Applies to: Exchange Server 2013
Topic Last Modified: 2013-03-04
This topic describes the effects of file-level antivirus programs on computers that are running Microsoft Exchange Server 2013. If you implement the recommendations described in this topic, you can help enhance the security and health of your Exchange organization.
File-level scanners are frequently used. However, if they are configured incorrectly, they can cause problems in Exchange 2013. There are two types of file-level scanners:
- Memory-resident file-level scanning refers to a part of
file-level antivirus software that is loaded in memory at all
times. It checks all the files that are used on the hard disk and
in computer memory.
- On-demand file-level scanning refers to a part of
file-level antivirus software that you can configure to scan files
on the hard disk manually or on a schedule. Some versions of
antivirus software start the on-demand scan automatically after
virus signatures are updated to make sure that all files are
scanned with the latest signatures.
The following problems may occur when you use file-level scanners with Exchange 2013:
- File-level scanners may scan a file when the file is being used
or at a scheduled interval. This can cause the scanners to lock or
quarantine an Exchange log or a database file while Exchange 2013
tries to use the file. This behavior may cause a severe failure in
Exchange 2013 and may also cause -1018 event log errors.
- File-level scanners don't provide protection against email
viruses, such as Storm Worm. Storm Worm was a backdoor Trojan horse
program that propagated itself through email messages. The worm
joined the infected computer to a botnet, where the computer was
used to send spam in periodic bursts.
Recommendations for using file-level scanning with Exchange 2013
If you're deploying file-level scanners on Exchange 2013 servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both memory-resident and file-level scanning. This section describes recommended directory exclusions, process exclusions, and file name extension exclusions.
Directory exclusions
You must exclude specific directories for each Exchange server on which you run a file-level antivirus scanner. This section describes the directories that you should exclude from file-level scanning.
- Mailbox servers
  - Mailbox databases
    - Exchange databases, checkpoint files, and log files. By default, these are located in subfolders under the %ExchangeInstallPath%Mailbox folder. To determine the location of a mailbox database, transaction log, and checkpoint file, run the following command in the Exchange Management Shell:
      Get-MailboxDatabase -Server <servername> | Format-List *path*
    - Database content indexes. By default, these are located in the same folder as the database file.
    - Group Metrics files. By default, these files are located in the %ExchangeInstallPath%GroupMetrics folder.
    - General log files, such as message tracking and calendar repair log files. By default, these files are located in subfolders under the %ExchangeInstallPath%TransportRoles\Logs folder and the %ExchangeInstallPath%Logging folder. To determine the log paths being used, run the following command in the Exchange Management Shell:
      Get-MailboxServer <servername> | Format-List *path*
    - The Offline Address Book files. By default, these are located in subfolders under the %ExchangeInstallPath%ClientAccess\OAB folder.
    - IIS system files in the %SystemRoot%\System32\Inetsrv folder.
    - The Mailbox database temporary folder: %ExchangeInstallPath%Mailbox\MDBTEMP
  - Members of Database Availability Groups
    - All the items listed in the Mailbox databases list, and the cluster quorum database that exists at %Windir%\Cluster.
    - The witness directory files. These files are located on another server in the environment, typically a Client Access server that isn't installed on the same computer as a Mailbox server. By default, the witness directory files are located in %SystemDrive%\DAGFileShareWitnesses\<DAGFQDN>.
  - Transport service
    - Log files, for example, message tracking and connectivity logs. By default, these files are located in subfolders under the %ExchangeInstallPath%TransportRoles\Logs folder. To determine the log paths being used, run the following command in the Exchange Management Shell:
      Get-TransportService <servername> | Format-List *logpath*,*tracingpath*
    - Pickup and Replay message directory folders. By default, these folders are located under the %ExchangeInstallPath%TransportRoles folder. To determine the paths being used, run the following command in the Exchange Management Shell:
      Get-TransportService <servername> | Format-List *dir*path*
    - The queue databases, checkpoints, and log files. By default, these are located in the %ExchangeInstallPath%TransportRoles\Data\Queue folder.
    - The Sender Reputation database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%TransportRoles\Data\SenderReputation folder.
    - The temporary folders that are used to perform conversions:
      - By default, content conversions are performed in the Exchange server's %TMP% folder.
      - By default, OLE conversions are performed in the %ExchangeInstallPath%Working\OleConverter folder.
    - The content scanning component that is used by the Malware agent and data loss prevention (DLP). By default, these files are located in the %ExchangeInstallPath%FIP-FS folder.
  - Mailbox Transport service
    - Log files, for example, connectivity logs. By default, these files are located in subfolders under the %ExchangeInstallPath%TransportRoles\Logs\Mailbox folder. To determine the log paths being used, run the following command in the Exchange Management Shell:
      Get-MailboxTransportService <servername> | Format-List *logpath*
  - Unified Messaging
    - The grammar files for different locales, for example en-EN or es-ES. By default, these are stored in subfolders of the %ExchangeInstallPath%UnifiedMessaging\grammars folder.
    - The voice prompts, greetings, and informational message files. By default, these are stored in subfolders of the %ExchangeInstallPath%UnifiedMessaging\Prompts folder.
    - The voicemail files that are temporarily stored in the %ExchangeInstallPath%UnifiedMessaging\voicemail folder.
    - The temporary files generated by Unified Messaging. By default, these are stored in the %ExchangeInstallPath%UnifiedMessaging\temp folder.
- Client Access servers
  - Web components
    - For servers using Internet Information Services (IIS) 7.0, the compression folder that is used with Microsoft Outlook Web App. By default, the compression folder for IIS 7.0 is located at %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files.
    - IIS system files in the %SystemRoot%\System32\Inetsrv folder.
    - The IIS log files in the Inetpub\logs\logfiles\w3svc folder.
  - POP3 and IMAP4 protocol logging
    - POP3 folder: %ExchangeInstallPath%Logging\POP3
    - IMAP4 folder: %ExchangeInstallPath%Logging\IMAP4
  - Front End Transport service
    - Log files, for example, connectivity logs and protocol logs. By default, these files are located in subfolders under the %ExchangeInstallPath%TransportRoles\Logs\FrontEnd folder. To determine the log paths being used, run the following command in the Exchange Management Shell:
      Get-FrontEndTransportService <servername> | Format-List *logpath*
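The directory list above mixes fixed default locations with locations that can only be found by querying the server, which is why the topic keeps pointing at Get-* cmdlets. The following script is an added example, not code from the TechNet topic: it assembles the exclusion list for one Exchange 2013 server from the installation-relative defaults plus whatever the same cmdlets report, so a database or log folder that was moved off its default is still covered. It assumes it runs in the Exchange Management Shell on the server itself (Setup defines $env:ExchangeInstallPath) and that the optional -Apply switch targets Windows Defender through Add-MpPreference; any other scanner gets the printed list through its own tooling.

```powershell
# Added example, not part of the TechNet topic: collect the directory exclusions the
# topic lists for one Exchange 2013 server, combining the installation-relative defaults
# with the locations reported by the same Get-* cmdlets the topic uses, so databases or
# logs that were moved off the defaults are still covered.
# Assumptions: runs in the Exchange Management Shell on the server itself (Setup sets
# $env:ExchangeInstallPath); the optional -Apply switch targets Windows Defender through
# Add-MpPreference. Any other scanner needs the printed list entered with its own tooling.
param(
    [string]$Server = $env:COMPUTERNAME,
    [switch]$Apply
)

# Return every property matching the topic's Format-List filters (*path*, *logpath*, ...)
# that holds a rooted local path. A file path (an .edb, for example) is reduced to its folder.
function Get-PathProperties {
    param($Objects, [string[]]$Filters)
    foreach ($obj in @($Objects)) {
        foreach ($prop in $obj.PSObject.Properties) {
            $matched = $Filters | Where-Object { $prop.Name -like $_ }
            if (-not $matched -or -not $prop.Value) { continue }
            $value = [string]$prop.Value
            if ($value -notmatch '^[A-Za-z]:\\') { continue }   # skip UNC and non-path values
            if (Test-Path -LiteralPath $value -PathType Leaf) { Split-Path -Parent $value } else { $value }
        }
    }
}

$paths = New-Object System.Collections.Generic.List[string]

# Default locations from the topic, relative to %ExchangeInstallPath%. Database, log and
# content-index folders are not listed here: they are discovered below from the live config.
$installRelative = @(
    'Mailbox\MDBTEMP', 'GroupMetrics', 'TransportRoles\Logs', 'Logging', 'ClientAccess\OAB',
    'TransportRoles\Data\Queue', 'TransportRoles\Data\SenderReputation', 'Working\OleConverter',
    'FIP-FS', 'UnifiedMessaging\grammars', 'UnifiedMessaging\Prompts',
    'UnifiedMessaging\voicemail', 'UnifiedMessaging\temp'
)
foreach ($rel in $installRelative) { $paths.Add((Join-Path $env:ExchangeInstallPath $rel)) }

# System locations from the topic: IIS files, IIS compression and log folders,
# the content-conversion temp folder, and the cluster quorum database on DAG members.
$paths.Add((Join-Path $env:SystemRoot 'System32\Inetsrv'))
$paths.Add((Join-Path $env:SystemDrive 'inetpub\temp\IIS Temporary Compressed Files'))
$paths.Add((Join-Path $env:SystemDrive 'inetpub\logs\logfiles\w3svc'))   # assumed under the system drive
$paths.Add($env:TMP)
$paths.Add((Join-Path $env:windir 'Cluster'))

# Locations actually in use, discovered with the topic's own cmdlets.
$discovered = @(
    Get-PathProperties (Get-MailboxDatabase -Server $Server) '*path*'
    Get-PathProperties (Get-MailboxServer $Server) '*path*'
    Get-PathProperties (Get-TransportService $Server) '*logpath*', '*tracingpath*', '*dir*path*'
    Get-PathProperties (Get-MailboxTransportService $Server) '*logpath*'
    Get-PathProperties (Get-FrontEndTransportService $Server) '*logpath*'
)
foreach ($d in $discovered) { $paths.Add($d) }

# Normalise, de-duplicate and print; the printed list is what you hand to the scanner.
$exclusions = $paths | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique
$exclusions

if ($Apply) {
    Add-MpPreference -ExclusionPath $exclusions   # Windows Defender only; appends to existing exclusions
}
```

Run it without -Apply first and review the output: discovered paths that sit outside the Exchange installation folder (a database on a dedicated volume, for instance) are exactly the ones a copy-and-paste of the defaults would miss. Re-run it after any database or log path change, since the scanner's exclusion list does not follow Exchange configuration on its own.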
Process exclusions
Many file-level scanners now support the scanning of processes, which can adversely affect Microsoft Exchange if the incorrect processes are scanned. Therefore, you should exclude the following processes from file-level scanners.
- Cdb.exe
- Cidaemon.exe
- Clussvc.exe
- Dsamain.exe
- EdgeCredentialSvc.exe
- EdgeTransport.exe
- ExFBA.exe
- Inetinfo.exe
- Microsoft.Exchange.AntispamUpdateSvc.exe
- Microsoft.Exchange.ContentFilter.Wrapper.exe
- Microsoft.Exchange.Diagnostics.Service.exe
- Microsoft.Exchange.Directory.TopologyService.exe
- Microsoft.Exchange.EdgeSyncSvc.exe
- Microsoft.Exchange.Imap4.exe
- Microsoft.Exchange.Imap4service.exe
- Microsoft.Exchange.Monitoring.exe
- Microsoft.Exchange.Pop3.exe
- Microsoft.Exchange.Pop3service.exe
- Microsoft.Exchange.ProtectedServiceHost.exe
- Microsoft.Exchange.RPCClientAccess.Service.exe
- Microsoft.Exchange.Search.Service.exe
- Microsoft.Exchange.Servicehost.exe
- Microsoft.Exchange.Store.Service.exe
- Microsoft.Exchange.Store.Worker.exe
- Microsoft.Exchange.TransportSyncManagerSvc.exe
- Microsoft.Exchange.UM.CallRouter.exe
- MSExchangeDelivery.exe
- MSExchangeFrontendTransport.exe
- MSExchangeHMHost.exe
- MSExchangeHMWorker.exe
- MSExchangeLESearchWorker.exe
- MSExchangeMailboxAssistants.exe
- MSExchangeMailboxReplication.exe
- MSExchangeRepl.exe
- MSExchangeSubmission.exe
- MSExchangeTransport.exe
- MSExchangeTransportLogSearch.exe
- MSExchangeThrottling.exe
- Msftefd.exe
- Msftesql.exe
- OleConverter.exe
- Powershell.exe
- ScanEngineTest.exe
- ScanningProcess.exe
- TranscodingService.exe
- UmService.exe
- UmWorkerProcess.exe
- UpdateService.exe
- W3wp.exe
File name extension exclusions
In addition to excluding specific directories and processes, you should exclude the following Exchange-specific file name extensions in case directory exclusions fail or files are moved from their default locations.
- Application-related extensions:
  - .config
  - .dia
  - .wsb
- Database-related extensions:
  - .chk
  - .edb
  - .jrs
  - .jsl
  - .log
  - .que
- Offline address book-related extensions:
  - .lzx
- Content Index-related extensions:
  - .ci
  - .dir
  - .wid
  - .000
  - .001
  - .002
- Unified Messaging-related extensions:
  - .cfg
  - .grxml
- Group Metrics-related extensions:
  - .dsc
  - .txt
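The process and extension lists are easy to enter once and then drift from, so the practical follow-up is an audit that compares what the scanner actually holds with what the topic expects. The script below is an added example, not code from the TechNet topic: it checks a Windows Defender host against the process and file name extension exclusions listed above, reports which unexcluded Exchange processes are running right now, and counts the ESE -1018 errors the topic names at the start as a symptom of a scanner locking a database or log file. It assumes the Defender PowerShell module (Get-MpPreference) is present and that ESE writes to the Application log under the provider name ESE; other scanners expose their exclusion lists through their own tooling.

```powershell
# Added example, not part of the TechNet topic: audit one server's scanner against the
# process and file name extension exclusions the topic lists, and look for the -1018
# ESE errors the topic names as a symptom of a scanner locking a database or log file.
# Assumptions: Windows Defender with its PowerShell module (Get-MpPreference); ESE events
# are assumed to appear in the Application log under provider name 'ESE'. Other scanners
# expose their exclusion lists through their own tooling.

# Process list from the topic.
$expectedProcesses = @(
    'Cdb.exe', 'Cidaemon.exe', 'Clussvc.exe', 'Dsamain.exe', 'EdgeCredentialSvc.exe',
    'EdgeTransport.exe', 'ExFBA.exe', 'Inetinfo.exe',
    'Microsoft.Exchange.AntispamUpdateSvc.exe', 'Microsoft.Exchange.ContentFilter.Wrapper.exe',
    'Microsoft.Exchange.Diagnostics.Service.exe', 'Microsoft.Exchange.Directory.TopologyService.exe',
    'Microsoft.Exchange.EdgeSyncSvc.exe', 'Microsoft.Exchange.Imap4.exe',
    'Microsoft.Exchange.Imap4service.exe', 'Microsoft.Exchange.Monitoring.exe',
    'Microsoft.Exchange.Pop3.exe', 'Microsoft.Exchange.Pop3service.exe',
    'Microsoft.Exchange.ProtectedServiceHost.exe', 'Microsoft.Exchange.RPCClientAccess.Service.exe',
    'Microsoft.Exchange.Search.Service.exe', 'Microsoft.Exchange.Servicehost.exe',
    'Microsoft.Exchange.Store.Service.exe', 'Microsoft.Exchange.Store.Worker.exe',
    'Microsoft.Exchange.TransportSyncManagerSvc.exe', 'Microsoft.Exchange.UM.CallRouter.exe',
    'MSExchangeDelivery.exe', 'MSExchangeFrontendTransport.exe', 'MSExchangeHMHost.exe',
    'MSExchangeHMWorker.exe', 'MSExchangeLESearchWorker.exe', 'MSExchangeMailboxAssistants.exe',
    'MSExchangeMailboxReplication.exe', 'MSExchangeRepl.exe', 'MSExchangeSubmission.exe',
    'MSExchangeTransport.exe', 'MSExchangeTransportLogSearch.exe', 'MSExchangeThrottling.exe',
    'Msftefd.exe', 'Msftesql.exe', 'OleConverter.exe', 'Powershell.exe', 'ScanEngineTest.exe',
    'ScanningProcess.exe', 'TranscodingService.exe', 'UmService.exe', 'UmWorkerProcess.exe',
    'UpdateService.exe', 'W3wp.exe'
)
# Extension list from the topic.
$expectedExtensions = @(
    '.config', '.dia', '.wsb',                          # application
    '.chk', '.edb', '.jrs', '.jsl', '.log', '.que',     # database
    '.lzx',                                             # offline address book
    '.ci', '.dir', '.wid', '.000', '.001', '.002',      # content index
    '.cfg', '.grxml',                                   # Unified Messaging
    '.dsc', '.txt'                                      # Group Metrics
)

# Return the expected entries that have no configured counterpart. Both sides pass through
# $Normalize so that 'C:\...\W3wp.exe' matches 'W3wp.exe' and 'edb' matches '.edb'.
function Get-MissingExclusions {
    param([string[]]$Expected, [string[]]$Configured, [scriptblock]$Normalize)
    $have = @{}
    foreach ($c in @($Configured)) { if ($c) { $have[(& $Normalize $c)] = $true } }
    foreach ($e in $Expected) { if (-not $have.ContainsKey((& $Normalize $e))) { $e } }
}

$pref = Get-MpPreference
$missingProcesses  = @(Get-MissingExclusions $expectedProcesses  $pref.ExclusionProcess   { param($p) (Split-Path -Leaf $p).ToLowerInvariant() })
$missingExtensions = @(Get-MissingExclusions $expectedExtensions $pref.ExclusionExtension { param($e) $e.TrimStart('.').ToLowerInvariant() })

# Of the unexcluded processes, which ones are running right now: those are the live exposure.
$runningUnexcluded = @()
if ($missingProcesses.Count -gt 0) {
    $names = $missingProcesses | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
    $runningUnexcluded = @(Get-Process -Name $names -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty ProcessName -Unique)
}

# Symptom check from the topic: ESE errors reporting -1018 in the last 7 days.
$since = (Get-Date).AddDays(-7)
$eseErrors = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ESE'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '-1018' })

[pscustomobject]@{
    MissingProcessExclusions   = $missingProcesses
    RunningWithoutExclusion    = $runningUnexcluded
    MissingExtensionExclusions = $missingExtensions
    Ese1018EventsLast7Days     = $eseErrors.Count
}
```

Two things worth knowing when reading the result. A non-zero Ese1018EventsLast7Days count on a server whose exclusions are complete points at something other than the scanner (storage is the usual suspect), so the count is a symptom check, not proof of cause. And in most scanners, Windows Defender included, extension exclusions are host-wide, so excluding .log, .txt and .config removes those file types from scanning everywhere on the server, not only under the Exchange folders; the topic asks for them as a safety net behind the directory exclusions, and that trade-off is the reason to keep the directory and process exclusions accurate rather than leaning on the extension list.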