Configuring file-level antivirus software in Exchange Server 2007

The process of protecting Exchange Server 2007 using file-level antivirus software.

Antivirus software examines files when the operating system performs operations on them, such as opening, creating or closing a file. An Exchange administrator who wants a secure environment has to plan where that scanning happens, because a file-level scanner that touches or quarantines the wrong files on an Exchange server can corrupt databases or stop services. In terms of antivirus software there are two types that matter for Exchange Server:

Exchange Server level antivirus software

This software runs on the Exchange Server itself. Exchange Server 2007 supports the Virus Scanning API (VSAPI) for scanning at the store level and also supports virus scanning at the transport level.

Transport level antivirus is installed on the transport roles (Hub Transport and Edge Transport) and registers transport agents that process message traffic before the messages reach the Mailbox server. We can see an example of transport-agent-based antivirus software through the Get-TransportAgent cmdlet, as shown in Figure 01.


Figure 01: Antivirus software using transport agents to protect the Exchange Server environment at the transport layer

File-level scanner antivirus software

This type is not specific to Exchange Server; it protects the server against viruses that land on the file system of the operating system. File-level antivirus does not protect against e-mail viruses and will not clean a mailbox that receives an infected message. A best practice is to run file-level antivirus on all servers and client operating systems, and to have a procedure that keeps the antivirus signatures up to date across the organization.

Before starting to work with the file-level antivirus software keep in mind that Exchange Server 2007 has a new architecture that requires 64-bit (x64) servers in production. Check with your antivirus vendor whether there is a specific x64 version that takes advantage of the operating system architecture.

Note:
Some file-level antivirus vendors only ship 32-bit versions. A 32-bit scanner can be installed on an x64 machine, but a native x64 build takes advantage of the x64 architecture and performs better.

File-level scanners offer two modes: memory-resident (real-time, or on-access) scanning and on-demand scanning. The first keeps the scanner resident in memory and checks every file as it is accessed, wherever it lives; the second runs a scan of the file system during a scheduled period. The exclusions described below have to be applied to both modes.

The best approach is to use both: antivirus software for Exchange Server and File-level antivirus software on the operating system. It is also highly recommended to use file-level antivirus on client workstations.

Configuring File-level antivirus software

Okay, let’s configure our Exchange Servers to utilize File-level antivirus. Before we start please note that each Exchange Server role (Mailbox, CAS, Hub Transport, Edge Transport and Unified Messaging) has different requirements defined by the file-level antivirus software.

To properly configure file-level antivirus software for each specific role we need to configure the following:

  • Directory exclusions
  • Process exclusions
  • File extension exclusions

Note:
You must verify which options are available with your antivirus software vendor.

Configuring the directory exclusion list

We are going to see how to configure the file-level antivirus software directory exclusion list per Exchange Server Role:

Client Access Server (CAS)

We must make sure that the following directories are excluded by the antivirus software:

  • The Internet Information Services (IIS) 6.0 compression folder
    Default value: %SystemRoot%\IIS Temporary Compressed Files
  • IIS system files
    Default value: %SystemRoot%\System32\Inetsrv
  • Internet-related files used by CAS
    Default value: %ProgramFiles%\Microsoft\Exchange Server\ClientAccess
  • The server's TEMP folder, which is used for content conversion
    Default value: C:\Windows\Temp
    To find it: right-click My Computer, choose Properties, click the Advanced tab and then the Environment Variables button. The value to use is the TEMP variable under System variables, not the user variable of the logged-on administrator, as shown in Figure 02.


Figure 02: The Server’s TEMP folder

Mailbox Server

On Mailbox servers we must make sure that the database, transaction log and checkpoint files are excluded from the file-level antivirus. The following cmdlets, run in the Exchange Management Shell, show the directories used by these components:

  • Mailbox database directory (Figure 03)
    Get-MailboxDatabase -Server <ServerName> | fl *path*
  • Public folder database directory (Figure 04)
    Get-PublicFolderDatabase -Server <ServerName> | fl *path*
  • Message tracking log and managed folder log directories (Figure 05)
    Get-MailboxServer <ServerName> | fl *path*
  • Storage group directories (transaction logs and checkpoint file) (Figure 06)
    Get-StorageGroup -Server <ServerName> | fl *path*


Figure 03: The directories used by the Mailbox Databases and LCR files (if applicable)


Figure 04: The directory used by the Public Folder databases


Figure 05: Mailbox Server settings that must be in the antivirus directory exclusion list


Figure 06: Getting the directories used by the Storage Groups

  • Offline address book files
    %ProgramFiles%\Microsoft\Exchange Server\ExchangeOAB
  • Mailbox database temporary folder
    %ProgramFiles%\Microsoft\Exchange Server\Mailbox\MDBTEMP
  • The Internet Information Services (IIS) 6.0 compression folder
    Default value: %SystemRoot%\IIS Temporary Compressed Files
  • IIS system files
    Default value: %SystemRoot%\System32\Inetsrv
  • Database content indexes. The index directory of each database is reported by the GetSearchIndexForDatabase.ps1 script from the Exchange Scripts folder, run as GetSearchIndexForDatabase.ps1 -all, as shown in Figure 07.


Figure 07: Using the GetSearchIndexForDatabase.ps1 script to validate the index directory

  • The server's TEMP folder, which by default is used for content conversion (as shown in Figure 02)
  • Directory used for OLE conversions
    %ProgramFiles%\Microsoft\Exchange Server\Working\OleConvertor
  • If you use any Exchange maintenance utility (eseutil, isinteg, etc.), make sure that the temporary folder those utilities write to is also in the file-level antivirus exclusion list.
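The cmdlets and static folders above can be combined into one script that builds the complete Mailbox-role directory list (including LCR copy paths, which are *Path* properties too, and the content index folders) so that it can be pasted into the scanner's exclusion list and re-run whenever a database is moved. This is an added example, not part of the original article. It assumes it runs in the Exchange Management Shell on the Mailbox server, that <ServerName> is passed as the $ServerName parameter, and that each database's content index catalog lives beside its .edb file in a folder named CatalogData-* (an assumption about the Exchange 2007 search layout; the GetSearchIndexForDatabase.ps1 output is the authoritative source). The helper names Add-Dir and Add-PathProperties and the output file name are the example's own.

```powershell
# Added example (not from the original article): build the Mailbox-role
# directory exclusion list from the Exchange Management Shell.
param([string]$ServerName = $env:COMPUTERNAME)

$dirs = @()

function Add-Dir([string]$path) {
    if ($path -and $path.Trim().Length -gt 0) {
        $script:dirs += $path.Trim().TrimEnd('\')
    }
}

# Every *Path* property of the given Exchange objects. Properties whose name
# contains "File" (EdbFilePath, CopyEdbFilePath) point at a file, so their
# parent directory is taken; the others are already directories.
function Add-PathProperties($objects) {
    foreach ($o in $objects) {
        if ($o -eq $null) { continue }
        $props = $o | Get-Member -MemberType Property | Where-Object { $_.Name -like '*Path*' }
        foreach ($p in $props) {
            $name  = $p.Name
            $value = $o.$name
            if ($value -eq $null) { continue }
            $text = $value.ToString()
            if ($name -like '*File*') { $text = Split-Path -Parent $text }
            Add-Dir $text
        }
    }
}

# Storage groups (logs, checkpoint, LCR copies), databases (.edb), public
# folder databases and the server-level log paths (message tracking,
# managed folders).
Add-PathProperties @(Get-StorageGroup -Server $ServerName)
Add-PathProperties @(Get-MailboxDatabase -Server $ServerName)
Add-PathProperties @(Get-PublicFolderDatabase -Server $ServerName)
Add-PathProperties @(Get-MailboxServer $ServerName)

# Content index catalogs: ASSUMED to live beside each database file in a
# folder named CatalogData-<guid>-<guid>; verify with GetSearchIndexForDatabase.ps1 -all.
foreach ($db in @(Get-MailboxDatabase -Server $ServerName) + @(Get-PublicFolderDatabase -Server $ServerName)) {
    $dbDir = Split-Path -Parent $db.EdbFilePath.ToString()
    Get-ChildItem -Path $dbDir -Filter 'CatalogData-*' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Add-Dir $_.FullName }
}

# Static folders named in the article.
$exchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server'
Add-Dir (Join-Path $exchangeRoot 'ExchangeOAB')
Add-Dir (Join-Path $exchangeRoot 'Mailbox\MDBTEMP')
Add-Dir (Join-Path $exchangeRoot 'Working\OleConvertor')
Add-Dir (Join-Path $env:SystemRoot 'IIS Temporary Compressed Files')
Add-Dir (Join-Path $env:SystemRoot 'System32\Inetsrv')

# The machine-level TEMP variable (System variables in Figure 02), not the
# TEMP of the logged-on administrator.
Add-Dir ([Environment]::GetEnvironmentVariable('TEMP', 'Machine'))

# Expand any %VAR% references and drop duplicates.
$dirs = $dirs | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } | Sort-Object -Unique

# A path that does not exist usually means a moved database or a typo; flag it
# before the list goes into the antivirus console.
foreach ($d in $dirs) {
    if (-not (Test-Path -Path $d -PathType Container)) { Write-Warning "Not found: $d" }
}

# Example output file name; adjust to taste.
$dirs | Set-Content -Path (Join-Path $env:TEMP "$ServerName-mailbox-av-exclusions.txt")
$dirs
```

Run it after every database or storage group move and diff the new file against the previous one; the scanner's exclusion list has to follow the paths, and a database that silently moved out of an excluded folder is exactly the case that ends with a quarantined transaction log.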

Edge Transport and Hub Transport servers

On Hub Transport and Edge Transport servers we must exclude all the directories used by message tracking, protocol logging, the pickup and replay folders and the other transport paths. Use the cmdlet Get-TransportServer <ServerName> | fl *path* to list them, as shown in Figure 08.


Figure 08: Getting the directory information used by Transport components

We also have to exclude the queue database and IP filter database folders, together with their transaction log folders, which are listed in the EdgeTransport.exe.config file in the Exchange Bin folder, as shown in Figure 09.


Figure 09: The IP Filter Database and Queue Database settings

  • The server's TEMP folder (as shown in Figure 02)
  • OLE conversion folder: %ProgramFiles%\Microsoft\Exchange Server\Working\OleConvertor
  • Sender Reputation database files, found under %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation
  • ADAM database and log files (Edge Transport only): the default path is %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Data\Adam, but it can be viewed or changed through the ConfigureAdam.ps1 script
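The transport list differs from the mailbox one in that part of it lives in an XML configuration file rather than in Active Directory, so a script has to read EdgeTransport.exe.config as well as Get-TransportServer. The following is an added example, not part of the original article. It assumes the Exchange Management Shell on the Hub or Edge server, that <ServerName> is passed as $ServerName, and that the appSettings keys in EdgeTransport.exe.config for the queue and IP filter databases all start with Queue or IPFilter and end with Path (the keys QueueDatabasePath, QueueDatabaseLoggingPath, IPFilterDatabasePath and IPFilterDatabaseLoggingPath are the ones expected). The ADAM default path is used as-is, gated on the server role reported by Get-ExchangeServer; Add-Dir is the example's own helper.

```powershell
# Added example (not from the original article): build the Hub/Edge Transport
# directory exclusion list from Get-TransportServer and EdgeTransport.exe.config.
param([string]$ServerName = $env:COMPUTERNAME)

$dirs = @()
function Add-Dir([string]$path) {
    if ($path -and $path.Trim().Length -gt 0) { $script:dirs += $path.Trim().TrimEnd('\') }
}

# 1. Server-level paths: message tracking, protocol logs, pickup/replay
#    folders and every other *Path* property Get-TransportServer exposes.
$ts = Get-TransportServer $ServerName
$ts | Get-Member -MemberType Property | Where-Object { $_.Name -like '*Path*' } | ForEach-Object {
    $name  = $_.Name
    $value = $ts.$name
    if ($value -ne $null) { Add-Dir $value.ToString() }
}

# 2. Queue and IP filter databases and their logs, read from
#    EdgeTransport.exe.config. The keys are matched by pattern
#    (ASSUMPTION: they start with Queue or IPFilter and end with Path) so a
#    renamed key is not silently skipped; a missing file is reported, not guessed.
$exchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server'
$configPath   = Join-Path $exchangeRoot 'Bin\EdgeTransport.exe.config'
if (Test-Path $configPath) {
    $cfg = [xml](Get-Content -Path $configPath)
    $cfg.configuration.appSettings.add |
        Where-Object { $_.key -match '^(Queue|IPFilter).*Path$' } |
        ForEach-Object { Add-Dir $_.value }
} else {
    Write-Warning "EdgeTransport.exe.config not found at $configPath"
}

# 3. Static folders from the article. The ADAM folder exists only on Edge
#    Transport; the default path is used here and must be confirmed with
#    ConfigureAdam.ps1 because it can be changed.
Add-Dir (Join-Path $exchangeRoot 'Working\OleConvertor')
Add-Dir (Join-Path $exchangeRoot 'TransportRoles\Data\SenderReputation')
if ((Get-ExchangeServer $ServerName).ServerRole -match 'Edge') {
    Add-Dir (Join-Path $exchangeRoot 'TransportRoles\Data\Adam')
}

# Machine-level TEMP (System variables in Figure 02), not the user's TEMP.
Add-Dir ([Environment]::GetEnvironmentVariable('TEMP', 'Machine'))

$dirs = $dirs | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } | Sort-Object -Unique
foreach ($d in $dirs) {
    if (-not (Test-Path -Path $d -PathType Container)) { Write-Warning "Not found: $d" }
}
$dirs
```

The queue database paths deserve the most attention: the queue (mail.que) and its transaction logs are an ESE database like the mailbox store, and a scanner that locks or quarantines a log file there stops mail flow for the whole server.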

Unified Messaging

The Unified Messaging role requires a few directories to be excluded from the file-level antivirus software:

  • Grammar files
    %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\grammars
  • Voice prompts
    %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\Prompts
  • Voicemail
    %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\voicemail
  • Bad voicemail
    %ProgramFiles%\Microsoft\Exchange Server\UnifiedMessaging\badvoicemail

A general directory exclusion for all Exchange Server roles

Usually there is also Exchange-aware antivirus software installed on the Exchange servers. Its quarantine directory, and any other directory that the vendor specifies in the product's installation manual, must be excluded from the file-level scanner so that the two products do not fight over the same files.

Extra steps when using Mailbox Server clusters

Exchange Server 2007 supports two cluster solutions: CCR (Cluster Continuous Replication), which uses a Majority Node Set quorum with a file share witness, and SCC (Single Copy Cluster), which uses a shared physical disk as quorum. In both cases the quorum content must be excluded from the file-level antivirus software. To find out which kind of cluster you are using, open Cluster Administrator and look at the Cluster Group: a Majority Node Set resource means CCR (Figure 10); a Physical Disk quorum resource means SCC.


Figure 10: The Majority Node Set entry that is used by CCR cluster implementations

The directory %SystemRoot%\Cluster must be present in the directory exclusion list of the file-level antivirus software on every node in both scenarios (CCR or SCC). Now that we know which cluster type we have, we can continue to configure the antivirus software.

Cluster Continuous Replication

In a CCR environment the quorum witness is a remote share; we can use the cluster.exe utility to find where the file share witness is and then configure the exclusion for that directory on the server that hosts the share.

The command line is shown in Figure 11, and the syntax is:

cluster <ClusterName> res "Majority Node Set" /priv

where <ClusterName> is not the clustered mailbox server name but the Windows cluster name that you set up during the cluster deployment.


Figure 11: The file share witness used by CCR

Now we know the server and the shared folder. We must log on to that server and add the physical path behind that share (not the UNC name) to the directory exclusion list. In our figure the server is tofrontex1 and the share is MNS_FSW_ClientCluster.
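The two manual steps above (read the witness UNC from cluster.exe, then find the local folder behind the share on the hosting server) can be done in one script, which is useful when the witness is moved or re-created. This is an added example, not part of the original article. It assumes cluster.exe is on the path, that the Windows cluster name is passed as $WindowsClusterName, that the witness appears in the /priv output as a UNC path (the MNSFileShare private property; the exact column layout of the output is not relied on), and that WMI is reachable on the witness server so the share can be resolved with Win32_Share.

```powershell
# Added example (not from the original article): locate the CCR file share
# witness and resolve it to the local folder that must be excluded on the
# server hosting the share. $WindowsClusterName is the Windows cluster name
# (not the clustered mailbox server name), as used in Figure 11.
param([Parameter(Mandatory = $true)][string]$WindowsClusterName)

# cluster.exe prints the private properties of the Majority Node Set resource;
# the witness is the only \\server\share value among them. Any UNC token in
# the output is captured rather than parsing the table columns.
$output = & cluster $WindowsClusterName res "Majority Node Set" /priv 2>&1 | Out-String
$match  = [regex]::Match($output, '\\\\([^\\\s]+)\\([^\\\s]+)')
if (-not $match.Success) {
    throw "No file share witness (UNC path) found in cluster.exe output for cluster $WindowsClusterName"
}
$witnessServer = $match.Groups[1].Value
$witnessShare  = $match.Groups[2].Value
$uncPath       = "\\$witnessServer\$witnessShare"

# Map the share name to its physical path on the hosting server through WMI,
# because the antivirus exclusion has to name the local directory, not the UNC.
$share = Get-WmiObject -Class Win32_Share -ComputerName $witnessServer -Filter "Name='$witnessShare'"
if ($share -eq $null) {
    throw "Share $witnessShare not found on $witnessServer (check the share name and that WMI is reachable)"
}

# Where the exclusion goes. The report is also written next to the script
# so it can be attached to the change record for the antivirus console.
$report = @(
    "Witness UNC path  : $uncPath",
    "Exclude on server : $witnessServer",
    "Local directory   : $($share.Path)"
)
$report | Set-Content -Path (Join-Path $env:TEMP "$WindowsClusterName-fsw-exclusion.txt")
$report
```

The witness share is normally hosted on a Hub Transport server, so the folder reported here is added to that server's file-level exclusions in addition to the transport directories listed earlier; %SystemRoot%\Cluster still has to be excluded on each cluster node separately.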

Single Copy Cluster

With SCC we have to check in Cluster Administrator which disk is used by the quorum resource and add that disk to the exclusion list. These steps must be done on all cluster nodes.

Configuring file extension exclusion list

Some antivirus vendors allow us to exclude file extensions from real-time scanning; the following extensions must be excluded for Exchange Server 2007. Extension exclusions complement the directory exclusions above rather than replacing them, because an excluded extension is skipped wherever the file sits on the disk, so keep the lists scoped to the roles installed on the server:

Mailbox Servers use the following extensions:

  • .chk
  • .log
  • .edb
  • .jrs
  • .que

Unified Messaging extensions:

  • .cfg
  • .grxml

Application-related extensions:

  • .config
  • .dia
  • .wsb

Offline Address Book-related extensions that can be found in Mailbox Servers:

  • .lzx

Content index-related extensions:

  • .ci
  • .dir
  • .wid
  • .000
  • .001
  • .002

Configuring Process exclusion list

Some antivirus products allow processes to be excluded from file-level scanning, so that files opened by an excluded process are not scanned. We can use the following table to exclude each listed process for each Exchange Server role. Process exclusions are the broadest kind of exclusion, so only add the processes of the roles actually installed on the server.

Process                                         Exchange Server Role
----------------------------------------------  ----------------------------------------
Cdb.exe                                         Common
Cidaemon.exe                                    Common
Cluster.exe                                     Mailbox
Dsamain.exe                                     Edge
Edgecredentialsvc.exe                           Edge
Edgetransport.exe                               Hub Transport and Edge
Galgrammargenerator.exe                         Unified Messaging
Inetinfo.exe                                    Mailbox and CAS
Mad.exe                                         Mailbox
Microsoft.Exchange.Antispamupdatesvc.exe        Hub, Edge
Microsoft.Exchange.Contentfilter.Wrapper.exe    (not specified)
Microsoft.Exchange.Cluster.Replayservice.exe    Mailbox
Microsoft.Exchange.Edgesyncsvc.exe              Hub
Microsoft.Exchange.Imap4.exe                    CAS
Microsoft.Exchange.Imap4service.exe             CAS
Microsoft.Exchange.Infoworker.Assistants.exe    Mailbox
Microsoft.Exchange.Monitoring.exe               All roles
Microsoft.Exchange.Pop3.exe                     CAS
Microsoft.Exchange.Pop3service.exe              CAS
Microsoft.Exchange.Search.Exsearch.exe          Mailbox
Microsoft.Exchange.Servicehost.exe              CAS and Mailbox
Msexchangeadtopologyservice.exe                 Mailbox, Hub, CAS, Unified Messaging
Msexchangefds.exe                               CAS and Unified Messaging
Msexchangemailboxassistants.exe                 Mailbox
Msexchangemailsubmission.exe                    Mailbox
Msexchangetransport.exe                         Hub Transport and Edge
Msexchangetransportlogsearch.exe                Mailbox, Hub Transport and Edge
Msftefd.exe                                     Mailbox Cluster
Msftesql.exe                                    Mailbox
Oleconverter.exe                                Mailbox, Hub Transport
Powershell.exe                                  General
Sesworker.exe                                   (not specified)
Speechservice.exe                               Unified Messaging
Store.exe                                       Mailbox
Transcodingservice.exe                          (not specified)
Umservice.exe                                   Unified Messaging
Umworkerprocess.exe                             Unified Messaging
W3wp.exe                                        IIS worker process used by CAS and Mailbox

Table 1: Processes to exclude from file-level scanning, by Exchange Server role

Conclusion

In this tutorial we have seen how to deploy file-level antivirus software on Exchange Server 2007 regardless of which file-level antivirus product is used. We have also seen which directories must be excluded from the file-level scanner, which file extensions, and which processes running on each role.

More Information
Exchange Server antivirus software

About Anderson Patricio

Anderson Patricio is a consultant for Microsoft technologies. He works with Exchange Server, ISA Server and Active Directory deployments at a Microsoft Gold Partner in Toronto, Canada. In the TechNet Brasil community, he contributes news, articles and webcasts.
