What folders should be excluded?
Mailbox Server Role:
You must exclude specific directories for each Exchange server or server role on which you run a file-level antivirus scanner. This section describes the directories that you should exclude from file-level scanning for each server or server role.
- Mailbox server role
- Exchange databases, checkpoint files, and log files across all storage groups. By default, these are located in sub-folders under the %Program Files%\Microsoft\Exchange Server\Mailbox folder. You can obtain the directory location by running the following commands in the Exchange Management Shell:
- To determine the location of a transaction log and checkpoint file, run the following command:
Get-StorageGroup -server <servername> | fl *path*
- To determine the location of a mailbox database, run the following command:
Get-MailboxDatabase -server <servername> | fl *path*
- To determine the location of a public folder database, run the following command:
Get-PublicFolderDatabase -server <servername> | fl *path*
- Database content indexes. By default, these are located in storage group sub-folders under the %Program Files%\Microsoft\Exchange Server\Mailbox folder.
- General log files, such as message tracking log files. These files are located in subfolders under the %Program Files%\Microsoft\Exchange Server\TransportRoles\Logs folder and %Program Files%\Microsoft\Exchange Server\Logging folder. To determine the log paths being used, run the following command in the Exchange Management Shell:
Get-MailboxServer <servername> | fl *path*
- The Offline Address Book files that are located in subfolders under the %Program Files%\Microsoft\Exchange Server\ExchangeOAB folder
- IIS system files in the %SystemRoot%\System32\Inetsrv folder
- The temporary folder that is used with offline maintenance utilities, such as Eseutil.exe. By default, this folder is the location where the .exe file is run from. However, you can configure where you perform the operation from when you run the utility.
- The temporary folders that are used to perform conversions:
- Content conversions are performed in the server’s TMP folder.
- OLE conversions are performed in the %Program Files%\Microsoft\Exchange Server\Working\OleConvertor folder.
- The Mailbox database temporary folder: %Program Files%\Microsoft\Exchange Server\Mailbox\MDBTEMP
- Any Exchange-aware antivirus program folders
Clustered Mailbox Server Role:
All the items listed in the Mailbox server role list, and the following:
- The quorum disk and the %Winnt%\Cluster folder
- The file share witness. This is located on another server in the environment, typically a Hub transport server.
Hub Transport Server Role:
General log files, for example, message tracking. These files are located in subfolders under the %Program Files%\Microsoft\Exchange Server\TransportRoles\Logs folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | fl *logpath*,*tracingpath*
The message folders that are located under the %Program Files%\Microsoft\Exchange Server\TransportRoles folder. To determine the paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | fl *dir*path*
The transport server role queue database, checkpoint, and log files that are located in the %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Queue folder. For more information about how to obtain the directory location if the queue database files have been moved from the default location, see Working with the Queue Database on Transport Servers.
The transport server role Sender Reputation database, checkpoint, and log files that are located in the %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation folder
The transport server role IP filter database, checkpoint, and log files that are located in the %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter folder
The temporary folders that are used to perform conversions:
- Content conversions are performed in the server’s TMP folder.
- OLE conversions are performed in the %Program Files%\Microsoft\Exchange Server\Working\OleConvertor folder.
Any Exchange-aware antivirus program folders
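The commands in the Mailbox and Hub Transport lists above can be combined into one pass that records every configured path and marks those outside the default install root, since paths that have been moved need their own exclusion entries. This is an added example, not part of the original article; Get-PathValue, $Server and $DefaultRoot are names chosen here, and the default root is assumed to be %Program Files%\Microsoft\Exchange Server as the article lists.

```powershell
# Added example (not from the original article). Run in the Exchange
# Management Shell on the server being configured. $Server, $DefaultRoot and
# Get-PathValue are names chosen for this example.
param(
    [string]$Server = $env:COMPUTERNAME,
    # Assumed default install root, matching the default folders listed above.
    [string]$DefaultRoot = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server')
)

function Get-PathValue {
    # Emit one record per non-empty property of $InputObject whose name
    # matches a pattern in $Patterns (the same match "fl *path*" displays).
    param($InputObject, [string[]]$Patterns, [string]$Source)
    foreach ($prop in $InputObject.PSObject.Properties) {
        if (-not $prop.Value) { continue }
        if (-not ($Patterns | Where-Object { $prop.Name -like $_ })) { continue }
        $path = [string]$prop.Value
        $isDefault = $path.ToLower().StartsWith($DefaultRoot.ToLower())
        New-Object PSObject |
            Add-Member NoteProperty Source $Source -PassThru |
            Add-Member NoteProperty Property $prop.Name -PassThru |
            Add-Member NoteProperty Path $path -PassThru |
            Add-Member NoteProperty UnderDefaultRoot $isDefault -PassThru
    }
}

$ea = 'SilentlyContinue'   # a role that is not installed returns nothing
$records = @()
# Mailbox role: storage groups, databases and server-level log paths
$records += @(Get-StorageGroup -Server $Server -ErrorAction $ea |
    ForEach-Object { Get-PathValue $_ '*path*' "StorageGroup: $($_.Name)" })
$records += @(Get-MailboxDatabase -Server $Server -ErrorAction $ea |
    ForEach-Object { Get-PathValue $_ '*path*' "MailboxDatabase: $($_.Name)" })
$records += @(Get-PublicFolderDatabase -Server $Server -ErrorAction $ea |
    ForEach-Object { Get-PathValue $_ '*path*' "PublicFolderDatabase: $($_.Name)" })
$records += @(Get-MailboxServer $Server -ErrorAction $ea |
    ForEach-Object { Get-PathValue $_ '*path*' 'MailboxServer' })
# Hub Transport role: log, tracing and message directory paths
$records += @(Get-TransportServer $Server -ErrorAction $ea |
    ForEach-Object { Get-PathValue $_ '*logpath*','*tracingpath*','*dir*path*' 'TransportServer' })

# Paths outside the default root are not covered by exclusions written for
# the default folders and need their own entries.
$records | Sort-Object Path -Unique |
    Format-Table UnderDefaultRoot, Path, Source, Property -AutoSize
```

Database properties such as the .edb file path name a file, so the folder to exclude is its parent directory.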
Edge Transport Server Role:
The Active Directory Application Mode (ADAM) database and log files that are located in the %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Adam folder. For more information about how to obtain the directory location if the ADAM database files have been moved from the default location, see How to Modify ADAM Configuration.
General log files, for example message tracking. These files are located in subfolders under the %Program Files%\Microsoft\Exchange Server\TransportRoles\Logs folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | fl *logpath*,*tracingpath*
The message folders that are located under the %Program Files%\Microsoft\Exchange Server\TransportRoles folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | fl *dir*path*
The transport server role queue database, checkpoint, and log files that are located in the %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Queue folder. For more information about how to obtain the directory location if the queue database files have been moved from the default location, see Working with the Queue Database on Transport Servers.
The transport server role Sender Reputation database, checkpoint, and log files that are located in the %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation folder
The transport server role IP filter database, checkpoint, and log files that are located in the %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter folder
The temporary folders that are used to perform conversions:
- Content conversions are performed in the server’s TMP folder.
- OLE conversions are performed in the %Program Files%\Microsoft\Exchange Server\Working\OleConvertor folder.
Any Exchange-aware antivirus program folders
Client Access Server Role:
The Internet Information Services (IIS) 6.0 compression folder that is used with Microsoft Outlook Web Access. By default, the compression folder in IIS 6.0 is located at %systemroot%\IIS Temporary Compressed Files.
For more information, see the Microsoft Knowledge Base article, IIS 6.0: Antivirus Scanning of IIS Compression Directory May Result in 0-Byte File.
IIS system files in the %SystemRoot%\System32\Inetsrv folder
The Internet-related files that are stored in the sub-folders of the %Program Files%\Microsoft\Exchange Server\ClientAccess folder
The temporary folder that is used to perform content conversion. By default, this is the server’s TMP folder.
Unified Messaging Server Role:
The grammar files that are stored in the subfolders in the %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\grammars folder
The voice prompts that are stored in the subfolders in the %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\Prompts folder
The voicemail files that are stored in the %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\voicemail folder
The bad voicemail files that are stored in the %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\badvoicemail folder
Forefront Security Server for Exchange role:
The archived messages that are stored in the %Program Files%\Microsoft ForeFront Security\Exchange Server\Data\Archive folder
The quarantined files that are stored in the %Program Files%\Microsoft ForeFront Security\Exchange Server\Data\Quarantine folder
The antivirus engine files that are stored in the subfolders of the %Program Files%\Microsoft ForeFront Security\Exchange Server\Data\Engines\x86 folder
The configuration files that are stored in the %Program Files%\Microsoft ForeFront Security\Exchange Server\Data folder
Microsoft Forefront Security for Exchange server on single copy clusters:
In addition to the directories that contain antivirus engine and configuration files, exclude the directory on the shared storage used for ForeFront data. To determine the path that ForeFront uses on an SCC, check the value of the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server\DatabasePath
Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
Which processes should be excluded?
- Cdb.exe
- Cidaemon.exe
- Cluster.exe
- Dsamain.exe
- Edgecredentialsvc.exe
- Edgetransport.exe
- Galgrammargenerator.exe
- Inetinfo.exe
- Mad.exe
- Microsoft.Exchange.Antispamupdatesvc.exe
- Microsoft.Exchange.Contentfilter.Wrapper.exe
- Microsoft.Exchange.Cluster.Replayservice.exe
- Microsoft.Exchange.Edgesyncsvc.exe
- Microsoft.Exchange.Imap4.exe
- Microsoft.Exchange.Imap4service.exe
- Microsoft.Exchange.Infoworker.Assistants.exe
- Microsoft.Exchange.Monitoring.exe
- Microsoft.Exchange.Pop3.exe
- Microsoft.Exchange.Pop3service.exe
- Microsoft.Exchange.Search.Exsearch.exe
- Microsoft.Exchange.Servicehost.exe
- Msexchangeadtopologyservice.exe
- Msexchangefds.exe
- Msexchangemailboxassistants.exe
- Msexchangemailsubmission.exe
- Msexchangetransport.exe
- Msexchangetransportlogsearch.exe
- Msftefd.exe
- Msftesql.exe
- Oleconverter.exe
- Powershell.exe
- Sesworker.exe
- Speechservice.exe
- Store.exe
- Transcodingservice.exe
- Umservice.exe
- Umworkerprocess.exe
- W3wp.exe
If Forefront is being deployed, exclude these as well:
- Adonavsvc.exe
- Fsccontroller.exe
- Fscdiag.exe
- Fscexec.exe
- Fscimc.exe
- Fscmanualscanner.exe
- Fscmonitor.exe
- Fscrealtimescanner.exe
- Fscstarter.exe
- Fscstatsserv.exe
- Fsctransportscanner.exe
- Fscutility.exe
- Fsemailpickup.exe
- Fssaclient.exe
- Getenginefiles.exe
- Perfmonitorsetup.exe
- Scanenginetest.exe
- Semsetup.exe
Extensions that can also be excluded in case any of the above items are moved to another directory:
- Application-related extensions
-
- Database-related extensions
-
- Offline Address Book-related extensions:
-
- Content Index-related extensions
- .ci, .wid, .001, .dir, .000, .002
- Unified Messaging-related extensions
-
- ForeFront Security for Exchange Server–related extensions
- .avc, .cab, .cfg, .config, .da1, .dat, .def, .dt, .fdb, .fdm, .ide, .key, .klb, .kli, .lst, .mdb, .ppl, .set, .v3d, .vdb, .vdm