UPDATED 7/12/23: Exclusions updated per Microsoft announcement.
In prior releases of Windows Server, Microsoft shipped basic malware protection through its Windows Defender software. For full protection, either System Center Endpoint Protection, or, a third-party antivirus solution was required. With Windows Server 2016, Windows Defender matured into a fully-fledged antivirus solution. It has now been re-branded as Windows Defender Antivirus.
Regardless of whether you choose Windows Defender Antivirus, or, a third-party antivirus solution, you need to be sure these products are not scanning critical Exchange components. Microsoft publishes an extensive list of files, folders, and process exclusions to include in your antivirus configuration.
There are eighty-four exclusions in total.
Adding these exclusions is critical to the health and performance of Exchange. Without these exclusions, antivirus software could lock or quarantine files and processes critical to the operation of Exchange.
In this article, we explore how to add the required 84 exclusions to Windows Defender Antivirus. We also have a basic script to automate adding these exclusions for you.
Let’s get started!
Adding Exchange exclusions with PowerShell
Adding 84 exceptions manually through the graphical user interface would be time-consuming, tedious, and prone to human error. This only magnifies the number of Exchange servers we need to deploy. Windows Defender can be managed through multiple methods (such as System Center or Group Policy). However, for this article, we will explore adding the required exclusions using PowerShell.
To add an exclusion via PowerShell, we can use the Add-MpPreference cmdlet. For a folder exclusion, we combine this with the -ExclusionPath parameter. For example, a folder exclusion may look like this.
C:\> Add-MpPreference -ExclusionPath %SystemRoot%\Cluster
A folder exclusion not only excludes the folder and its files but also all sub-folders.
We can also substitute logical paths with environment variables. In the example above, %SystemRoot% is an environment variable that maps to your Windows folder (for example C:\Windows).
The Exchange setup program creates an environment variable for your Exchange install path called %ExchangeInstallPath%. For example, if you installed Exchange in the default location, this variable would equal C:\Program Files\Microsoft\Exchange Server\V15. We can use this environment variable once to eliminate 18 of the necessary folder exclusions required by Exchange.
We can also specify multiple folder paths by separating them with commas. For example, to quickly add all the required folder exclusions, we can run this one line of code.
C:\> Add-MpPreference -ExclusionPath %SystemRoot%\Cluster, %SystemDrive%\DAGFileShareWitnesses, %ExchangeInstallPath%, %SystemDrive%\inetpub\temp, "%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files", %SystemRoot%\Microsoft.NET\Framework64
Note: Should a path contain spaces, you will need to enclose that path in quotation marks.
Exchange guidance also requires us to exclude various processes. To exclude processes, we use the -ExclusionProcess parameter. For example, to exclude all required Exchange processes, run the following command. We can separate each process with a comma.
C:\> Add-MpPreference -ExclusionProcess ComplianceAuditService.exe, Dsamain.exe, EdgeTransport.exe, fms.exe, hostcontrollerservice.exe, inetinfo.exe, Microsoft.Exchange.AntispamUpdateSvc.exe, Microsoft.Exchange.ContentFilter.Wrapper.exe, Microsoft.Exchange.Diagnostics.Service.exe, Microsoft.Exchange.Directory.TopologyService.exe, Microsoft.Exchange.EdgeCredentialSvc.exe, Microsoft.Exchange.EdgeSyncSvc.exe, Microsoft.Exchange.Imap4.exe, Microsoft.Exchange.Imap4service.exe, Microsoft.Exchange.Notifications.Broker.exe, Microsoft.Exchange.Pop3.exe, Microsoft.Exchange.Pop3service.exe, Microsoft.Exchange.ProtectedServiceHost.exe, Microsoft.Exchange.RPCClientAccess.Service.exe, Microsoft.Exchange.Search.Service.exe, Microsoft.Exchange.Servicehost.exe, Microsoft.Exchange.Store.Service.exe, Microsoft.Exchange.Store.Worker.exe, Microsoft.Exchange.UM.CallRouter.exe, MSExchangeCompliance.exe, MSExchangeDagMgmt.exe, MSExchangeDelivery.exe, MSExchangeFrontendTransport.exe, MSExchangeHMHost.exe, MSExchangeHMWorker.exe, MSExchangeMailboxAssistants.exe, MSExchangeMailboxReplication.exe, MSExchangeRepl.exe, MSExchangeSubmission.exe, MSExchangeTransport.exe, MSExchangeTransportLogSearch.exe, MSExchangeThrottling.exe, Noderunner.exe, OleConverter.exe, ParserServer.exe, ScanEngineTest.exe, ScanningProcess.exe, UmService.exe, UmWorkerProcess.exe, UpdateService.exe, wsbexchange.exe
Finally, the Exchange documentation also instructs us to exclude certain file types. We can do this with the -ExclusionExtension parameter. For example, to exclude all required file types, run the following command. You will notice the extension list covers the database and logs files.
C:\> Add-MpPreference -ExclusionExtension .config, .chk, .edb, .jfm, .jrs, .log, .que, .dsc, .txt, .cfg, .grxml, .lzx
Scripting it instead
In the prior section, we saved a lot of time by combining our 84 exclusions into 3 lines of PowerShell code. But we can take this even further. We could combine those three lines into a very basic PowerShell script. Rather than repeat what we have above, you can download and check out that example script using the link below.
This is a script in its most rudimentary form. It has no error checking or intelligence behind it. But it can certainly act as a good starting point. I would be curious how you leverage it. Drop me a comment on how you improve it.
Checking our work
You can validate that these exceptions are in place by running Get-MpPreference. For example, to check our folder exclusions, we can run the following command.
C:\> Get-MpPreference | Select -Expand ExclusionPath %ExchangeInstallPath% %SystemDrive%\DAGFileShareWitnesses %SystemDrive%\inetpub\temp %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files %SystemRoot%\Cluster %SystemRoot%\Microsoft.NET\Framework64
Similarly, you can do this for the extension and process exclusions as well. Just switch out the property after the -Expand parameter. For example, to check all file extensions, we specify the property ExclusionExtension. For processes, substitute this with ExclusionProcess.
C:\> Get-MpPreference | Select -Expand ExclusionExtension .cfg .chk .config .dsc .edb .grxml .jfm .jrs .log .lzx .que .txt
Alternatively, you can also check this from the Windows Defender client itself. From Windows Defender, select Settings in the top right. From the Settings screen, scroll to the Exclusions section and click Add an exclusion.
From the Add an exclusion screen, you can verify all exclusions we added via PowerShell.
Further Reading
Here are some articles I thought you might like:
- Install Exchange 2016 in your lab (7-part series)
- Renew a Certificate in Exchange 2016
- Extend, Prepare, and Verify Active Directory for Exchange 2016
- Configure Kemp Load Balancer for Exchange 2016
Drop me a comment if you improve the Windows Defender script. Also, be sure to join the conversation on Twitter @SuperTekBoy.
Special Thanks: MVP Mike Crowley
folder paths for exchange server has 25 on MS technet, yours only 5.
In mine, I specify the entire %ExchangeInstallPath% and all subfolders. The TechNet article gets more specific within the install path. I recommend using whichever fits your organization the best.
Would these exclusions be applicable for a sharepoint server?
Great article and awesome script, thank you!
Are there any exclusions for an Edge server role for Windows Defender?
Hey BW,
It would be a smaller subset of the same exclusions in this article. I’ll have to figure out which and update this article. In the meantime you can use the same exclusions and script for Edge. It would just be more exclusions than you need.