Configuring file-level antivirus software in Exchange Server 2007


By definition, antivirus software examines files when the operating system performs operations on them, such as opening, creating or closing a file. To provide a secure environment, an Exchange administrator must consider the security of the whole environment. In terms of antivirus software, there are two types for Exchange Server:


Exchange Server level Antivirus software


This software runs on the Exchange Server itself. Exchange Server 2007 supports the Virus Scanning API (VSAPI) and also supports virus scanning at the transport level.


Transport-level antivirus is installed on the Exchange Server transport roles (Hub Transport and Edge Transport). It creates transport agents that process incoming message traffic before those messages reach the mailbox server. We can see an example of transport agent antivirus software through the Get-TransportAgent cmdlet, as shown in Figure 01.



Figure 01: An antivirus software using Transport Agents to protect the Exchange Server environment at Transport layer


File-level scanner antivirus software


This software is not specific to Exchange Server; it protects servers against viruses located on the file system of the operating system. File-level antivirus does not protect against e-mail viruses: it will not clean your mailbox if you get a virus through a received message. A best practice is to use file-level antivirus software on all servers and client operating systems, and to create a procedure that keeps all antivirus signatures up to date across the organization.


Before starting to work with the file-level antivirus software, keep in mind that Exchange Server 2007 has a new architecture that enforces the use of x64 servers. Check with your antivirus software vendor whether there is a specific x64 version that takes advantage of the operating system architecture.


Note:
Some file-level antivirus software vendors have only 32-bit versions. We can install 32-bit software on an x64 machine, but antivirus software built for x64 will take advantage of the x64 architecture to provide better performance.


File-level scanner antivirus offers two options: memory-resident and on-demand. The first keeps the antivirus resident in memory, where it checks all files no matter where they are, in memory or on the file system. The second allows the scanning process to be run during a specific period.


The best approach is to use both: antivirus software for Exchange Server and File-level antivirus software on the operating system. It is also highly recommended to use file-level antivirus on client workstations.


Configuring File-level antivirus software


Okay, let’s configure our Exchange Servers to utilize File-level antivirus. Before we start please note that each Exchange Server role (Mailbox, CAS, Hub Transport, Edge Transport and Unified Messaging) has different requirements defined by the file-level antivirus software.


To properly configure file-level antivirus software for each specific role we need to configure the following:




  • Directory exclusions


  • Process exclusions


  • File extension exclusions

Note:
You must verify which options are available with your antivirus software vendor.


Configuring the directory exclusion list


We are going to see how to configure the file-level antivirus software directory exclusion list per Exchange Server Role:


Client Access Server (CAS)


We must make sure that the following directories will be excluded by the antivirus software:




  • The Internet Information Services (IIS) 6.0 compression folder
    Default Value: %systemroot%\IIS Temporary Compressed Files


  • IIS system files
    Default value: %SystemRoot%\System32\Inetsrv folder


  • Internet related files used by CAS
    Default value: %Program Files%\Microsoft\Exchange Server\ClientAccess


  • Server’s temporary folder, which is used to perform content conversion
    Default Value: C:\Windows\Temp
    To gather this information: right-click the My Computer icon, click Properties, click the Advanced tab, and then click the Environment Variables button, as shown in Figure 02.


Figure 02: The Server’s TEMP folder


Mailbox Server


On Mailbox Servers we must make sure that the database, log files and checkpoint files are excluded from the file-level antivirus. The following cmdlets show the directories of these components:




  • Mailbox database directory (Figure 03)
    Get-MailboxDatabase -Server <ServerName> | fl *path*


  • Public Folder database directory (Figure 04)
    Get-PublicFolderDatabase -Server <ServerName> | fl *path*


  • Message Tracking and Log Path for Managed Folders directories (Figure 05)
    Get-MailboxServer <ServerName> | select *path*


  • Storage Group directory (Figure 06)
    Get-StorageGroup -Server <ServerName> | fl *path*


Figure 03: The directories used by the Mailbox Databases and LCR files (if applicable)



Figure 04: The directory used by the Public Folder databases



Figure 05: Mailbox Server settings that must be in the antivirus directory exclusion list



Figure 06: Getting the directories used by the Storage Groups




  • Offline Address Book files
    %Program Files%\Microsoft\Exchange Server\ExchangeOAB folder


  • Mailbox database temporary folder
    %Program Files%\Microsoft\Exchange Server\Mailbox\MDBTEMP


  • The Internet Information Services (IIS) 6.0 compression folder
    Default Value: %systemroot%\IIS Temporary Compressed Files


  • IIS system files
    Default value: %SystemRoot%\System32\Inetsrv folder


  • Database content indexes. We can get the index directory using the following script: GetSearchIndexForDatabase.ps1 -All, as shown in Figure 07.


Figure 07: Using GetSearchIndexForDatabase.ps1 script to validate the Index Directory




  • Server’s TEMP folder which by default is used to perform content conversion (as shown in Figure 02)


  • Directory used for OLE conversions
    %Program Files%\Microsoft\Exchange Server\Working\OleConvertor folder


  • If you use any Exchange maintenance utility (eseutil, isinteg, etc.), make sure that the temporary folder it uses is in the file-level antivirus software exclusion list.

Edge Transport Server and Hub Transport


In the Hub Transport Server we must exclude all the directories used by Message Tracking, message folders, etc. Use the cmdlet Get-TransportServer <ServerName> | select *path* to validate the directories, as shown in Figure 08.



Figure 08: Getting the directory information used by Transport components


We also have to exclude the Queue and IP Filter related folder directories which are listed in the EdgeTransport.exe.config file, as shown in Figure 09.



Figure 09: The IP Filter Database and Queue Database settings




  • Server’s TEMP folder (as shown in Figure 02)


  • OLE conversions folder: %Program Files%\Microsoft\Exchange Server\Working\OleConvertor


  • Sender Reputation database files, which can be found under the following directory: %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation


  • ADAM database and log files (specific to Edge Transport): the default path is %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Adam, but we can change or view it through ConfigureAdam.ps1
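
The directory lookups for the Mailbox and transport roles above can be gathered in one pass. The following PowerShell is an added example, not part of the original article: the function names and the -TransportConfig parameter are hypothetical, and it assumes the Exchange Management Shell and that the database locations in EdgeTransport.exe.config are appSettings keys whose names end in "Path".

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# Get-PathValues, Get-ExclusionDirectories and their parameters are hypothetical names.

function Get-PathValues($InputObject) {
    # Same selection as "| fl *path*": every property whose name contains "path".
    foreach ($obj in @($InputObject)) {
        if ($obj -eq $null) { continue }
        foreach ($prop in $obj.PSObject.Properties) {
            if ($prop.Name -like '*path*' -and $prop.Value -ne $null) { "$($prop.Value)" }
        }
    }
}

function Get-ExclusionDirectories {
    param(
        [string]$ServerName = $env:COMPUTERNAME,
        [string]$TransportConfig = ''   # full path to EdgeTransport.exe.config, if present
    )
    # Cmdlets named in the article; a role that is not installed returns nothing.
    $paths = @(
        Get-PathValues (Get-MailboxDatabase -Server $ServerName -ErrorAction SilentlyContinue)
        Get-PathValues (Get-PublicFolderDatabase -Server $ServerName -ErrorAction SilentlyContinue)
        Get-PathValues (Get-StorageGroup -Server $ServerName -ErrorAction SilentlyContinue)
        Get-PathValues (Get-MailboxServer $ServerName -ErrorAction SilentlyContinue)
        Get-PathValues (Get-TransportServer $ServerName -ErrorAction SilentlyContinue)
    )
    # Assumption: queue and IP filter locations are appSettings keys ending in "Path".
    if ($TransportConfig -and (Test-Path $TransportConfig)) {
        $xml = [xml](Get-Content $TransportConfig)
        foreach ($entry in $xml.SelectNodes('/configuration/appSettings/add')) {
            if ($entry.GetAttribute('key') -like '*Path') { $paths += $entry.GetAttribute('value') }
        }
    }
    $paths |
        Where-Object { -not [string]::IsNullOrEmpty($_) } |
        ForEach-Object {
            # Database path properties name the .edb file itself; exclude its folder.
            if ($_ -like '*.edb') { Split-Path -Parent $_ } else { $_.TrimEnd('\') }
        } |
        Sort-Object -Unique
}

Get-ExclusionDirectories -ServerName $env:COMPUTERNAME
```

The output is a de-duplicated list of directories to compare against the exclusion list configured in the antivirus product; the fixed folders listed in the bullets above still have to be added by hand.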

Unified Messaging


The Unified Messaging role requires a few directories to be excluded from the file-level antivirus software:




  • Grammar Files
    %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\grammars


  • Voice Prompts
    %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\Prompts


  • Voicemail
    %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\voicemail


  • Bad Voicemail
    %Program Files%\Microsoft\Exchange Server\UnifiedMessaging\badvoicemail

A general directory exclusion for all Exchange Server roles


Usually there is Exchange Server antivirus software installed on the Exchange Servers, and we must exclude its Quarantine directory and any other directory that the antivirus software vendor specifies in the product’s Installation Manual.


Extra steps when using Mailbox Server clusters


Exchange Server 2007 allows two types of cluster solutions: CCR (Cluster Continuous Replication), which uses a file share witness as quorum, and SCC (Single Copy Cluster), which uses a physical disk as quorum. In both cases the quorum content must be excluded from the file-level antivirus software. To find out which kind of cluster you are using, open Cluster Administrator and look in the Cluster Group. A Majority Node Set entry means that you are using CCR (Figure 10); a Physical Disk entry means that you are using an SCC cluster.



Figure 10: The Majority Node Set entry that is used by CCR cluster implementations


The directory %Winnt%\Cluster must be present in the directory exclusion list of the file-level antivirus software in both scenarios (CCR or SCC). Now that we know which cluster type we have, we can continue to configure the antivirus software.


Cluster Continuous Replication


In a CCR environment our quorum is located on a remote share. We can use the cluster utility to find out where the file share witness is, and then configure the exclusion for that directory on the machine that hosts it.


The command line to be used is shown in Figure 11, and the syntax is:


Cluster <ClusterName> res "Majority Node Set" /priv


where ClusterName is not the Exchange cluster name but the name that you set up during the cluster deployment.



Figure 11: The file share witness used by CCR


Now we know the server and the shared folder. We must log on to that server and add that specific folder to the directory exclusion list. In our figure, the server is called tofrontex1 and the folder to exclude is the physical path of the shared folder MNS_FSW_ClientCluster.


Single Copy Cluster


With SCC, we use Cluster Administrator to see which disk is being used by the quorum and add that disk to the exclusion list. We have to do these steps on all the cluster nodes.


Configuring file extension exclusion list


Some antivirus software vendors allow us to exclude file extensions from real-time scanning. The following extensions must be defined for Exchange Server 2007:


Mailbox Servers use the following extensions:




  • .chk


  • .log


  • .edb


  • .jrs


  • .que

Unified Messaging extensions:




  • .cfg


  • .grxml

Application-related extensions:




  • .config


  • .dia


  • .wsb

Offline Address Book-related extensions that can be found in Mailbox Servers:




  • .lzx

Content Index-related extensions:




  • .ci


  • .dir


  • .wid


  • .000


  • .001


  • .002
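
Excluded directories and extensions are not examined by the file-level scanner, so it is useful to check periodically what the excluded folders actually contain. The following PowerShell is an added example, not part of the original article: the function name, its parameters and the sample paths are hypothetical, and it assumes the directories passed in are database, log or content index folders that should hold only the Mailbox Server and Content Index file types listed above.

```powershell
# Added example, not from the original article. Find-UnexpectedFile and its
# parameters are hypothetical names.
# Assumption: each directory passed in is a database, log or content index folder
# that should hold only the file types from the extension lists above.
function Find-UnexpectedFile {
    param(
        [string[]]$Directory,
        [string[]]$ExpectedExtension = @(
            '.chk', '.log', '.edb', '.jrs', '.que',          # Mailbox Server list
            '.ci', '.dir', '.wid', '.000', '.001', '.002'    # Content Index list
        )
    )
    foreach ($dir in $Directory) {
        if (-not (Test-Path $dir)) {
            Write-Warning "Excluded directory not found: $dir"
            continue
        }
        # -Force includes hidden and system files; -notcontains is case-insensitive.
        Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Where-Object { $ExpectedExtension -notcontains $_.Extension } |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

# Constructed sample paths; replace with the directories on your exclusion list.
Find-UnexpectedFile -Directory 'D:\ExchangeData\SG1\Logs', 'D:\ExchangeData\SG1\Database' |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Any file it reports sits in a location the real-time scanner skips and is a candidate for an on-demand scan or manual review.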

Configuring Process exclusion list


Some antivirus software allows the exclusion of processes from the file-level antivirus software. We can use the following table to exclude each listed process for each Exchange Server role.


Process                                       Exchange Server Role
--------------------------------------------  ------------------------------------
Cdb.exe                                       Common
Cidaemon.exe                                  Common
Cluster.exe                                   Mailbox
Dsamain.exe                                   Edge
Edgecredentialsvc.exe                         Edge
Edgetransport.exe                             Edge
Galgrammargenerator.exe                       Unified Messaging
Inetinfo.exe                                  Mailbox and CAS
Mad.exe                                       Mailbox
Microsoft.Exchange.Antispamupdatesvc.exe      Hub, Edge
Microsoft.Exchange.Contentfilter.Wrapper.exe
Microsoft.Exchange.Cluster.Replayservice.exe  Mailbox
Microsoft.Exchange.Edgesyncsvc.exe            Hub
Microsoft.Exchange.Imap4.exe                  CAS
Microsoft.Exchange.Imap4service.exe           CAS
Microsoft.Exchange.Infoworker.Assistants.exe  Mailbox
Microsoft.Exchange.Monitoring.exe             All Roles
Microsoft.Exchange.Pop3.exe                   CAS
Microsoft.Exchange.Pop3service.exe            CAS
Microsoft.Exchange.Search.Exsearch.exe        Mailbox
Microsoft.Exchange.Servicehost.exe            CAS and Mailbox
Msexchangeadtopologyservice.exe               Mailbox, Hub, CAS, Unified Messaging
Msexchangefds.exe                             CAS and Unified Messaging
Msexchangemailboxassistants.exe               Mailbox
Msexchangemailsubmission.exe                  Mailbox
Msexchangetransport.exe                       Hub Transport and Edge
Msexchangetransportlogsearch.exe              Mailbox, Hub Transport and Edge
Msftefd.exe                                   Mailbox Cluster
Msftesql.exe                                  Mailbox
Oleconverter.exe                              Mailbox, Hub Transport
Powershell.exe                                General
Sesworker.exe
Speechservice.exe                             Unified Messaging
Store.exe                                     Mailbox
Transcodingservice.exe
Umservice.exe                                 Unified Messaging
Umworkerprocess.exe                           Unified Messaging
W3wp.exe                                      IIS Service used by CAS and Mailbox


Table 1


Conclusion


In this tutorial we have seen how to deploy file-level antivirus software on Exchange Server 2007, regardless of which file-level antivirus product is installed. We have also seen which directories must be excluded from the file-level antivirus software, along with the specific extensions and the processes running in memory.


More Information
Exchange Server antivirus software
