File-Level Antivirus Scanning on Exchange 2010
Applies to: Exchange Server 2010 SP2, Exchange Server 2010 SP3
This topic describes the effects of file-level antivirus programs on computers that are running Microsoft Exchange Server 2010. If you implement the recommendations described in this topic, you can help enhance the security and health of your Exchange organization.
File-level scanners are frequently used. However, if they are configured incorrectly, they can cause problems in Exchange 2010. There are two types of file-level scanners:
Memory-resident file-level scanning refers to a part of file-level antivirus software that is loaded in memory at all times. It checks all the files that are used on the hard disk and in computer memory.
On-demand file-level scanning refers to a part of file-level antivirus software that you can configure to scan files on the hard disk manually or on a schedule. Some versions of antivirus software start the on-demand scan automatically after virus signatures are updated to make sure that all files are scanned with the latest signatures.
The following problems may occur when you use file-level scanners with Exchange 2010:
File-level scanners may scan a file when the file is being used or at a scheduled interval. This can cause the scanners to lock or quarantine an Exchange log or a database file while Microsoft Exchange tries to use the file. This behavior may cause a severe failure in Microsoft Exchange and may also cause -1018 errors.
File-level scanners don't provide protection against e-mail viruses, such as the Storm Worm. Storm Worm was a backdoor Trojan horse virus that propagated itself through e-mail messages. The worm joined the infected computer to a botnet, where the computer was used to send spam e-mail messages in periodic bursts. Such viruses can affect the performance of the computer and the network that it is attached to.
Recommendations for Using File-Level Scanning with Exchange 2010
If you're deploying file-level scanners on Exchange 2010 servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both memory-resident and file-level scanning. This section describes directory exclusions, process exclusions, and file name extension exclusions for each server or server role.
Directory Exclusions
You must exclude specific directories for each Exchange server or server role on which you run a file-level antivirus scanner. This section describes the directories that you should exclude from file-level scanning for each server or server role.
Mailbox server role
Exchange databases, checkpoint files, and log files. By default, these are located in sub-folders under the %ExchangeInstallPath%\Mailbox folder. You can obtain the directory location by running the following commands in the Exchange Management Shell:
- To determine the location of a mailbox database, transaction log, and checkpoint file, run the following command:
Get-MailboxDatabase -server <servername> | format-list *path*
Database content indexes. By default, these are located in the same folder as the database file.
Group Metrics files. By default, these files are located in the %ExchangeInstallPath%\GroupMetrics folder.
General log files, such as message tracking and calendar repair log files. By default, these files are located in subfolders under the %ExchangeInstallPath%\TransportRoles\Logs folder and %ExchangeInstallPath%\Logging folder. To determine the log paths being used, run the following command in the Exchange Management Shell:
Get-MailboxServer <servername> | format-list *path*
The Offline Address Book files. By default, these are located in subfolders under the %ExchangeInstallPath%\ExchangeOAB folder
IIS system files in the %SystemRoot%\System32\Inetsrv folder
The temporary folder that is used with offline maintenance utilities, such as Eseutil.exe. By default, this is the folder from which the .exe file is run. However, you can specify a different working location when you run the utility.
The Mailbox database temporary folder: %ExchangeInstallPath%\Mailbox\MDBTEMP
Any Exchange-aware antivirus program folders
Mailbox server that is a member of a database availability group
All the items listed for the Mailbox server role, plus the %Winnt%\Cluster folder.
Witness server
The witness directory files. These are located on another server in the environment, typically a Hub Transport server. By default, these files are located in %SystemDrive%\DAGFileShareWitnesses\<DAGFQDN> on that server and are exposed through a default share named <DAGFQDN>. For more information about a database availability group (DAG) and witness servers, see Managing Database Availability Groups.
Hub Transport server role
General log files, for example, message tracking and connectivity logs. By default, these files are located in subfolders under the %ExchangeInstallPath%\TransportRoles\Logs folder. To determine the log paths being used, run the following command in the Exchange Management Shell:
Get-TransportServer <servername> | format-list *logpath*,*tracingpath*
Pickup and Replay message directory folders. By default, these folders are located under the %ExchangeInstallPath%\TransportRoles folder. To determine the paths being used, run the following command in the Exchange Management Shell:
Get-TransportServer <servername> | format-list *dir*path*
The transport server role queue database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\Queue folder. For more information, see Managing Transport Queues.
The transport server role Sender Reputation database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\SenderReputation folder.
The transport server role IP filter database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\IpFilter folder.
The temporary folders that are used to perform conversions:
By default, content conversions are performed in the Exchange server’s TMP folder.
By default, OLE conversions are performed in %ExchangeInstallPath%\Working\OleConvertor folder.
Any Exchange-aware antivirus program folders
Edge Transport server role
The Active Directory Lightweight Directory Service database (AD LDS) and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\Adam folder. For more information about AD LDS database files, see Modify AD LDS Configuration.
General log files, for example message tracking. By default, these files are located in subfolders under the %ExchangeInstallPath%\TransportRoles\Logs folder. To determine the log paths being used, run the following command in the Exchange Management Shell:
Get-TransportServer <servername> | format-list *logpath*,*tracingpath*
The Pickup and Replay message folders. By default, these are located under the %ExchangeInstallPath%\TransportRoles folder. To determine the log paths being used, run the following command in the Exchange Management Shell:
Get-TransportServer <servername> | format-list *dir*path*
The transport server role queue database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\Queue folder. For more information about transport server queues, see Managing Transport Queues.
The transport server role Sender Reputation database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\SenderReputation folder
The transport server role IP filter database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\IpFilter folder
The temporary folders that are used to perform conversions:
By default, content conversions are performed in the server’s TMP folder.
By default, OLE conversions are performed in %ExchangeInstallPath%\Working\OleConvertor folder.
Any Exchange-aware antivirus program folders
Client Access server role
For servers using Internet Information Services (IIS) 7.0, the compression folder that is used with Microsoft Outlook Web App. By default, the compression folder for IIS 7.0 is located at %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files.
For servers using IIS 6.0, the compression folder that is used with Microsoft Outlook Web App. By default, the compression folder for IIS 6.0 is located at %systemroot%\IIS Temporary Compressed Files. For more information about possible errors resulting from scanning the IIS compression folder, see Microsoft Knowledge Base article 817442, A 0-byte file may be returned when compression is enabled on a server that is running IIS.
IIS system files in the %SystemRoot%\System32\Inetsrv folder
The IIS log files in the Inetpub\logs\logfiles\w3svc folder
The Internet-related files that are stored in the sub-folders of the %ExchangeInstallPath%\ClientAccess folder
For servers that have protocol logging enabled for POP3 or IMAP4, the following folders:
POP3 folder: %ExchangeInstallPath%\Logging\POP3
IMAP4 folder: %ExchangeInstallPath%\Logging\IMAP4
The temporary folders that are used to perform conversions:
By default, content conversions are performed in the server’s TMP folder.
By default, OLE conversions are performed in %ExchangeInstallPath%\Working\OleConvertor folder.
Temporary files in sub-folders of the %windir%\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files folder.
Unified Messaging server role
The grammar files for different locales, for example en-EN or es-ES. By default, these are stored in the subfolders in the %ExchangeInstallPath%\UnifiedMessaging\grammars folder.
The voice prompts, greetings and informational message files. By default, these are stored in the subfolders in the %ExchangeInstallPath%\UnifiedMessaging\Prompts folder
The voicemail files that are temporarily stored in the %ExchangeInstallPath%\UnifiedMessaging\voicemail folder.
The temporary files generated by Unified Messaging. By default, these are stored in the %ExchangeInstallPath%\UnifiedMessaging\temp folder.
Microsoft Forefront Protection for Exchange
The Forefront installation folder. By default, this is %Program Files (x86)%\Microsoft Forefront Protection for Exchange Server\.
Any archived messages. By default, these are stored in the %Program Files (x86)%\Microsoft Forefront Protection for Exchange Server\Data\Archive folder.
Any quarantined files. By default, these are stored in the %Program Files (x86)%\Microsoft Forefront Protection for Exchange Server\Data\Quarantine folder.
The antivirus engine files. By default, these are stored in the subfolders of %Program Files (x86)%\Microsoft Forefront Protection for Exchange Server\Data\Engines\x86 folder or the %Program Files (x86)%\Microsoft Forefront Protection for Exchange Server\Data\Engines\amd64 folder.
The configuration files. By default, these are stored in the %Program Files (x86)%\Microsoft Forefront Protection for Exchange Server\Data folder.
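Turning the lookups in this section into a repeatable check, as an added example that is not part of the original article: the script below gathers the Mailbox and Hub Transport role paths with the same cmdlets and wildcard property selections cited above, then reports which of them an exclusion list exported from your antivirus console does not cover (the list shown is a constructed sample). It assumes the Exchange Management Shell on Exchange 2010 (PowerShell 2.0) and the %ExchangeInstallPath% environment variable that Exchange setup defines; the function and parameter names are the example's own.

```powershell
# Added example, not from the TechNet article: build the directory-exclusion list for the
# Mailbox and Hub Transport roles from the EMS cmdlets the article cites, then report which
# required paths an exported AV exclusion list misses. Run in the EMS on the server itself.
function Get-ExchangeExclusionPaths {
    param([string]$Server = $env:COMPUTERNAME)
    $paths = New-Object 'System.Collections.Generic.List[string]'
    $root  = $env:ExchangeInstallPath
    # Static default folders named in the article.
    foreach ($rel in 'Mailbox\MDBTEMP', 'GroupMetrics', 'ExchangeOAB', 'Logging',
                     'TransportRoles\Logs', 'TransportRoles\Data\Queue',
                     'TransportRoles\Data\SenderReputation',
                     'TransportRoles\Data\IpFilter', 'Working\OleConvertor') {
        $paths.Add((Join-Path $root $rel))
    }
    $paths.Add((Join-Path $env:SystemRoot 'System32\Inetsrv'))
    # Databases may have been moved off the defaults, so read the live locations.
    foreach ($db in Get-MailboxDatabase -Server $Server) {
        $paths.Add((Split-Path ([string]$db.EdbFilePath) -Parent))  # .edb plus its content index
        $paths.Add([string]$db.LogFolderPath)                        # .log and .chk files
    }
    # Same wildcard property selections the article uses with format-list.
    (Get-MailboxServer $Server).PSObject.Properties |
        Where-Object { $_.Name -like '*path*' -and $_.Value } |
        ForEach-Object { $paths.Add([string]$_.Value) }
    $hub = Get-TransportServer $Server -ErrorAction SilentlyContinue   # absent on Mailbox-only servers
    if ($hub) {
        $hub.PSObject.Properties |
            Where-Object { ($_.Name -like '*logpath*' -or $_.Name -like '*tracingpath*' -or
                            $_.Name -like '*dir*path*') -and $_.Value } |
            ForEach-Object { $paths.Add([string]$_.Value) }
    }
    $paths | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique
}
function Test-ExclusionCoverage {
    # A required path is covered when it, or one of its parent folders, is excluded.
    param([string[]]$Required, [string[]]$Configured)
    $norm = $Configured | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }
    foreach ($req in $Required) {
        $r   = $req.TrimEnd('\').ToLowerInvariant()
        $hit = $norm | Where-Object { $r -eq $_ -or $r.StartsWith($_ + '\') }
        New-Object PSObject -Property @{ Path = $req; Covered = [bool]$hit }
    }
}
# Constructed sample of an exclusion list exported from an AV console; replace with your own.
$configured = @((Join-Path $env:ExchangeInstallPath 'Mailbox'),
                (Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs'))
Test-ExclusionCoverage -Required (Get-ExchangeExclusionPaths) -Configured $configured |
    Where-Object { -not $_.Covered } | Select-Object Path | Format-Table -AutoSize
```

Any path the report lists is one that a memory-resident scanner can still lock or quarantine; re-run after every database move, since Get-MailboxDatabase reflects the current locations rather than the install-time defaults.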
Process Exclusions
Many file-level scanners now support the scanning of processes, which can adversely affect Microsoft Exchange if the incorrect processes are scanned. Therefore, you should exclude the following processes from file-level scanners.
Cdb.exe
Microsoft.Exchange.Search.Exsearch.exe
Cidaemon.exe
Microsoft.Exchange.Servicehost.exe
Clussvc.exe
MSExchangeADTopologyService.exe
Dsamain.exe
MSExchangeFDS.exe
Microsoft.Exchange.EdgeCredentialSvc.exe
MSExchangeMailboxAssistants.exe
EdgeTransport.exe
MSExchangeMailboxReplication.exe
ExFBA.exe
MSExchangeMailSubmission.exe
GalGrammarGenerator.exe
MSExchangeRepl.exe
Inetinfo.exe
MSExchangeTransport.exe
Mad.exe
MSExchangeTransportLogSearch.exe
Microsoft.Exchange.AddressBook.Service.exe
MSExchangeThrottling.exe
Microsoft.Exchange.AntispamUpdateSvc.exe
Msftefd.exe
Microsoft.Exchange.ContentFilter.Wrapper.exe
Msftesql.exe
Microsoft.Exchange.EdgeSyncSvc.exe
OleConverter.exe
Microsoft.Exchange.Imap4.exe
Powershell.exe
Microsoft.Exchange.Imap4service.exe
SESWorker.exe
SpeechService.exe
Microsoft.Exchange.Monitoring.exe
Store.exe
Microsoft.Exchange.Pop3.exe
TranscodingService.exe
Microsoft.Exchange.Pop3service.exe
UmService.exe
Microsoft.Exchange.ProtectedServiceHost.exe
UmWorkerProcess.exe
Microsoft.Exchange.RPCClientAccess.Service.exe
W3wp.exe
If you're also deploying Forefront Protection for Exchange Server, exclude the following processes.
Adonavsvc.exe
FscStatsServ.exe
FscController.exe
FscTransportScanner.exe
FscDiag.exe
FscUtility.exe
FscExec.exe
FsEmailPickup.exe
FscImc.exe
FssaClient.exe
FscManualScanner.exe
GetEngineFiles.exe
FscMonitor.exe
PerfmonitorSetup.exe
FscRealtimeScanner.exe
ScanEngineTest.exe
FscStarter.exe
SemSetup.exe
File Name Extension Exclusions
In addition to excluding specific directories and processes, you should exclude the following Exchange-specific file name extensions in case directory exclusions fail or files are moved from their default locations.
Application-related extensions
.config
.dia
.wsb
Database-related extensions
.chk
.jrs
.log
.edb
.jsl
.que
Offline address book-related extensions
.lzx
Content Index-related extensions
.ci
.wid
.001
.dir
.000
.002
Unified Messaging-related extensions
.cfg
.grxml
Group Metrics-related extensions
.dsc
.bin
.xml
Forefront Protection for Exchange Server–related extensions
.avc
.dt
.lst
.cab
.fdb
.mdb
.cfg
.fdm
.ppl
.config
.ide
.set
.da1
.key
.v3d
.dat
.klb
.vdb
.def
.kli
.vdm
The file name extensions listed for Forefront Protection for Exchange Server belong to the signature files of the various antivirus engines that Forefront uses. In most cases, these file name extensions don't change. However, file name extensions may be added in the future as third-party antivirus vendors update their signature files.
© 2010 Microsoft Corporation. All rights reserved.