
- MSExchangeFDS.exe
- MSExchangeMailboxAssistants.exe
- MSExchangeMailboxReplication.exe
- MSExchangeMailSubmission.exe
- MSExchangeRepl.exe
- MSExchangeThrottling.exe
- MSExchangeTransport.exe
- MSExchangeTransportLogSearch.exe
- Msftefd.exe
- Msftesql.exe
- OleConverter.exe
- Powershell.exe
- SESWorker.exe
- SpeechService.exe
- Store.exe
- TranscodingService.exe
- UmService.exe
- UmWorkerProcess.exe
- W3wp.exe
If you're also deploying Forefront Protection for Exchange Server, exclude the following processes.
- Adonavsvc.exe
- FscController.exe
- FscDiag.exe
- FscExec.exe
- FscImc.exe
- FscManualScanner.exe
- FscMonitor.exe
- FscRealtimeScanner.exe
- FscStarter.exe
- FscStatsServ.exe
- FscTransportScanner.exe
- FscUtility.exe
- FsEmailPickup.exe
- FssaClient.exe
- GetEngineFiles.exe
- PerfmonitorSetup.exe
- ScanEngineTest.exe
- SemSetup.exe
File Name Extension Exclusions
In addition to excluding specific directories and processes, you should exclude the following Exchange-specific file name extensions in case directory exclusions fail or files are moved from their default locations.
- Application-related extensions
  - .config
  - .dia
  - .wsb
- Database-related extensions
  - .chk
  - .edb
  - .jrs
  - .jsl
  - .log
  - .que
- Offline address book-related extensions
  - .lzx
- Content Index-related extensions
  - .000
  - .001
  - .002
  - .ci
  - .dir
  - .wid
- Unified Messaging-related extensions
  - .cfg
  - .grxml
- GroupMetrics-related extensions
  - .bin
  - .dsc
  - .xml
- Forefront Protection for Exchange Server-related extensions
  - .avc
  - .cab
  - .cfg
  - .config
  - .da1
  - .dat
  - .def
  - .dt
  - .fdb
  - .fdm
  - .ide
  - .key
  - .klb
  - .kli
  - .lst
  - .mdb
  - .ppl
  - .set
  - .v3d
  - .vdb
  - .vdm
The file name extensions listed for Forefront Protection for Exchange Server are those of the signature files used by the various antivirus engines that Forefront runs. In most cases, these file name extensions don't change. However, new extensions may appear in the future as the third-party engine vendors update their signature file formats.
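The extension list exists as a safety net for the case the article names: directory exclusions that failed, or files that were moved away from their default locations. As an added example (not from the original article), the following script audits for exactly that situation. It walks one or more roots, picks out files whose extension is on the list above, and reports those whose folder is not under any configured directory exclusion, which is the set of Exchange files the scanner would still open. It builds a small constructed folder tree under %TEMP% so it runs stand-alone; on a server, point -Roots at the data volumes and -ExcludedDirectories at the scanner's configured list. The function names and the sample tree are assumptions, and the script is written to run on the PowerShell 2.0 that shipped with Exchange 2010 era servers.

```powershell
# Added example, not from the original article. Finds Exchange-specific
# files that sit outside the directory exclusions and would be scanned.
$ExchangeExtensions = @(
    '.chk', '.jrs', '.log', '.edb', '.jsl', '.que',  # database and queue
    '.lzx',                                          # offline address book
    '.ci', '.wid', '.dir', '.000', '.001', '.002',   # content index
    '.cfg', '.grxml',                                # unified messaging
    '.dsc', '.bin', '.xml',                          # group metrics
    '.config', '.dia', '.wsb'                        # application
)

# True when $Path is the excluded directory itself or lies beneath one.
# Both sides are normalised with a trailing backslash so that an exclusion
# for C:\Data\DB1 does not accidentally cover C:\Data\DB10.
function Test-PathCovered {
    param([string]$Path, [string[]]$ExcludedDirectories)
    $full = [System.IO.Path]::GetFullPath($Path).TrimEnd('\') + '\'
    foreach ($dir in $ExcludedDirectories) {
        $prefix = [System.IO.Path]::GetFullPath($dir).TrimEnd('\') + '\'
        if ($full.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Find-UnexcludedExchangeFiles {
    param(
        [string[]]$Roots,
        [string[]]$ExcludedDirectories,
        [string[]]$Extensions = $ExchangeExtensions
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
            Where-Object { -not (Test-PathCovered -Path $_.DirectoryName -ExcludedDirectories $ExcludedDirectories) } |
            Select-Object FullName, Extension, Length
    }
}

# --- Constructed sample data (assumption): one database at the default
# location, a second one relocated to a folder the scanner was never told about.
$base    = Join-Path $env:TEMP ('exav-' + [guid]::NewGuid().ToString('N'))
$mailbox = Join-Path $base 'Program Files\Microsoft\Exchange Server\V14\Mailbox\DB01'
$moved   = Join-Path $base 'ExchangeData\DB02'
New-Item -ItemType Directory -Path $mailbox, $moved -Force | Out-Null
Set-Content -Path (Join-Path $mailbox 'DB01.edb')   -Value 'sample'
Set-Content -Path (Join-Path $mailbox 'E00.chk')    -Value 'sample'
Set-Content -Path (Join-Path $moved   'DB02.edb')   -Value 'sample'
Set-Content -Path (Join-Path $moved   'E01.log')    -Value 'sample'
Set-Content -Path (Join-Path $moved   'readme.txt') -Value 'sample'   # not Exchange-specific

$excluded = @((Join-Path $base 'Program Files\Microsoft\Exchange Server\V14\Mailbox'))
$hits = Find-UnexcludedExchangeFiles -Roots $base -ExcludedDirectories $excluded

# Reports DB02.edb and E01.log only: DB01.* are covered by the exclusion,
# readme.txt is not an Exchange extension.
$hits | Format-Table -AutoSize
Remove-Item -Path $base -Recurse -Force
```

Because .log, .xml, .bin and .config are generic extensions, hits on them outside Exchange folders are review items, not automatic exclusions. Keep both the directory and the process lists as narrow as the roles actually installed on the server: every excluded path or process is a place the file-level scanner will never look, so anything written there by an attacker is unscanned, and the Exchange-aware scanner the article recommends is what covers message content.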