Configuring file-level antivirus software in Exchange Server 2007

By definition antivirus software examines files when the operating system performs operations on them, such as opening, creating or closing a file. To provide a secure environment an Exchange Administrator must be concerned with environment security. In terms of antivirus software, we have two types of antivirus for Exchange Server:

Exchange Server level Antivirus software

This software runs in the Exchange Server box. Exchange Server 2007 supports the Virus Scanning API (VSAPI) and also supports virus scanning at transport level.

Transport level antivirus is installed on the Exchange Server roles (Hub Transport and Edge Transport) and it creates transport agents to treat incoming message traffic before those messages reach the mailbox server. We can see an example of transport agent antivirus software through the Get-TransportAgent cmdlet, as shown in Figure 01.

Figure 01: An antivirus software using Transport Agents to protect the Exchange Server environment at Transport layer

File-level scanner antivirus software

It is not specific to Exchange Server but protecting the servers against viruses located on the file system of the operating system. File-level antivirus does not protect against e-mail viruses, they will not clean your mailbox if you get a virus through a received message. A best practice is to use the File-level antivirus software on all servers and the client operating system, and also creating a procedure to keep all the antivirus software signatures up-to-date across the organization.

Before starting to play with the file-level antivirus software keep in mind that Exchange Server 2007 has a new architecture. This new architecture enforces the use of x64 bit servers. Verify with your antivirus software vendor if there is a specific version for x64 bit to take advantage of the operation system architecture.

Some file-level antivirus software vendors have only 32 bit versions. We can install 32 bit on an x64 machine, but antivirus software running x64 bit will take advantage of the x64 architecture to provide better performance.

In the file-level scanner antivirus there are two options: Memory-resident and On-demand; the first allows the antivirusto be resident in the memory and it checks all files no matter where it is, memory or file-level, and the second option allows the scanning process to be run during a specific period.

The best approach is to use both: antivirus software for Exchange Server and File-level antivirus software on the operating system. It is also highly recommended to use file-level antivirus on client workstations.

Configuring File-level antivirus software

Okay, let’s configure our Exchange Servers to utilize File-level antivirus. Before we start please note that each Exchange Server role (Mailbox, CAS, Hub Transport, Edge Transport and Unified Messaging) has different requirements defined by the file-level antivirus software.

To properly configure file-level antivirus software for each specific role we need to configure the following:

  • Directory exclusions

  • Process exclusions

  • File extension exclusions

You must verify which options are available with your antivirus software vendor.

Configuring the directory exclusion list

We are going to see how to configure the file-level antivirus software directory exclusion list per Exchange Server Role:

Client Access Server (CAS)

We must make sure that the following directories will be excluded by the antivirus software:

  • The Internet Information Services (IIS) 6.0 compression folder
    Default Value: %systemroot%\IIS Temporary Compressed Files

  • IIS system files
    Default value: %SystemRoot%\System32\Inetsrv folder

  • Internet related files used by CAS
    Default value: %Program Files%\Microsoft\Exchange Server\ClientAccess

  • Server’s Temporary folder that performs content conversion
    Default Value: C:\Windows\Temp
    To gather this information: Right click My Computer Icon, Properties, click the Advanced tab, and then in the Environment Variables button, as shown in Figure 02.

Figure 02: The Server’s TEMP folder

Mailbox Server

In the Mailbox Servers we must make sure that the database, log files and checkpoint files are excluded from the file-level antivirus. The following cmdlets will show the directory folders of these components:

  • Mailbox database directory (Figure 03)
    Get-MailboxDatabase –server <ServerName> | fl *path*

  • Public Folder database directory (Figure 04)
    Get-PublicFolderDatabase –server <ServerName> | fl *path*

  • Message Tracking and Log Path for Managed Folders directories (Figure 05)
    Get-MailboxServer <ServerName> | select *path*

  • Storage Group directory (Figure 06)
    Get-StrorageGroup –Server <ServerName> | fl *path*

Figure 03: The directories used by the Mailbox Databases and LCR files (if applicable)

Figure 04: The directory used by the Public Folder databases

Figure 05: Mailbox Server settings that must be in the antivirus directory exclusion list

Figure 06: Getting the directories used by the Storage Groups

  • Offline Address Book files
    %Program Files%\Microsoft\Exchange Server\ExchangeOAB folder

  • Mailbox database temporary folder
    %Program Files%\Microsoft\Exchange Server\Mailbox\MDBTEMP

  • The Internet Information Services (IIS) 6.0 compression folder
    Default Value: %systemroot%\IIS Temporary Compressed Files

  • IIS system files
    Default value: %SystemRoot%\System32\Inetsrv folder

  • Database Content indexes. We can get the Index Directory using the following script: getSearchIndexForDatabase.ps1 –all, as shown in Figure 07.

Figure 07:
Using GetSearchIndexForDatabase.ps1 script to validate the Index Directory

  • Server’s TEMP folder which by default is used to perform content conversion (as shown in Figure 02)

  • Directory used for OLE conversions
    %Program Files%\Microsoft\Exchange Server\Working\OleConvertor folder

  • If you use any Exchange maintenance utility (eseutil, isinteg, and etc) make sure that the temporary folder is in the file-level antivirus software exclusion list.

Edge Transport Server and Hub Transport

In the Hub Transport Server we must exclude all the directories used by Message Tracking, message folders, etc. Use the cmdlet Get-TransportServer <ServerName> | select *path* to validate the directories, as shown in Figure 08.

Figure 08: Getting the directory information used by Transport components

We also have to exclude the Queue and IP Filter related folder directories which are listed in the EdgeTransport.exe.config file, as shown in Figure 09.

Figure 09: The IP Filter Database and Queue Database settings

  • Server’s TEMP folder (as shown in Figure 02)

  • OLE conversions folders %Program Files%\Microsoft\Exchange Server\Working\OleConvertor folder.

  • Sender Reputation database files that can be found under the following directory %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation

  • ADAM database and log files (specific for Edge Transport): The default path is %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Adam but we can change or visualize through ConfigureAdam.ps1

Unified Messaging

The Unified Messaging role requires a few directories to be excluded from the file-level antivirus software:

  • Grammar Files
    %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\grammars

  • Voice Prompts
    %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\Prompts

  • Voicemail
    %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\voicemail

  • Bad Voicemail
    %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\badvoicemail

A general directory exclusion for all Exchange Server roles

Usually there is Exchange Server antivirus software installed on the Exchange Servers boxes, and we must exclude the Quarantine directory and any other application that the antivirus software vendor specifies in the product’s Installation Manual.

Extra steps when using Mailbox Server clusters

Exchange Server 2007 allows two types of cluster solutions: CCR (Cluster Continuous Replication) which uses a file share witness as quorum and SCC (Single Copy Cluster) that uses a physical disk as quorum. In both cases the Quorum content must be excluded from the file-level antivirus software. To figure out which kind of cluster you are using just open the Cluster Administrator and look into the Cluster Group. You can have Majority Node Set entry which means that you are using CCR (Figure 10) or Physical Disk, that means we are using a SCC cluster.

Figure 10: The Majority Node Set entry that is used by CCR cluster implementations

The directory %Winnt%\Cluster must be present in the directory exclusion list on the file-level antivirus software in both scenarios (CCR or SCC). Now, that we already know which cluster type we have we can continue to configure the antivirus software.

Cluster Continuous Replication

In a CCR environment our Quorum is located in a remote share; we can use the cluster utility to figure out where the file share witness is and then configure, in the listed machine, the exception on that directory.

The command line to be used is shown in the Figure 11, and the syntax is:

Cluster <ClusterName> res “Majority Node Set” /priv, where ClusterName it is not the Exchange Cluster Name but the Name that you set up during the Cluster deployment.

Figure 11: The file share witness used by CCR

Now, we know the server and shared folder. We must log into that server and configure the directory exclusion list for that specific folder. In our figure this is the server called tofrontex1 and the physical path of the shared folder MNS_FSW_ClientCluster.

Single Copy Cluster

Using SCC we have to see which disk is being used by Quorum through the Cluster Administrator and configure that disk in the exclusion list. We have to do these steps in all the Cluster nodes.

Configuring file extension exclusion list

Some antivirus software vendors allow us to exclude file extensions from real time antivirus, the following extensions must be defined for Exchange Server 2007:

Mailbox Servers use the following extensions:

  • .chk

  • .log

  • .edb

  • .jrs

  • .que

Unified Messaging extensions:

  • .cfg

  • .grxml

Application related extensions,

  • .config

  • .dia

  • .wsb

Offline Address Book-related extensions that can be found in Mailbox Servers:

  • .lzx

Content Index-related extensions

  • .ci

  • .dir

  • .wid

  • .000

  • .001

  • .002

Configuring Process exclusion list

Some antivirus software allows the exclusion of processes from the file-level antivirus software. We can use the following table to exclude each listed process for each Exchange Server role.


Exchange Server Role














Unified Messaging


Mailbox and CAS




Hub, Edge













All Roles








CAS and Mailbox


Mailbox, Hub, CAS, Unified Messaging


CAS and Unified Messaging






Hub Transport and Edge


Mailbox, Hub Transport and Edge


Mailbox Cluster




Mailbox, Hub Transport





Unified Messaging





Unified Messaging


Unified Messaging


IIS Service used by CAS and Mailbox

Table 1


In this tutorial we have seen how to deploy file-level antivirus software on Exchange Server 2007 independently of the file-level antivirus software installed. We have also seen which directories must be excluded from the file-level antivirus software, specific extensions, and the services running in memory as well.

More Information
Exchange Server antivirus software

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top