It is a recommended practice to configure any antivirus software running on Exchange servers to exclude specific paths, processes, and file types. This recommendation is made to reduce the likelihood of your Exchange server experiencing a failure due to antivirus software locking a file or folder in a way that prevents Exchange from doing what it is trying to do. Such issues are actually quite common when antivirus software has not been configured to follow these recommendations, and usually surfaces as unpredictable failover behavior in database availability groups, as well as unexpected database dismounts.
Some time ago I published a PowerShell script that will scan an Exchange 2013 server and output a list of exclusions that follow the Microsoft recommendations. Exchange 2016 is a little different, with some items added to the list, as well as a few others removed from the list. Thanks to Matt K for pointing out several of the changes.
Today I’ve published a new script for generating Exchange 2016 antivirus exclusions. It works the same way as the 2013 version, you run the script locally on a server in the Exchange Management Shell, and then use the output files to configure your antivirus software manually or by importing the lists (Update: when installing Exchange 2016 CU3 or later on Windows Server 2016 you can also use the script to automatically configure the exclusions in Windows Defender). I made a few improvements this time around as well, so that different lists are output for Mailbox servers vs Edge Transport servers.
You can find the new script on the TechNet Script Gallery. I hope you find it helpful for your Exchange 2016 deployments.
Hey Paul, slight thing I noticed that wanted to bring to your attention (and perhaps I am wrong), is that the process exclusions the way its implemented will not exclude the processes but rather the files they touch (See below Defender link in next paragraph about what I mean). I thought by process exclusion section MS wants to exclude the actual processes from being scanned in here. (https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019)
you can refer to what I am saying in regards to how Windows Defender exclusion will be treated by the processexclusion flag in here: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus?view=o365-worldwide
the paragraph in the above link states: “When you add a process to the process exclusion list, Microsoft Defender Antivirus won’t scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the file exclusion list.”
so, instead of excluding the processes with the -exclusionprocess switch, they also must be excluded with the -exclusionpath switch. Refer to this to exclude a process
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus?view=o365-worldwide
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Paul isn’t involved with the site any longer and this is now an old article. Maintaining old content to match the progress of technology is always a challenge. We’ll take a look and see what we can do.
Thank you Tony and I agree regarding keeping context. I came across this article while researching and working on Exchange 2019 DATP exclusions on Windows Datacenter Core 2019. I saw another web blog from someone else also doing the exclusions the same way as here and noticed that some folks still looking into this one as a reference since practicle365 has been such a great resource to all of us. So, anyway, I thought it’s worthwhile to bring the point to the experts here. I’ll open a ticket with MS to have it verified/confirmed as to which DATP exclusion flag should be used for the Process exclusions section.
Thanks Paul, you are a legend. The link no longer works btw, but I managed to google it and found it on GitHub. For others: https://github.com/cunninghamp/ExchangeServerAntivirusExclusions
Hello Paul, I saw this script is not updated since February 2017, it’s still safe to run it on current Exchange 2016 version?
Thank you for your cooperation.
Best regards.
Script for Exchange 2019?
Hi Paul,
Great script but i have another question re antivirus scanning.
Is it still recommended to scan mailboxes using API’s? I remember this back in 5.5 but these days we use appliances at the edge to scan emails as they pass in/out. I’d be nervous using any 3rd party database/mailbox scanner but i’ve been asked to look into it and cant see many products available for EX 2013/2016.
Cheers
Mark
Cheers
Mark
Hi Paul,
Just to be sure, I install Exchange 2016, move the default database and log folders to my preferred location, then run your script, before starting any of the Exchange post install tasks?
Kind regards
Stephen
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Correct.
Hi Paul, I noticed when I ran the script on my Server2016/Exchange2016 setup that is listed the actual mailbox.edb file name in the list of Path (folder) Exclusions.
‘E:\Exchange_Databases\MailboxDB-01\MailboxDB-01.edb’
Shouldn’t it just be the containing folder?
‘E:\Exchange_Databases\MailboxDB-01’
Kind regards
Stephen
Thanks Paul for sharing & making our lives easier. can you please write same script for Domain controller.
thanks.
So helpful thanks for sharing.
Your articles and knowledge makes my life better 🙂
Paul I think it’s worth explicitly pointing out that
a) need to run in an administrator EMS
b) need to right click and Unblock the .ps1 file first
At least I did on a new 2016 server
Great useful script this one, so thanks
It would be great if the script put quotes around the paths, or better yet created a powershell script with Add-MpPreference -ExclusionPath “path” so you could run the output and aautomatically set up the exclusions.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Actually the script can already do the Windows Defender config for you. I’ve just updated the notes on the TechNet Script Gallery to include that usage example.
https://gallery.technet.microsoft.com/office/Generate-Antivirus-f1a9a59e
Awesome!