One of the common problems we see with antivirus is that it slows Exchange installs to a painful crawl. This becomes particularly apparent during the Languages step. I have personally witnessed this behavior during both Exchange 2010 and 2013 upgrades. The issue is the file-level antivirus, in particular real-time protection. If enabled, it can cause Exchange installs to take several hours.
The solution: disable real-time protection before installing or upgrading Exchange.
In fact, make sure you have all the exceptions in place as outlined by this Microsoft TechNet article. At a very minimum, I recommend excluding from all scans the entire Exchange install directory, transport files, IIS files, and the entire drive (or mount point) where each database and its associated log files reside. If you have a DAG, also exclude the witness directory and the cluster database files.
Note: With all the hooks that antivirus has into the OS, disabling real-time protection might not be enough. In some cases, temporarily uninstalling antivirus might be the answer.
But how do we know it's antivirus?
One of the common symptoms is high CPU utilization. Bringing up Task Manager, we can see that antivirus is very active during the Exchange install.
As soon as we disable real-time protection, CPU utilization drops and the Languages step completes in a few minutes.
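The same check can be scripted instead of watching Task Manager. The following is an added example, not part of the original post: it samples per-process CPU through performance counters while setup is running and reports how much of the machine the antivirus engine is consuming. It assumes PowerShell 3.0 or later, English counter names, and that the engine process is MsMpEng (the SCEP engine); the parameter names and the 25% threshold are illustrative.

```powershell
# Added example: measure how much CPU the antivirus engine uses during Exchange setup.
param(
    [string]$AvProcess        = 'MsMpEng', # assumption: SCEP engine process name
    [int]   $Samples          = 10,        # one sample per second
    [int]   $Top              = 5,
    [double]$ThresholdPercent = 25         # illustrative threshold, tune for your server
)

$cores = [Environment]::ProcessorCount

# Performance counters also work for processes whose handles cannot be opened directly.
# Errors from processes that exit mid-sample are expected and ignored.
$sets = @(Get-Counter -Counter '\Process(*)\% Processor Time' `
                      -SampleInterval 1 -MaxSamples $Samples `
                      -ErrorAction SilentlyContinue)

# '% Processor Time' is relative to one core, so normalise by core count.
# Summing per name combines multiple instances of the same executable.
$usage = $sets | ForEach-Object { $_.CounterSamples } |
    Where-Object { '_total', 'idle' -notcontains $_.InstanceName } |
    Group-Object InstanceName |
    ForEach-Object {
        $sum = ($_.Group | Measure-Object CookedValue -Sum).Sum
        [pscustomobject]@{
            Process       = $_.Name
            AvgCpuPercent = [math]::Round($sum / $sets.Count / $cores, 1)
        }
    } |
    Sort-Object AvgCpuPercent -Descending

# Top consumers over the sampling window
$usage | Select-Object -First $Top | Format-Table -AutoSize

# -eq is case-insensitive, so 'MsMpEng' matches the lowercase counter instance name
$av = $usage | Where-Object { $_.Process -eq $AvProcess }
if (-not $av) {
    Write-Output "$AvProcess was not found among the sampled processes."
}
elseif ($av.AvgCpuPercent -ge $ThresholdPercent) {
    Write-Output ("{0} averaged {1}% CPU over {2}s: real-time scanning is a likely bottleneck." -f `
        $AvProcess, $av.AvgCpuPercent, $sets.Count)
}
else {
    Write-Output ("{0} averaged {1}% CPU over {2}s: below the {3}% threshold." -f `
        $AvProcess, $av.AvgCpuPercent, $sets.Count, $ThresholdPercent)
}
```

Run it once while the Languages step is in progress and again after disabling real-time protection to compare the two readings.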
Below are the instructions on disabling real-time protection for Microsoft SCEP.
Disable real-time protection (System Center Endpoint Protection)
To disable real-time protection in System Center Endpoint Protection (SCEP), perform the following steps:
Double-click the Endpoint Protection icon in the taskbar.
Select the Settings tab. Select Real-time protection.
Uncheck Turn on Real-time Protection (recommended).
Click Save Changes.
How about you? Have you experienced upgrade slowdowns from real-time protection? Do you think we need file-level antivirus on Exchange servers at all? Drop a comment below.