
Processes and/or folders to exclude from malware scanners for Exchange email


questorfla:
I have asked the vendors themselves and gotten almost nowhere. They usually tell me to run half a dozen other pieces of software, some of which I have never heard of, and post the results of these scans on a public forum. This does not sound very secure or give me a lot of faith in the abilities of the software involved. It is like those programs that say "Turn off all AV and Mal-ware programs before installing".

Isn't that exactly what a virus or Mal-ware would want you to do? I can understand the need in some cases, but the logic behind the statement is as if: 'Of course you should never use an Antivirus or Mal-ware program before installing OUR software. Trust us!' This ongoing issue is creating a serious problem with our email in Exchange 2013, but the same protection software has worked so well for keeping us free of threats that I am hesitant to dump it, yet I cannot get any assistance in what needs to be excluded for the mail to get through.

Has anyone else seen this problem and found any working solutions other than getting another product, which may not work any better and could be far worse? I do not want to be "brand specific", but we all have the same two pieces of protection software and turning 'ONE' of them OFF is >Always< the solution. It isn't the AV software either, so that narrows it down a bit. If I have posted before about this, sorry to be a repeat offender :) But the problem won't go away and there are too many people for me to just remove it from everyone, even though doing so is an instant fix.

x16wda:
Here are the relevant sections I set up for our Exchange environment. First section for file paths, next is extensions, then processes. Adjust as needed for your environment. Pardon the wrappings, this is for MS System Center Endpoint Protection. (Every bit as good as MSE, mmhm.)


--- Code: Text ---
<AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths" Disabled="false">
  <AddValue Name="%windir%\SoftwareDistribution\Datastore\Datastore.edb" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.log" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\Security\Database\*.edb" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\Security\Database\*.sdb" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\Security\Database\*.log" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\Security\Database\*.chk" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\Security\Database\*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ALLUSERSPROFILE%\NTuser.pol" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%SystemRoot%\System32\GroupPolicy\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ProgramData%\Microsoft\Search\Data\Applications\Windows" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%systemdrive%\System Volume Information\DFSR" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%systemroot%\System32\DHCP" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%systemroot%\System32\dns" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%systemroot%\System32\wins" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%systemroot%\Sysvol\domain" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%systemroot%\Sysvol\staging areas" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\ntds" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\ntfrs" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%SystemDrive%\DAGFileShareWitnesses\*" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ExchangeInstallPath%\Mailbox" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ExchangeInstallPath%\GroupMetrics" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ExchangeInstallPath%\TransportRoles\Logs" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ExchangeInstallPath%\Logging" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ExchangeInstallPath%\ExchangeOAB" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ExchangeInstallPath%\Mailbox\MDBTEMP" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%userprofile%\AppData\Local\Microsoft\Outlook" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%userprofile%\Application Data\Microsoft\Outlook" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="D:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="E:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="F:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="G:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="H:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="I:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="J:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="K:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="L:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="M:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="N:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="C:\Windows\Temp" Type="REG_DWORD" Disabled="false">0</AddValue>
</AddKey>
<AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions" Disabled="false">
  <AddValue Name=".db" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name=".edb" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name=".pst" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name=".ost" Type="REG_DWORD" Disabled="false">0</AddValue>
</AddKey>
<AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes" Disabled="false">
  <AddValue Name="EdgeTransport.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="Microsoft.Exchange.AddressBook.Service.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="Microsoft.Exchange.Cluster.ReplayService.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="Microsoft.Exchange.Monitoring.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="Microsoft.Exchange.RpcClientAccess.Service.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="Microsoft.Exchange.Search.ExSearch.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="MSExchangeMailboxReplication.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="MSExchangeMailSubmission.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="MSExchangeRepl.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="MSExchangeTransportLogSearch.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="MSFTEFD.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="msftesql.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="Store.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="MSExchangeFDS.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
</AddKey>
--- End code ---
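
Before pushing an exclusion list like the one above, it is worth knowing exactly how much of the disk it takes out of scanning. The script below is an added example written for this page; it is not x16wda's code and not anything from Microsoft. It parses a constructed fragment in the same AddKey/AddValue shape as the posted one (the posted fragment has no single root element, so the parser wraps it), honours Disabled="true", and flags three kinds of entries that widen the unscanned surface beyond what Exchange needs: temp directories that any process can write into, generic extension exclusions (which apply on every volume, not just under the Exchange tree), and process exclusions given by bare name. The breadth rules and the sample fragment are the reviewer's own choices, not from the post.

```python
"""Audit a Microsoft Antimalware / SCEP exclusion fragment for overly broad entries.

Added example for this thread; not code from the post above or from Microsoft.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Constructed sample in the same shape as the posted fragment (trimmed, and with
# one deliberately disabled entry to show that disabled values are skipped).
SAMPLE_FRAGMENT = r"""
<AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths" Disabled="false">
  <AddValue Name="%ExchangeInstallPath%\Mailbox" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\Security\Database\*.edb" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="C:\Windows\Temp" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="D:\" Type="REG_DWORD" Disabled="true">0</AddValue>
</AddKey>
<AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions" Disabled="false">
  <AddValue Name=".edb" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name=".db" Type="REG_DWORD" Disabled="false">0</AddValue>
</AddKey>
<AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes" Disabled="false">
  <AddValue Name="Store.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ExchangeInstallPath%\Bin\EdgeTransport.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
</AddKey>
"""

# Locations that ordinary users or any process can write into. Excluding one of
# these means a file dropped there is never scanned. Reviewer's list, not from the post.
WRITABLE_DIRS = re.compile(
    r"^(?:[a-z]:\\windows\\temp|%windir%\\temp|%systemroot%\\temp|%temp%|%tmp%"
    r"|%userprofile%\\appdata\\local\\temp)(?:\\|$)",
    re.IGNORECASE,
)

# Extensions so generic that a global exclusion on them covers far more than
# Exchange/ESE data files. Reviewer's list, not from the post.
GENERIC_EXTENSIONS = {".db", ".log", ".tmp", ".dat", ".txt"}


def parse_exclusions(fragment: str) -> dict[str, list[str]]:
    """Return {"Paths": [...], "Extensions": [...], "Processes": [...]}.

    The posted fragment is a bare sequence of <AddKey> elements with no root,
    so it is wrapped before parsing. Keys or values marked Disabled="true"
    are left out because the policy will not apply them.
    """
    root = ET.fromstring("<root>" + fragment + "</root>")
    result: dict[str, list[str]] = {}
    for key in root.findall("AddKey"):
        if key.get("Disabled", "false").lower() == "true":
            continue
        # Last segment of the registry key name: Paths, Extensions or Processes.
        category = key.get("Name", "").rsplit("\\", 1)[-1]
        entries = result.setdefault(category, [])
        for value in key.findall("AddValue"):
            if value.get("Disabled", "false").lower() == "true":
                continue
            entries.append(value.get("Name", ""))
    return result


def audit_exclusions(exclusions: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """Return (category, entry, reason) for every entry worth a second look."""
    findings: list[tuple[str, str, str]] = []
    for path in exclusions.get("Paths", []):
        if re.fullmatch(r"[A-Za-z]:\\?", path):
            findings.append(("Paths", path, "whole drive excluded"))
        elif WRITABLE_DIRS.match(path):
            findings.append(("Paths", path,
                             "writable temp directory excluded; anything dropped here is never scanned"))
    for ext in exclusions.get("Extensions", []):
        if ext.lower() in GENERIC_EXTENSIONS:
            findings.append(("Extensions", ext,
                             "generic extension excluded on every volume, not only under Exchange"))
    for proc in exclusions.get("Processes", []):
        # A name with no path component matches any executable of that name,
        # wherever it runs; a full path pins the exclusion to one binary.
        if "\\" not in proc and "%" not in proc:
            findings.append(("Processes", proc,
                             "name-only process exclusion matches any executable with this name"))
    return findings


if __name__ == "__main__":
    for category, entry, reason in audit_exclusions(parse_exclusions(SAMPLE_FRAGMENT)):
        print(f"[{category}] {entry}: {reason}")
```

Run it against the policy text you intend to deploy rather than the sample; the sample run reports the temp directory, the .db extension and the bare Store.exe entry and stays quiet about the Exchange-specific paths. The rule set is deliberately small so that each finding is something you can explain to whoever signs off the policy.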

Stoic Joker:
I'm a bit confused here... Windows/desktop AV software isn't going to be able to see/catch/prevent hostile Email attachments flowing through an Exchange server. And there shouldn't be that many software installs happening on the Exchange server. So... What problem are we trying to solve?


I'm generally averse to running AV on an Exchange server, as any of the activities that would cause one to encounter something it would catch should never be happening on a server anyhow. Direct access to any of our servers is stringently controlled (e.g. strictly forbidden). What I do use is a combination Spam and AV filter that sits between the SMTP receivers and the Exchange MB db and deletes or quarantines anything untoward as it comes in, before it gets to Exchange. In the 3 years we've been running it I've never seen the AV FP yet.

x16wda:
Basically - what Stoic said, with caveats.

If you're going to run A/V on Exchange you should exclude the items I listed above so you don't honk your Exchange. The reason you might run it would be to stop some infected box from hitting some vector that your server's attack surface allows, or to satisfy some regulatory or company requirement checkbox. But A/V on the Exchange server isn't going to check inside the emails.

The Exchange server isn't going to open an infected email or follow a link anywhere. Users do that. Whatever you have on the users' boxes should handle that, or better, you should have a filter ahead of Exchange, like Stoic said, that WILL check the emails. Even something like GFI MailEssentials isn't that dear, especially when you think about how much your recent experience cost to recover from.

questorfla:
I seem to always not explain things in the proper context. We don't HOST an Exchange server. The issue is that all Outlook 365 email DOES go through Exchange Servers maintained by Outlook (Hosted Exchange). It is my understanding that they DO scan for and remove Malware (or at the least various malicious processes that are known and can be scanned for), as I can easily see in the headers of the emails that they were scanned and found to be clean.
(I presume if they are NOT clean, they are simply not allowed through? I never see a header saying "This email was found to be infected but MS decided to let it go through anyway in case you wanted to be infected by it." :huh:)

That being the case, my issue is simply that USERS (even Me) constantly find that they have a message at the bottom of their Outlook Screen saying "Unable to Contact MS Exchange Servers." No further explanation given. This message remains on the screen for up to two hours, during which time it may flicker from trying to send to trying to receive to the Unable to connect message. At some random point in time this will eventually solve itself, the server connects and all the email that has backed up for the duration of the Unable to connect time span will suddenly flow through. There is no information given as to why it stopped nor why it started back. No errors listed, and it has nothing to do with internet connectivity.

I have proved to my own satisfaction that it is the Malware scanner that is blocking the Exchange interaction.  Turning it OFF immediately solves the problem.  And does so instantly and without fail.  Nothing else does anything to help but switching the Malware protection to OFF immediately solves the problem.

The reason for my questions is that I must find some way of keeping the protection ON but not blocking the email. It is that simple. While I would be very happy to know WHY, at this point it is a matter of everyone turning their protection to OFF and leaving it there so that their email works. Just as odd are the random few people who do not seem to have this problem, which rules out the issue being 100% the Exchange servers, the OS, the email program etc. since they ARE all the same.

I have found a few people who mentioned that removing the Malicious Website protection module worked for them, but I cannot get anyone at the software company to confirm that this is a good idea. And I can certainly see why. When I do find out what works for ME I also would be afraid to "recommend" the same for anyone else. It is sad that this is the world we live in but it is what it is. No one wants to risk being wrong. Better to let each one struggle with their own issues when it comes to things like Malware etc.

One man's Vaccine is another man's Plague.

Still, I had to ask.

Stoic (and others), sorry if my wording led you astray. We are way too small to host our own email. We used to, but it is no longer practical. The only hosting we do is a small private web exchange and another small private SQL DB. The only Server OS in the house is Server 2008R2 for the SQL DB. All the problems are on Laptops connecting to the internet for Desktop installs of Outlook Exchange Email.

What I am looking for is specifically what I should exclude from being scanned by Malwarebytes. Turn it OFF and the mail works, turn it ON and the mail gets flaky. This Off and On is on the Users' (client) systems. I have no control over what Microsoft does at their end. I just would rather not have the users completely turning Malwarebytes OFF, ...Even half "on" is better than NO "on". I guess I can always just tinker with the options until I hit one that works for us.

Thanks for the list "x16wda", but I imagine that it would apply more to cases where someone was running an AV or Malware program on the "SERVER system" that hosts the Exchange Email, not on the Client side, which is all I have to deal with :(
