Exchange: Identifying File Level Antivirus Exclusions For Exchange Server Installations
Protecting Exchange against malicious viruses is critical to ensure the health and availability of your messaging environment. However, it is also critical that some folders\files must be excluded from file level scanning. Scanning these critical folders\files can cause serious damage such as corruption, database not being able to mount, restore problems among other issues. According to Microsoft's recommendation, it is critical that you exclude the following directories.
1. Exclude all directories that include your Exchange database files (EDB STM) For example in a default installation, the Exchange database is placed in your \Exchsrvr\Mdbdata folder. Exclude this entire directory.
2. Exclude your Exchsrvr\Mtadata folder
3. Exclude all logs such as message tracking, SMTP. Exclude the directory Exchsrvr\server_name.log
4. Exclude your Exchange queue directory. Exchsrvr\Mailroot
5. Exclude your directory where your IFS creates the streaming .tmp files. The IFS creates these .tmp files when a large object is streamed into the store and the .stm file is too fragmented to have the entire object written in it. For example, a large object can be a message or a file. During normal operation, when the Microsoft Exchange services are stopped, these files are removed from the Temp folder. By defualt, this folder is in the Exchsrvr\Mdbdata directory. However, they can also be in your %SYSTEMROOT%\TEMP directory.
6. Exclude your Exchsrvr\Bin directory
7. Exclude your IIS system files directory %SYSTEMROOT%\System32\Inetsrv
8. Exclude your Gather logs if running search indexing services. These log files contain log information or catalog for the indexing service.
You may elect to just exclude the entire Exchsrvr directory, however the above configuration will give you the best protection.
If you have ever scanned your Exchange directory where your database or logs were stored, your database may be corrupted. The level of corruption cannot be directly quantified. For example the longer your AV was scanning these directories may lead to more corruption but may not be necessarily true. It may also depend on the AV application as well. However, symptoms of corruption may not be immediately visible and may arise further down the road. Therefore, it is best practice to create a fresh database and move your users to the new database.
Lb*.tmp Files Are Created in the TEMP Folder and Are Not Deleted
Exchange lb*.tmp files in the Windows Temp folder cause ESE -2237 error
MCSE M+, S+, MCTS, Security+
How useful was this article? Want to see a tip not listed? Please leave a comment.