
Virus scanning recommendations for Exchange 2010

Posted by on Wednesday, 7 April, 2010

Recommendations for Using File-Level Scanning with Exchange 2010

If you’re deploying file-level scanners on Exchange 2010 servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both memory-resident and file-level scanning. This section describes directory exclusions, process exclusions, and file name extension exclusions for each server or server role.

Directory Exclusions

You must exclude specific directories for each Exchange server or server role on which you run a file-level antivirus scanner. This section describes the directories that you should exclude from file-level scanning for each server or server role.

Mailbox server role

  • Exchange databases, checkpoint files, and log files. By default, these are located in sub-folders under the %ExchangeInstallPath%\Mailbox folder. You can obtain the directory location by running the following command in the Exchange Management Shell:
    • To determine the location of a mailbox database, its transaction logs, and its checkpoint file, run: Get-MailboxDatabase -Server <servername> | format-list *path*
  • Database content indexes. By default, these are located in the same folder as the database file.
  • Group Metrics files. By default, these files are located in the %ExchangeInstallPath%\GroupMetrics folder.
  • General log files, such as message tracking and calendar repair log files. By default, these files are located in subfolders under the %ExchangeInstallPath%\TransportRoles\Logs folder and %ExchangeInstallPath%\Logging folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-MailboxServer <servername> | format-list *path*
  • The Offline Address Book files. By default, these are located in subfolders under the %ExchangeInstallPath%\ExchangeOAB folder.
  • IIS system files in the %SystemRoot%\System32\Inetsrv folder
  • The temporary folder that is used with offline maintenance utilities, such as Eseutil.exe. By default, this folder is the location where the .exe file is run from. However, you can configure where you perform the operation when you run the utility.
  • The Mailbox database temporary folder: %ExchangeInstallPath%\Mailbox\MDBTEMP
  • Any Exchange-aware antivirus program folders

Mailbox server that is a member of a Database Availability Group

All the items listed in the Mailbox server role list, and the following:

  • The quorum disk and the %Winnt%\Cluster folder

Witness server

  • The witness directory files. These are located on another server in the environment, typically a Hub Transport server. By default, these files are located in %SystemDrive%\DAGFileShareWitnesses\<DAGFQDN> and in the default share, named <DAGFQDN>, on that server. For more information about database availability groups (DAGs) and witness servers, see Managing Database Availability Groups.

Hub Transport server role

  • General log files, for example, message tracking and connectivity logs. By default, these files are located in subfolders under the %ExchangeInstallPath%\TransportRoles\Logs folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | format-list *logpath*,*tracingpath*
  • Pickup and Replay message directory folders. By default, these folders are located under the %ExchangeInstallPath%\TransportRoles folder. To determine the paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | format-list *dir*path*
  • The transport server role queue database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\Queue folder. For more information, see Managing Transport Queues.
  • The transport server role Sender Reputation database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\SenderReputation folder.
  • The transport server role IP filter database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\IpFilter folder.
  • The temporary folders that are used to perform conversions:
    • By default, content conversions are performed in the Exchange server’s TMP folder.
    • By default, OLE conversions are performed in %ExchangeInstallPath%\Working\OleConvertor folder.
  • Any Exchange-aware antivirus program folders
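The Mailbox and Hub Transport lists above each tell you to discover the configured paths with Get-MailboxDatabase, Get-MailboxServer and Get-TransportServer rather than trusting the defaults. The script below is an added example, not part of the TechNet article or the blog post: it runs those same cmdlets in the Exchange Management Shell, adds the fixed folders the article names, and emits one de-duplicated directory-exclusion list for the server. The $ServerName parameter, the fallback install path, and the use of the shell's own TMP variable for the content-conversion folder are assumptions.

```powershell
# Added example (not part of the TechNet article): build the directory-exclusion list
# for the Mailbox and Hub Transport roles from the cmdlets the article cites, so the
# paths reflect this server's actual configuration rather than the defaults.
# Run inside the Exchange Management Shell. $ServerName and the fallback path are assumptions.
param(
    [string]$ServerName = $env:COMPUTERNAME
)

# Exchange setup defines ExchangeInstallPath; the literal below is only a fallback (assumption).
$installPath = $env:ExchangeInstallPath
if (-not $installPath) { $installPath = 'C:\Program Files\Microsoft\Exchange Server\V14\' }

$exclusions = @()

# Folders the article lists that do not vary per server.
$staticSubfolders = @(
    'Mailbox\MDBTEMP', 'GroupMetrics', 'ExchangeOAB', 'Logging',
    'TransportRoles\Logs', 'TransportRoles\Data\Queue',
    'TransportRoles\Data\SenderReputation', 'TransportRoles\Data\IpFilter',
    'Working\OleConvertor'
)
foreach ($sub in $staticSubfolders) { $exclusions += (Join-Path $installPath $sub) }
$exclusions += (Join-Path $env:SystemRoot 'System32\Inetsrv')
$exclusions += $env:TMP   # content-conversion folder; assumes the shell's TMP matches the service's

$server = Get-ExchangeServer -Identity $ServerName

if ($server.IsMailboxServer) {
    # Database, transaction log and checkpoint locations (Get-MailboxDatabase | fl *path*).
    # The content index sits beside the .edb, so the database folder covers it as well.
    foreach ($db in Get-MailboxDatabase -Server $ServerName) {
        $exclusions += (Split-Path -Parent ([string]$db.EdbFilePath))
        $exclusions += [string]$db.LogFolderPath
    }
    # Message tracking, calendar repair and other log paths (Get-MailboxServer | fl *path*).
    $mbx = Get-MailboxServer -Identity $ServerName
    foreach ($prop in $mbx.PSObject.Properties) {
        if ($prop.Name -like '*Path' -and $prop.Value) { $exclusions += [string]$prop.Value }
    }
}

if ($server.IsHubTransportServer) {
    # Log, tracing, Pickup and Replay directories
    # (Get-TransportServer | fl *logpath*,*tracingpath*,*dir*path*).
    $ht = Get-TransportServer -Identity $ServerName
    foreach ($prop in $ht.PSObject.Properties) {
        if ($prop.Value -and ($prop.Name -like '*LogPath' -or
                              $prop.Name -like '*TracingPath' -or
                              $prop.Name -like '*DirectoryPath')) {
            $exclusions += [string]$prop.Value
        }
    }
}

# Trim trailing backslashes, drop blanks and duplicates, and emit one path per line.
$exclusions | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique
```

Run it on each Mailbox or Hub Transport server after any database move or log-path change, and diff the output against the scanner's configured exclusions; a path that appears in the output but not in the scanner is the case the article warns about, where a file-level scan can lock or corrupt a live database or log file.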

Edge Transport server role

  • The Active Directory Lightweight Directory Services (AD LDS) database and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\Adam folder. For more information about AD LDS database files, see Modify AD LDS Configuration.
  • General log files, for example message tracking. By default, these files are located in subfolders under the %ExchangeInstallPath%\TransportRoles\Logs folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | format-list *logpath*,*tracingpath*
  • The Pickup and Replay message folders. By default, these are located under the %ExchangeInstallPath%\TransportRoles folder. To determine the paths being used, run the following command in the Exchange Management Shell: Get-TransportServer <servername> | format-list *dir*path*
  • The transport server role queue database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\Queue folder. For more information about transport server queues, see Managing Transport Queues.
  • The transport server role Sender Reputation database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\SenderReputation folder.
  • The transport server role IP filter database, checkpoint, and log files. By default, these are located in the %ExchangeInstallPath%\TransportRoles\Data\IpFilter folder.
  • The temporary folders that are used to perform conversions:
    • By default, content conversions are performed in the server’s TMP folder.
    • By default, OLE conversions are performed in %ExchangeInstallPath%\Working\OleConvertor folder.
  • Any Exchange-aware antivirus program folders

Client Access server role

  • For servers using Internet Information Services (IIS) 7.0, the compression folder that is used with Microsoft Outlook Web App. By default, the compression folder for IIS 7.0 is located at %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files.
  • For servers using IIS 6.0, the compression folder that is used with Microsoft Outlook Web App. By default, the compression folder for IIS 6.0 is located at %systemroot%\IIS Temporary Compressed Files.

Note: For more information about possible errors resulting from scanning the IIS compression folder, see Microsoft Knowledge Base article 817442, A 0-byte file may be returned when compression is enabled on a server that is running IIS.

  • IIS system files in the %SystemRoot%\System32\Inetsrv folder
  • Inetpub\logs\logfiles\w3svc
  • The Internet-related files that are stored in the sub-folders of the %ExchangeInstallPath%\ClientAccess folder
  • For servers that have protocol logging enabled for POP3 or IMAP4, the following folders:
    • POP3 folder: %ExchangeInstallPath%\Logging\POP3
    • IMAP4 folder: %ExchangeInstallPath%\Logging\IMAP4
  • The temporary folders that are used to perform conversions:
    • By default, content conversions are performed in the server’s TMP folder.
    • By default, OLE conversions are performed in %ExchangeInstallPath%\Working\OleConvertor folder.

Unified Messaging server role

  • The grammar files for different locales, for example en-EN or es-ES. By default, these are stored in the subfolders in the %ExchangeInstallPath%\UnifiedMessaging\grammars folder.
  • The voice prompts, greetings, and informational message files. By default, these are stored in the subfolders in the %ExchangeInstallPath%\UnifiedMessaging\Prompts folder.
  • The voicemail files that are temporarily stored in the %ExchangeInstallPath%\UnifiedMessaging\voicemail folder.
  • The temporary files generated by Unified Messaging. By default, these are stored in the %ExchangeInstallPath%\UnifiedMessaging\temp folder.

Microsoft Forefront Protection for Exchange

  • The Forefront installation folder. By default, this is %Program Files%\Microsoft Forefront Security\Exchange Server.
  • Any archived messages. By default, these are stored in the %Program Files%\Microsoft Forefront Security\Exchange Server\Data\Archive folder.
  • Any quarantined files. By default, these are stored in the %Program Files%\Microsoft Forefront Security\Exchange Server\Data\Quarantine folder.
  • The antivirus engine files. By default, these are stored in the subfolders of %Program Files%\Microsoft Forefront Security\Exchange Server\Data\Engines\x86 folder.
  • The configuration files. By default, these are stored in the %Program Files%\Microsoft Forefront Security\Exchange Server\Data folder.

Process Exclusions

Many file-level scanners now support the scanning of processes, which can adversely affect Microsoft Exchange if the incorrect processes are scanned. Therefore, you should exclude the following processes from file-level scanners.

  • Cdb.exe
  • Cidaemon.exe
  • Cluster.exe
  • Dsamain.exe
  • EdgeCredentialSvc.exe
  • EdgeTransport.exe
  • ExFBA.exe
  • GalGrammarGenerator.exe
  • Inetinfo.exe
  • Mad.exe
  • Microsoft.Exchange.AddressBook.Service.exe
  • Microsoft.Exchange.AntispamUpdateSvc.exe
  • Microsoft.Exchange.ContentFilter.Wrapper.exe
  • Microsoft.Exchange.EdgeSyncSvc.exe
  • Microsoft.Exchange.Imap4.exe
  • Microsoft.Exchange.Imap4service.exe
  • Microsoft.Exchange.Infoworker.Assistants.exe
  • Microsoft.Exchange.Monitoring.exe
  • Microsoft.Exchange.Pop3.exe
  • Microsoft.Exchange.Pop3service.exe
  • Microsoft.Exchange.ProtectedServiceHost.exe
  • Microsoft.Exchange.RPCClientAccess.Service.exe
  • Microsoft.Exchange.Search.Exsearch.exe
  • Microsoft.Exchange.Servicehost.exe
  • MSExchangeASTopologyService.exe
  • MSExchangeFDS.exe
  • MSExchangeMailboxAssistants.exe
  • MSExchangeMailboxReplication.exe
  • MSExchangeMailSubmission.exe
  • MSExchangeRepl.exe
  • MSExchangeTransport.exe
  • MSExchangeTransportLogSearch.exe
  • MSExchangeThrottling.exe
  • Msftefd.exe
  • Msftesql.exe
  • OleConverter.exe
  • Powershell.exe
  • SESWorker.exe
  • SpeechService.exe
  • Store.exe
  • TranscodingService.exe
  • UmService.exe
  • UmWorkerProcess.exe
  • W3wp.exe

If you’re also deploying Forefront Protection for Exchange Server, exclude the following processes.

  • Adonavsvc.exe
  • FscController.exe
  • FscDiag.exe
  • FscExec.exe
  • FscImc.exe
  • FscManualScanner.exe
  • FscMonitor.exe
  • FscRealtimeScanner.exe
  • FscStarter.exe
  • FscStatsServ.exe
  • FscTransportScanner.exe
  • FscUtility.exe
  • FsEmailPickup.exe
  • FssaClient.exe
  • GetEngineFiles.exe
  • PerfmonitorSetup.exe
  • ScanEngineTest.exe
  • SemSetup.exe
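Most file-level scanners accept a process exclusion only as a full image path, and several names in the Exchange list above (W3wp.exe, Inetinfo.exe, Cluster.exe, Dsamain.exe, Powershell.exe) live under the Windows folder rather than the Exchange Bin folder. The script below is an added example, not part of the article: it resolves each listed name to the path it has on this server and reports whether that process is currently running. The search locations and the fallback install path are assumptions; a name that resolves nowhere usually just means that role is not installed on the server.

```powershell
# Added example (not part of the TechNet article): resolve the article's Exchange
# process-exclusion names to full image paths on this server and flag which are running.
# The search roots and fallback install path are assumptions.
$processNames = @(
    'Cdb.exe', 'Cidaemon.exe', 'Cluster.exe', 'Dsamain.exe', 'EdgeCredentialSvc.exe',
    'EdgeTransport.exe', 'ExFBA.exe', 'GalGrammarGenerator.exe', 'Inetinfo.exe', 'Mad.exe',
    'Microsoft.Exchange.AddressBook.Service.exe', 'Microsoft.Exchange.AntispamUpdateSvc.exe',
    'Microsoft.Exchange.ContentFilter.Wrapper.exe', 'Microsoft.Exchange.EdgeSyncSvc.exe',
    'Microsoft.Exchange.Imap4.exe', 'Microsoft.Exchange.Imap4service.exe',
    'Microsoft.Exchange.Infoworker.Assistants.exe', 'Microsoft.Exchange.Monitoring.exe',
    'Microsoft.Exchange.Pop3.exe', 'Microsoft.Exchange.Pop3service.exe',
    'Microsoft.Exchange.ProtectedServiceHost.exe', 'Microsoft.Exchange.RPCClientAccess.Service.exe',
    'Microsoft.Exchange.Search.Exsearch.exe', 'Microsoft.Exchange.Servicehost.exe',
    'MSExchangeASTopologyService.exe', 'MSExchangeFDS.exe', 'MSExchangeMailboxAssistants.exe',
    'MSExchangeMailboxReplication.exe', 'MSExchangeMailSubmission.exe', 'MSExchangeRepl.exe',
    'MSExchangeTransport.exe', 'MSExchangeTransportLogSearch.exe', 'MSExchangeThrottling.exe',
    'Msftefd.exe', 'Msftesql.exe', 'OleConverter.exe', 'Powershell.exe', 'SESWorker.exe',
    'SpeechService.exe', 'Store.exe', 'TranscodingService.exe', 'UmService.exe',
    'UmWorkerProcess.exe', 'W3wp.exe'
)

$installPath = $env:ExchangeInstallPath
if (-not $installPath) { $installPath = 'C:\Program Files\Microsoft\Exchange Server\V14\' }

# Assumed locations: the Exchange Bin folder plus the Windows folders that hold the
# IIS, clustering, AD LDS and PowerShell executables that appear in the list.
$searchRoots = @(
    (Join-Path $installPath 'Bin'),
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'System32\inetsrv'),
    (Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0'),
    (Join-Path $env:SystemRoot 'Cluster')
)

# Names of everything currently running, lower-cased and without the .exe suffix.
$running = @(Get-Process | ForEach-Object { $_.Name.ToLowerInvariant() })

$results = @()
foreach ($name in $processNames) {
    $fullPath = $null
    foreach ($root in $searchRoots) {
        $candidate = Join-Path $root $name
        if (Test-Path -LiteralPath $candidate) { $fullPath = $candidate; break }
    }
    $baseName = [System.IO.Path]::GetFileNameWithoutExtension($name).ToLowerInvariant()
    $results += New-Object PSObject -Property @{
        Name    = $name
        Path    = $fullPath                     # $null when that role's binaries are not installed here
        Running = ($running -contains $baseName)
    }
}

# Full paths to paste into the scanner's process-exclusion list.
$results | Where-Object { $_.Path } | Select-Object -ExpandProperty Path

# Names that did not resolve, for review (expected for roles not installed on this server).
$results | Where-Object { -not $_.Path } | ForEach-Object { Write-Warning ('Not found: ' + $_.Name) }

# The whole table, including the running flag.
$results | Format-Table Name, Running, Path -AutoSize
```

A listed process that is running but resolves to a path outside the roots above deserves a look: it either means the scanner exclusion should point somewhere else, or that a binary with an Exchange name is running from an unexpected location.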

File Name Extension Exclusions

In addition to excluding specific directories and processes, you should exclude the following Exchange-specific file name extensions in case directory exclusions fail or files are moved from their default locations.

Application-related extensions

  • .config
  • .dia
  • .wsb

Database-related extensions

  • .chk
  • .log
  • .edb
  • .jrs
  • .que

Offline address book-related extensions

  • .lzx

Content Index-related extensions

  • .ci
  • .dir
  • .wid
  • .000
  • .001
  • .002


Unified Messaging-related extensions

  • .cfg
  • .grxml

Group Metrics-related extensions

  • .dsc
  • .bin
  • .xml

Forefront Protection for Exchange Server–related extensions

  • .avc
  • .cab
  • .cfg
  • .config
  • .da1
  • .dat
  • .def
  • .dt
  • .fdb
  • .fdm
  • .ide
  • .key
  • .klb
  • .kli
  • .lst
  • .mdb
  • .ppl
  • .set
  • .v3d
  • .vdb
  • .vdm


The file name extensions listed for Forefront Protection for Exchange Server are the signature files from various antivirus directory engines. In most cases, these file name extensions don’t change, but file name extensions may be added in the future as third-party antivirus vendors update their antivirus signature files.
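The extension exclusions exist to catch files that end up outside the excluded directories. The script below is an added example, not part of the article: it walks the Exchange and Forefront install folders, finds every file carrying one of the extensions listed above, and reports each directory holding such files that is not covered by the directory exclusions already configured on the scanner. The $ExcludedDirectories and $Roots parameters, the prefix-matching helper, and the default install paths are assumptions.

```powershell
# Added example (not part of the TechNet article): audit where files with the listed
# Exchange and Forefront extensions actually live, and report directories holding them
# that are not covered by the directory exclusions you already configured. Pass the
# scanner's current list in $ExcludedDirectories (assumed parameter).
param(
    [string[]]$ExcludedDirectories = @(),
    [string[]]$Roots = @(
        $env:ExchangeInstallPath,
        (Join-Path $env:ProgramFiles 'Microsoft Forefront Security\Exchange Server')
    )
)

$extensions = @(
    '.config', '.dia', '.wsb',                                # application
    '.chk', '.log', '.edb', '.jrs', '.que',                   # database
    '.lzx',                                                   # offline address book
    '.ci', '.dir', '.wid', '.000', '.001', '.002',            # content index
    '.cfg', '.grxml',                                         # Unified Messaging
    '.dsc', '.bin', '.xml',                                   # Group Metrics
    '.avc', '.cab', '.da1', '.dat', '.def', '.dt', '.fdb',    # Forefront signature files
    '.fdm', '.ide', '.key', '.klb', '.kli', '.lst', '.mdb',
    '.ppl', '.set', '.v3d', '.vdb', '.vdm'
)

# Lower-case with exactly one trailing backslash, so prefix matching is exact
# (C:\Logs\ must not match C:\Logs2\).
function Normalize-Dir([string]$dir) { return $dir.TrimEnd('\').ToLowerInvariant() + '\' }
$excluded = @(@($ExcludedDirectories) | Where-Object { $_ } | ForEach-Object { Normalize-Dir $_ })

function Test-Excluded([string]$dir) {
    $d = Normalize-Dir $dir
    foreach ($e in $excluded) { if ($d.StartsWith($e)) { return $true } }
    return $false
}

$uncovered = @{}   # directory -> count of matching files found in it
foreach ($root in @($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($extensions -contains $_.Extension.ToLowerInvariant()) } |
        ForEach-Object {
            $dir = $_.DirectoryName
            if (-not (Test-Excluded $dir)) {
                if (-not $uncovered.ContainsKey($dir)) { $uncovered[$dir] = 0 }
                $uncovered[$dir]++
            }
        }
}

# Directories that hold Exchange or Forefront files but are not excluded. An empty
# result means the directory exclusions already cover everything the extension list would catch.
$uncovered.GetEnumerator() | Sort-Object Name | ForEach-Object {
    New-Object PSObject -Property @{ Directory = $_.Key; Files = $_.Value }
} | Format-Table Directory, Files -AutoSize
```

Expect some noise from broad extensions such as .log, .xml and .config, which also appear in the Bin and ClientAccess trees; the point of the report is to show which directories the extension exclusions are actually protecting, so those can be added as directory exclusions if the scanner supports them.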

Source: TechNet Exchange 2010 Help, http://technet.microsoft.com/en-us/library/bb332342.aspx