Microsoft Defender Antivirus on Windows Server
Exchange Server and antivirus software must coexist properly to prevent data loss and service disruptions. This guide walks through essential configurations and introduces an automated solution to implement them correctly.
The Critical Problem
When antivirus software locks or quarantines Exchange database files or logs, it can cause severe issues:
- Performance Degradation: Exchange processes may slow down waiting for file access.
- Service Interruptions: Critical services like the Information Store or Transport service might stop unexpectedly.
- Potential Database Issues: Interference during database writes or log file operations could, in rare cases, lead to inconsistencies.
These problems occur because Exchange needs constant access to its files, while antivirus software attempts to scan and sometimes lock these same files.
Antivirus software is still recommended on the server, but it must be configured to ignore specific Exchange components.
Required Exclusions for Exchange Server
Microsoft recommends three categories of exclusions:
Directory Exclusions
Prevent scanning of entire folders used heavily by Exchange. This includes locations for:
- Exchange databases (.edb files) and checkpoint files (.chk)
- Transaction log files (.log files)
- Transport Queue database files
- Content Indexing files
- OWA temporary files
- Unified Messaging files (if applicable)
- Certain IIS system and logging directories
Process Exclusions
Prevent the scanner from monitoring the actions of key Exchange and related processes, such as:
- Microsoft.Exchange.Store.Worker.exe and Microsoft.Exchange.Store.Service.exe (Information Store; store.exe on Exchange 2010 and earlier)
- MSExchangeTransport.exe and EdgeTransport.exe (Transport Service)
- inetinfo.exe, w3wp.exe (IIS Processes)
- Search and indexing processes
- .NET Framework compilation processes
File Name Extension Exclusions
Prevent scanning of specific file types commonly used by Exchange, regardless of their location. Examples include:
- .edb
- .log
- .jrs
- .chk
- .ci, .wid, .dir
- .dat (certain lock files)
- .tmp
You can find the comprehensive lists of recommended paths, processes, and extensions on the Microsoft Learn page listed under Reference materials at the end of this article: Running Windows antivirus software on Exchange servers. The list depends on the Exchange version and the roles installed, so use the one that matches your servers.
Implementing the Exclusions
You have two main approaches:
- Manual Configuration: Using the lists from the Microsoft documentation, manually configure the directory, process, and file extension exclusions within your specific antivirus software’s management console. This requires careful attention to detail to ensure all recommended items are included based on your server’s roles and configuration.
- Using the Set-ExchAVExclusions.ps1 Script: Microsoft provides a helpful PowerShell script designed to automate this process, particularly for Microsoft Defender Antivirus.
- Source: Microsoft CSS-Exchange GitHub Repository
- Functionality: The script detects the actual paths used by your Exchange installation (database paths, log paths, etc.) and applies the recommended exclusions directly to Microsoft Defender Antivirus settings.
- Third-Party Antivirus: If you use a non-Microsoft antivirus solution, the script cannot configure it directly. Run it with -ListRecommendedExclusions (and -FileName to save the output) to produce the list of folders, processes, and extensions that apply to this server’s actual database, log, and installation paths, then enter that list in your third-party product’s management console.
Automating Exclusion Setup with Set-ExchAVExclusions
Microsoft provides a PowerShell script that automates the entire exclusion configuration process:
PowerShell examples (run from an elevated Exchange Management Shell on the Exchange server):
Apply the recommended exclusions to Microsoft Defender Antivirus on the local server:
.\Set-ExchAVExclusions.ps1
List the exclusions the script would set for this server, without applying them:
.\Set-ExchAVExclusions.ps1 -ListRecommendedExclusions
List the exclusions without applying them and also write them to the named file (the list to hand to a third-party antivirus product):
.\Set-ExchAVExclusions.ps1 -ListRecommendedExclusions -FileName .\Exclusions.txt
Apply the exclusions and also write them to the named file:
.\Set-ExchAVExclusions.ps1 -FileName .\Exclusions.txt
The script requires:
- An elevated Exchange Management Shell session (it reads the server’s database and log paths through the Exchange cmdlets)
- Membership in the local Administrators group
- Microsoft Defender Antivirus, which is the only product the script configures directly
For third-party antivirus solutions, use the script to generate the exclusion list, then apply it manually to your product.
Implementation Checklist
- Run Set-ExchAVExclusions.ps1 -ListRecommendedExclusions to identify the exclusions required for this server
- Configure Microsoft Defender Antivirus automatically with the script, or apply the generated list manually to your third-party antivirus
- Test Exchange functionality after applying exclusions
- Document your exclusion configuration
- Verify the exclusions are still in place after antivirus or policy updates, and again whenever you add a database or move database or log paths
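The last two checklist items can be scripted. The block below is an added example written for this article; it is not code from the original page and not Microsoft’s Set-ExchAVExclusions.ps1. It rebuilds the expected database, log, and transport-queue paths from the server’s own configuration (the same idea the Microsoft script uses), compares them and a constructed subset of the extension and process exclusions against what Get-MpPreference reports, and, with the hypothetical -Fix switch, re-adds anything that has dropped out. The extension and process lists are illustrative; substitute the full Microsoft list for your roles. Run it from an elevated Exchange Management Shell on the Exchange server.

```powershell
# Added example (not from the original article or Microsoft's Set-ExchAVExclusions.ps1):
# check that the Exchange exclusions are still present in Microsoft Defender Antivirus
# and optionally put back any that are missing. Run from an elevated Exchange Management
# Shell; needs the Defender module (Get-MpPreference / Add-MpPreference).

function Get-ExpectedExchangeExclusions {
    # Derive database and log folders from the live server configuration instead of
    # hard-coding them, so the check follows database moves.
    $root = $env:ExchangeInstallPath                 # set by Exchange setup, ends with '\'
    $dbs  = Get-MailboxDatabase -Server $env:COMPUTERNAME

    $paths = @(
        foreach ($db in $dbs) {
            Split-Path -Parent $db.EdbFilePath.PathName   # folder holding the .edb/.chk
            $db.LogFolderPath.PathName                     # transaction log folder
        }
        Join-Path $root 'TransportRoles\Data'              # transport queue database
    )

    # Constructed subset of Microsoft's lists; replace with the full list for your roles
    # (or with the output of Set-ExchAVExclusions.ps1 -ListRecommendedExclusions).
    [pscustomobject]@{
        Paths      = @($paths | Sort-Object -Unique)
        Extensions = @('edb', 'log', 'jrs', 'chk')
        Processes  = @(
            (Join-Path $root 'Bin\Microsoft.Exchange.Store.Worker.exe'),
            (Join-Path $root 'Bin\MSExchangeTransport.exe'),
            (Join-Path $root 'Bin\EdgeTransport.exe'),
            (Join-Path $env:SystemRoot 'System32\inetsrv\w3wp.exe')
        )
    }
}

function Test-ExchAVExclusions {
    param([switch]$Fix)   # hypothetical switch: re-add whatever is missing

    $expected = Get-ExpectedExchangeExclusions
    $pref     = Get-MpPreference

    # Normalise before comparing: Defender may hold paths with or without a trailing
    # backslash and extensions with or without a leading dot. -notcontains is case-insensitive.
    $havePaths = @($pref.ExclusionPath      | ForEach-Object { $_.TrimEnd('\') })
    $haveExt   = @($pref.ExclusionExtension | ForEach-Object { $_.TrimStart('.') })
    $haveProc  = @($pref.ExclusionProcess)

    $result = [pscustomobject]@{
        MissingPaths      = @($expected.Paths      | Where-Object { $havePaths -notcontains $_.TrimEnd('\') })
        MissingExtensions = @($expected.Extensions | Where-Object { $haveExt   -notcontains $_ })
        MissingProcesses  = @($expected.Processes  | Where-Object { $haveProc  -notcontains $_ })
    }

    if ($Fix) {
        if ($result.MissingPaths)      { Add-MpPreference -ExclusionPath      $result.MissingPaths }
        if ($result.MissingExtensions) { Add-MpPreference -ExclusionExtension $result.MissingExtensions }
        if ($result.MissingProcesses)  { Add-MpPreference -ExclusionProcess   $result.MissingProcesses }
    }
    $result
}

# Report only; add -Fix to re-apply anything that has dropped out.
$r = Test-ExchAVExclusions
if ($r.MissingPaths -or $r.MissingExtensions -or $r.MissingProcesses) {
    Write-Warning 'Exchange AV exclusions are incomplete:'
    $r | Format-List
} else {
    Write-Host 'All expected Exchange exclusions are present in Microsoft Defender Antivirus.'
}
```

Process exclusions are compared as full paths because that is the stricter form (a bare image name excludes any process with that name, wherever it runs from). If the server is managed through Intune or Defender for Endpoint with tamper protection covering exclusions, local Add-MpPreference calls may be rejected, and the exclusions must be set through that management channel instead; the report half of the script still works.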
Final Notes
Windows Antivirus Cannot Replace Email Security Solutions
Standard Windows antivirus software operates at the file system level, examining files as they’re created or accessed on disk. This approach misses many email-specific threats that:
- Exist only within message bodies or attachments
- Use social engineering tactics specific to email communication
- Exploit email protocol vulnerabilities
- Appear in encrypted attachments that desktop antivirus can’t inspect
Email-specific security solutions analyze messages in transit, check against reputation databases, and apply content filtering rules specifically designed for email-borne threats. They also provide features like URL rewriting, time-of-click protection, and specialized phishing detection that Windows antivirus lacks.
Troubleshooting with Temporary Antivirus Disabling
When Exchange exhibits performance issues or service disruptions, antivirus interference is a common contributor, and Microsoft support frequently asks for antivirus to be disabled temporarily to rule it out. Treat that as a diagnostic step, not a fix: confirm whether the scanner has actually been touching Exchange files, keep the window short, re-enable protection as soon as the test is done, and correct the missing exclusions rather than leaving protection off.
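The following block is an added example for that troubleshooting step; it is not code from the original article. It first pulls the evidence that would justify the test (Defender threat detections whose affected resource sits under the Exchange install path, and Defender operational-log events 1116, 1117, and 5007, the last of which records configuration changes such as a removed exclusion), then wraps the diagnostic run in a try/finally so real-time monitoring is always switched back on. The mount check inside the scriptblock is a placeholder for whatever operation you are reproducing. Run it elevated on the Exchange server.

```powershell
# Added example (not from the original article): gather Defender evidence against the
# Exchange install path, then run a diagnostic with real-time protection off and
# guarantee it comes back on. Run elevated on the Exchange server.

function Get-ExchangeDefenderActivity {
    param([int]$Days = 7)
    $root  = $env:ExchangeInstallPath
    $rx    = [regex]::Escape($root)      # literal match of the path inside messages/resources
    $since = (Get-Date).AddDays(-$Days)

    # 1. Threat detections whose affected resource (e.g. "file:_C:\...") is under Exchange.
    $detections = Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since -and ($_.Resources -match $rx) } |
        Select-Object InitialDetectionTime, ProcessName, ThreatID, Resources

    # 2. Defender operational log: 1116 = malware detected, 1117 = action taken,
    #    5007 = configuration changed (where a dropped exclusion shows up).
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117, 5007
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 5007 -or $_.Message -match $rx } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

    [pscustomobject]@{ Detections = @($detections); Events = @($events) }
}

function Invoke-WithRealtimeProtectionOff {
    # Runs $Test with real-time monitoring disabled and always re-enables it, even if
    # the test throws. For reproducing a problem once, not for leaving in place.
    param([Parameter(Mandatory)][scriptblock]$Test)

    $wasDisabled = (Get-MpPreference).DisableRealtimeMonitoring
    if (-not $wasDisabled) { Set-MpPreference -DisableRealtimeMonitoring $true }
    try {
        & $Test
    } finally {
        if (-not $wasDisabled) { Set-MpPreference -DisableRealtimeMonitoring $false }
        # Verify the state actually changed back; tamper protection or policy can override
        # Set-MpPreference silently.
        if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
            Write-Warning 'Real-time protection is still off; check tamper protection / policy.'
        }
    }
}

# Usage: evidence first, then (only if warranted) reproduce with protection off.
$activity = Get-ExchangeDefenderActivity -Days 7
$activity.Detections | Format-Table -AutoSize
$activity.Events     | Format-Table -AutoSize

# Placeholder diagnostic: confirm the databases report as mounted with Defender out of the way.
Invoke-WithRealtimeProtectionOff -Test {
    Get-MailboxDatabase -Server $env:COMPUTERNAME -Status | Select-Object Name, Mounted
}
```

If the evidence step shows no detections or actions against Exchange paths, the antivirus is an unlikely cause and the disable test can be skipped. Where tamper protection is enforced, Set-MpPreference will not turn real-time monitoring off at all; the finally block’s warning makes that visible instead of leaving you to assume the test ran without protection.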
Configuring antivirus exclusions is not optional; it’s a required step for maintaining a stable and performant Exchange Server environment while ensuring operating system security. Neglecting these exclusions can lead to avoidable operational problems.
Reference materials:
Running Windows antivirus software on Exchange servers:
https://learn.microsoft.com/en-us/Exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019
Microsoft’s Set-ExchAVExclusions.ps1 script, which sets the antivirus exclusions according to the Microsoft Exchange Server documentation:
https://microsoft.github.io/CSS-Exchange/Setup/Set-ExchAVExclusions
Installing Microsoft Defender Antivirus on Windows Server:
https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-on-windows-server
Strengthen Your Server Security with Messageware
Data breaches have increased by 72%, and servers can be compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.
Messageware offers powerful security solutions, including:
Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.
EPG Guard for Exchange Servers: Real-time security stops AD account lockouts, eliminates brute force password attacks, provides intelligent GEO blocking, and prevents Exchange Server vulnerability probing. Enhance security through real-time collection and analysis of logon information, with advanced reporting, threat detection, and security controls.
Don’t leave your critical infrastructure vulnerable, be proactive and stay ahead of evolving threats.