In prior releases of Windows Server, Microsoft shipped basic malware protection through its Windows Defender software. For full protection either System Center Endpoint Protection, or, a third-party antivirus solution was required. With Windows Server 2016, Windows Defender matured into a fully fledged antivirus solution. It has now been re-branded as Windows Defender Antivirus.
Regardless of whether you choose Windows Defender Antivirus, or, a third-party antivirus solution you need to be sure these products are not scanning critical Exchange components. Microsoft publishes an extensive list of file, folder and, process exclusions to include in your antivirus configuration.
There are eighty-four exclusions in total.
Adding these exclusions are critical to the health and performance of Exchange. Without these exclusions, antivirus software could lock or quarantine files and processes critical to the operation of Exchange.
In this article, we explore how to add the required 84 exclusions to Windows Defender Antivirus. We also have a basic script to automate adding these exclusions for you.
Let’s get started!
Adding Exchange exclusions with PowerShell
Adding 84 exceptions manually through the graphical user interface would be time-consuming, tedious and, prone to human error. This only magnifies with the number of Exchange servers we need to deploy. Windows Defender can be managed through multiple methods (such as System Center or Group Policy). However, for this article, we will explore adding the required exclusions using PowerShell.
To add an exclusion via PowerShell we can use the Add-MpPreference cmdlet. For a folder exclusion, we combine this with the -ExclusionPath parameter. For example, a folder exclusion may look like this.
C:\> Add-MpPreference -ExclusionPath %SystemRoot%\Cluster
A folder exclusion not only excludes the folder and its files but also all sub-folders.
We can also substitute logical paths with environment variables. In the example above, %SystemRoot% is an environment variable that maps to your Windows folder (for example C:\Windows).
The Exchange setup program creates an environment variable for your Exchange install path called %ExchangeInstallPath%. For example, if you installed Exchange in the default location this variable would equal C:\Program Files\Microsoft\Exchange Server\V15. We can use this environment variable once to eliminate 18 of the necessary folder exclusions required by Exchange.
We can also specify multiple folder paths by separating them with commas. For example, to quickly add all the required folder exclusions we can run this one line of code.
C:\> Add-MpPreference -ExclusionPath %SystemRoot%\Cluster, %SystemDrive%\DAGFileShareWitnesses, %ExchangeInstallPath%, "%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files", %SystemRoot%\Microsoft.NET\Framework64, %SystemRoot%\System32\Inetsrv
The Exchange guidance also requires us to exclude various processes. To exclude processes we use the -ExclusionProcess parameter. For example, to exclude all required Exchange processes run the following command. We can separate each process with a comma.
C:\> Add-MpPreference -ExclusionProcess ComplianceAuditService.exe, Dsamain.exe, EdgeTransport.exe, fms.exe, hostcontrollerservice.exe, inetinfo.exe, Microsoft.Exchange.AntispamUpdateSvc.exe, Microsoft.Exchange.ContentFilter.Wrapper.exe, Microsoft.Exchange.Diagnostics.Service.exe, Microsoft.Exchange.Directory.TopologyService.exe, Microsoft.Exchange.EdgeCredentialSvc.exe, Microsoft.Exchange.EdgeSyncSvc.exe, Microsoft.Exchange.Imap4.exe, Microsoft.Exchange.Imap4service.exe, Microsoft.Exchange.Notifications.Broker.exe, Microsoft.Exchange.Pop3.exe, Microsoft.Exchange.Pop3service.exe, Microsoft.Exchange.ProtectedServiceHost.exe, Microsoft.Exchange.RPCClientAccess.Service.exe, Microsoft.Exchange.Search.Service.exe, Microsoft.Exchange.Servicehost.exe, Microsoft.Exchange.Store.Service.exe, Microsoft.Exchange.Store.Worker.exe, Microsoft.Exchange.UM.CallRouter.exe, MSExchangeCompliance.exe, MSExchangeDagMgmt.exe, MSExchangeDelivery.exe, MSExchangeFrontendTransport.exe, MSExchangeHMHost.exe, MSExchangeHMWorker.exe, MSExchangeMailboxAssistants.exe, MSExchangeMailboxReplication.exe, MSExchangeRepl.exe, MSExchangeSubmission.exe, MSExchangeTransport.exe, MSExchangeTransportLogSearch.exe, MSExchangeThrottling.exe, Noderunner.exe, OleConverter.exe, ParserServer.exe, Powershell.exe, ScanEngineTest.exe, ScanningProcess.exe, UmService.exe, UmWorkerProcess.exe, UpdateService.exe, W3wp.exe, wsbexchange.exe
Finally, the Exchange documentation also instructs us to exclude certain file types. We can do this with the -ExclusionExtension parameter. For example, to exclude all required file types run the following command. You will notice the extension list covers the database and logs files.
C:\> Add-MpPreference -ExclusionExtension .config, .chk, .edb, .jfm, .jrs, .log, .que, .dsc, .txt, .cfg, .grxml, .lzx
Scripting it instead
In the prior section, we saved a lot of time by combining our 84 exclusions into 3 lines of PowerShell code. But we can take this even further. We could combine those three lines into a very basic PowerShell script. Rather than repeat what we have above you can download and check out that example script here.
This is a script in its most rudimentary form. It has no error checking or intelligence behind it. But it can certainly act as a good starting point. I would be curious how you leverage it. Drop me a comment on how you improve it.
Checking our work
You can validate that these exceptions are in place by running Get-MpPreference. For example, to check our folder exclusions we can run the following command.
C:\> Get-MpPreference | Select -Expand ExclusionPath %ExchangeInstallPath% %SystemDrive%\DAGFileShareWitnesses %SystemDrive%\inetpub\temp %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files %SystemRoot%\Cluster %SystemRoot%\Microsoft.NET\Framework64 %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files %SystemRoot%\System32\Inetsrv
Similarly, you can do this for the extension and process exclusions as well. Just switch out the property after the -Expand parameter. For example, to check all file extensions we specify the property ExclusionExtension. For processes substitute this with ExclusionProcess.
C:\> Get-MpPreference | Select -Expand ExclusionExtension .cfg .chk .config .dsc .edb .grxml .jfm .jrs .log .lzx .que .txt
Alternatively, you can also check this from the Windows Defender client itself. From Windows Defender select Settings in the top right. From the Settings screen scroll to the Exclusions section and click Add an exclusion.
From the Add an exclusion screen you can verify all exclusions we added via PowerShell.
Here are some articles I thought you might like:
- Install Exchange 2016 in your lab (7-part series)
- Renew a Certificate in Exchange 2016
- Extend, Prepare and Verify Active Directory for Exchange 2016
- Configure Kemp Load Balancer for Exchange 2016
Drop me a comment if you improve the Windows Defender script. Also, be sure to join the conversation on Twitter @SuperTekBoy.