Topic: Processes and/or folders to exclude from malware scanners for Exchange email

questorfla

  • Supporting Member
  • Joined in 2012
  • Posts: 570
  • Fighting Slime all the Time
I have asked the vendors themselves and gotten almost nowhere. They usually tell me to run half a dozen other pieces of software, some of which I have never heard of, and post on a public forum the results of these scans. This does not sound very secure or give me a lot of faith in the abilities of the software involved. It is like those programs that say "Turn off all AV and Mal-ware programs before installing".

Isn't that exactly what a virus or Mal-ware would want you to do? I can understand the need in some cases, but the logic behind the statement is as if 'Of course you should never use an Antivirus or Mal-ware program before installing OUR software. Trust us!' This ongoing issue is creating a serious problem with our email in Exchange 2013 but the same protection software has worked so well for keeping us free of threats that I am hesitant to dump it, yet cannot get any assistance in what needs to be excluded for the mail to get through.

Has anyone else seen this problem and found any working solutions other than getting another product which may not work any better and could be far worse? I do not want to be "brand specific" but we all have the same two pieces of protection software and turning 'ONE' of them OFF is >Always< the solution. It isn't the AV software either so that narrows it down a bit. If I have posted before about this, sorry to be a repeat offender :) But the problem won't go away and there are too many people for me to just remove it from everyone even though doing so is an instant fix.

x16wda

  • Supporting Member
  • Joined in 2007
  • Posts: 888
  • what am I doing in this handbasket?
Here are the relevant sections I set up for our Exchange environment. First section for file paths, next is extensions, then processes. Adjust as needed for your environment. Pardon the wrappings, this is for MS System Center Endpoint Protection. (Every bit as good as MSE, mmhm.)

Code:
<AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths" Disabled="false">
  <AddValue Name="%windir%\SoftwareDistribution\Datastore\Datastore.edb" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.log" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\Security\Database\*.edb" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\Security\Database\*.sdb" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\Security\Database\*.log" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\Security\Database\*.chk" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\Security\Database\*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ALLUSERSPROFILE%\NTuser.pol" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%SystemRoot%\System32\GroupPolicy\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ProgramData%\Microsoft\Search\Data\Applications\Windows" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%systemdrive%\System Volume Information\DFSR" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%systemroot%\System32\DHCP" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%systemroot%\System32\dns" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%systemroot%\System32\wins" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%systemroot%\Sysvol\domain" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%systemroot%\Sysvol\staging areas" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\ntds" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%windir%\ntfrs" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%SystemDrive%\DAGFileShareWitnesses\*" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ExchangeInstallPath%\Mailbox" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ExchangeInstallPath%\GroupMetrics" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ExchangeInstallPath%\TransportRoles\Logs" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ExchangeInstallPath%\Logging" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ExchangeInstallPath%\ExchangeOAB" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%ExchangeInstallPath%\Mailbox\MDBTEMP" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%userprofile%\AppData\Local\Microsoft\Outlook" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%userprofile%\Application Data\Microsoft\Outlook" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="D:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="E:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="F:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="G:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="H:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="I:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="J:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="K:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="L:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="M:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="N:\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="C:\Windows\Temp" Type="REG_DWORD" Disabled="false">0</AddValue>
</AddKey>
<AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions" Disabled="false">
  <AddValue Name=".db" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name=".edb" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name=".pst" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name=".ost" Type="REG_DWORD" Disabled="false">0</AddValue>
</AddKey>
<AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes" Disabled="false">
  <AddValue Name="EdgeTransport.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="Microsoft.Exchange.AddressBook.Service.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="Microsoft.Exchange.Cluster.ReplayService.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="Microsoft.Exchange.Monitoring.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="Microsoft.Exchange.RpcClientAccess.Service.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="Microsoft.Exchange.Search.ExSearch.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="MSExchangeMailboxReplication.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="MSExchangeMailSubmission.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="MSExchangeRepl.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="MSExchangeTransportLogSearch.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="MSFTEFD.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="msftesql.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="Store.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="MSExchangeFDS.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
</AddKey>
vi vi vi - editor of the beast
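
An added example (not part of the post above and not Microsoft tooling): a short Python script that parses an exclusion fragment in the format x16wda posted and lists the entries worth a second look before the policy is deployed, since every exclusion is a place the scanner no longer looks. The `<Policy>` wrapper element, the function names and the review rules are assumptions made for this illustration; the sample entries are a subset copied from the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a subset of the entries from the post above, wrapped in
# a hypothetical <Policy> root element so the fragment parses as one document.
SAMPLE = r"""<Policy>
<AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths" Disabled="false">
  <AddValue Name="%ExchangeInstallPath%\Mailbox" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="\Program Files\Microsoft\Exchange Server" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="%userprofile%\AppData\Local\Microsoft\Outlook" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="C:\Windows\Temp" Type="REG_DWORD" Disabled="false">0</AddValue>
</AddKey>
<AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions" Disabled="false">
  <AddValue Name=".db" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name=".pst" Type="REG_DWORD" Disabled="false">0</AddValue>
</AddKey>
<AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes" Disabled="false">
  <AddValue Name="EdgeTransport.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
  <AddValue Name="Store.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
</AddKey>
</Policy>"""

# Review heuristics (assumptions for this example, not vendor guidance).
# A path should start with a drive letter or an environment variable.
ANCHORED = re.compile(r"^([A-Za-z]:\\|%[^%]+%)")
# Temp and per-user locations are typically writable without admin rights.
USER_WRITABLE = re.compile(
    r"\\te?mp(\\|$)|%te?mp%|%userprofile%|%(local)?appdata%", re.IGNORECASE
)


def _enabled(element):
    """An entry counts unless it is explicitly marked Disabled="true"."""
    return element.get("Disabled", "false").strip().lower() != "true"


def parse_exclusions(xml_text):
    """Return {'Paths': [...], 'Extensions': [...], 'Processes': [...]}.

    The category is the last component of each AddKey registry path.
    Disabled keys and disabled values are skipped.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for key in root.iter("AddKey"):
        if not _enabled(key):
            continue
        kind = key.get("Name", "").rsplit("\\", 1)[-1]
        names = [v.get("Name", "") for v in key.findall("AddValue") if _enabled(v)]
        result.setdefault(kind, []).extend(names)
    return result


def review(exclusions):
    """Return (entry, reason) pairs for exclusions that deserve a manual check."""
    findings = []
    for path in exclusions.get("Paths", []):
        if not ANCHORED.match(path):
            findings.append((path, "no drive letter or environment variable"))
        if USER_WRITABLE.search(path):
            findings.append((path, "temp or per-user location, writable by non-admins"))
    for ext in exclusions.get("Extensions", []):
        # An extension exclusion is not tied to a folder: it applies wherever
        # a file with that extension sits.
        findings.append((ext, "extension excluded in every folder"))
    for proc in exclusions.get("Processes", []):
        if "\\" not in proc:
            # A bare file name matches a process of that name from any location.
            findings.append((proc, "process excluded by file name only"))
    return findings


if __name__ == "__main__":
    for entry, reason in review(parse_exclusions(SAMPLE)):
        print(f"{entry:55} {reason}")
```

Narrowing the flagged entries (full paths for processes, specific folders instead of blanket extensions) keeps the Exchange databases out of the scanner's way without leaving user-writable locations unscanned.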

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,649
I'm a bit confused here... Windows/desktop AV software isn't going to be able to see/catch/prevent hostile Email attachments flowing through an Exchange server. And there shouldn't be that many software installs happening on the Exchange server. So... What problem are we trying to solve?


I'm generally averse to running AV on an Exchange server, as any of the activities that would cause one to encounter something they would catch should never be happening on a server anyhow. Direct access to any of our servers is stringently controlled (e.g. strictly forbidden). What I do use is a combination Spam and AV filter that sits between the SMTP receivers and the Exchange MB db that deletes or quarantines anything untoward as it comes in before it gets to Exchange. In the 3 years we've been running it I've never seen the AV FP yet.

x16wda

Basically - what Stoic said, with caveats.

If you're going to run A/V on Exchange you should exclude the items I listed above so you don't honk your Exchange. The reason you might run it would be to stop some infected box from hitting some vector that your server's attack surface allows, or to satisfy some regulatory or company requirement checkbox. But A/V on the Exchange server isn't going to check inside the emails.

The Exchange server isn't going to open an infected email or follow a link anywhere. Users do that. Whatever you have on the users' boxes should handle that, or better, you should have a filter ahead of Exchange, like Stoic said, that WILL check the emails. Even something like GFI MailEssentials isn't that dear, especially when you think about how much your recent experience cost to recover from.
vi vi vi - editor of the beast

questorfla

I seem to always not explain things in the proper context? We don't HOST an Exchange server. The issue is that all Outlook 365 email DOES go through Exchange Servers maintained by Outlook (Hosted Exchange). It is my understanding that they Do scan for and remove Malware (or at the least various malicious processes that are known and can be scanned for) as I can easily see in the headers of the emails that they were scanned and found to be clean.
(I presume if they are NOT clean, they are simply not allowed through? I never see a header saying "This email was found to be infected but MS decided to let it go through anyway in case you wanted to be infected by it." :huh:)

That being the case, my issue is simply that USERS (even Me) constantly find that they have a message at the bottom of their Outlook Screen saying "Unable to Contact MS Exchange Servers." No further explanation given. This message remains on the screen for up to two hours during which time it may flicker from trying to send to trying to receive to the Unable to connect message. At some random point in time, this will eventually solve itself, the server connects and all the email that has backed up for the duration of the Unable to connect time span will suddenly flow through. There is no information given as to why it stopped nor why it started back. No errors listed and it has nothing to do with internet connectivity.

I have proved to my own satisfaction that it is the Malware scanner that is blocking the Exchange interaction.  Turning it OFF immediately solves the problem.  And does so instantly and without fail.  Nothing else does anything to help but switching the Malware protection to OFF immediately solves the problem.

The reason for my questions is that I must find some way of keeping the protection ON but not blocking the email. It is that simple. While I would be very happy to know WHY, at this point it is a matter of everyone is turning their protection to OFF and leaving it there so that their email works. Just as odd are the random few people who do not seem to have this problem which rules out the issue being 100% the Exchange servers, the OS, the email program etc since they ARE all the same.

I have found a few people who mentioned that removing the Malicious Website protection module worked for them but I cannot get anyone at the software company to confirm that this is a good idea. And I can certainly see why. When I do find out what works for ME I also would be afraid to "recommend" the same for anyone else. It is sad that this is the world we live in but it is what it is. No one wants to risk being wrong. Better to let each one struggle with their own issues when it comes to things like Malware etc.

One man's Vaccine is another man's Plague.

Still, I had to ask.

Stoic (and others), sorry if my wording led you astray. We are way too small to host our own email. We used to but it is no longer practical. The only hosting we do are a small private web exchange and another small private SQL DB. The only Server OS in the House is Server 2008R2 for the SQL DB. All the problems are on Laptops connecting to the internet for Desktop installs of Outlook Exchange Email.

What I am looking for is Specifically what should I exclude from being scanned by Malwarebytes. Turn it OFF and the mail works, turn it ON and the mail gets flaky. This Off and On is on the Users (client) systems. I have no control over what Microsoft does at their end. I just would rather not have the users completely turning Malwarebytes OFF... Even half "on" is better than NO "on". I guess I can always just tinker with the options until I hit one that works for us.

Thanks for the list "x16wda" but I imagine that it would apply more to cases where someone was running an AV or Malware program on the "SERVER system" that hosts the Exchange Email, not on the Client side which is all I have to deal with :(

Ath

  • Supporting Member
  • Joined in 2006
  • Posts: 3,629
@questorfla:
Things I can't find in your messages:
- What 'malware scanner' product are you using? (aha! Malwarebytes, it's hidden in the sub-context of the second story/message) and why this product?
- Is that scanner running locally? (I seem to deduce it does)

questorfla

> What I am looking for is Specifically what should I exclude from being scanned by Malwarebytes.

:) I hate being BRAND specific when complaining but there it is.

Good Old MBAM. Been around forever and probably the number one Malware program worldwide.
Many people have posted on their forums the EXACT symptoms I posted. They each get blown off by one of the Moderators too after they have them run exhaustive scans with multiple no-name scanners and then proceed to tell them everything else that is wrong with their system, totally ignoring the fact that the User point blank explained to the techs that removing or disabling their product (Malwarebytes) solved the problem.
End of story.

My case is identical. There are several more exactly like my own and each got blown off with such poor attitude that it makes me want to dump the product line. They have JUST NOW renewed about 30 licenses and if I can get those refunded I am at the point where I would gladly do so.
They must have some competition who works just as well but has a better view toward supporting their customer base.

I am not usually so blunt but these forum techs spend more time looking for excuses as to why their products don't work than they do trying to solve the problems. Once they hook you on 'Auto-renew' you are stuck. This time the product is broken for more people than just me so I need to stop wasting time trying to fix their problems and find someone else with a product that works. No one stays #1 forever and MBAM has lost their edge IMHO!
« Last Edit: May 23, 2015, 10:19 AM by questorfla, Reason: spelling »

Ath

IMHO, products like MBAM should 'Just Work'. Like what you say.

You can give your opinion with your wallet: You either buy the product and use it 'as-is', or you uninstall it, and stop any payments (if/as soon as possible).
One good reason to stop using a product is when major failures don't get fixed. It probably isn't the right product for your situation.

But if Exchange 365 has its own anti-malware solution, why are you adding a local scan to your toolchain? A proper AV solution (free or paid, see the recent related discussions on this forum) should be able to block anything undesired?

Ath

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 3,629
    • View Profile
    • Donate to Member

Ath

> I hate being BRAND specific when complaining but there it is.

Hm, you are having issues with a specific product, so you can't ask a generic question, way too many possible solutions to even try to give a suggestion.

questorfla

ATH: Yes! You have it! Bought and paid for and I did all the "right things", checked with THEIR tech. Searched THEIR boards. Found other people with the exact same problems. And I DO mean "EXACT Same problems" and these people also found the "exact same solutions". The odds of this being a coincidence are just too high. I have never been a believer in "coincidence" when life is full of "cause and effect" situations. Some of them even posted that they could see where there are other posters with the same problems.

Sure, sports papers love to print the stories where some 80 yr old 'duffer' hits a 'hole-in-one' on a par 4 shot on his first swing of the day but there aren't courses where that happens to multiple aging golfers on the same hole in less than a year.

This is a real 'cause and effect' and MBAM refuses to say what part of their software has any effect on the way Exchange servers work. Because this loses them sales, I believe they either really don't know ... or ... they won't tell anyone due to proprietary methods. I have seen them get people to go off into private chats (on a couple of cases) and the people are probably sworn to secrecy after that. Maybe they have given them a free lifetime subscription. (now TRUE "paranoia" pokes out its head :) )
If it IS the active Malicious website detection (which most of us who found this problem have narrowed it down to) they won't tell anyone as they would not want to be telling any of their clients to "Turn Off" any of their protection.

I can also see this having to remain a well kept secret to avoid the information falling into the "wrong hands" and being used to create a work-around to avoid the very module that currently protects those it works for. That is why I said I don't really expect to get an answer because "This is the World we now live in".

But if I don't come up with something then we are buying $1000 every year worth of useless software. No one runs it because they can't depend on the mail being on time and reliable. In our business they "eat and breathe" email. They would go without Anything Else just to be able to have that one thing work.

Since all posters are essentially anonymous except for contacts through the board, there is no way I can ask Any of the other people if they ever solved their problems.   I can only try to connect to them "Through" the board and my posts to try to reach them are removed for "non compliance" with board rules.

About the only thing I got out of their "help" was finding out that an old Windows 7 system that I dug out of the scrap pile had some kind of "hacked" software on it. They never said what, just told me that was the end of their help. I guess that is nice to know except the laptop in question was a junker that is the only thing laying around I could just "play with". But when they start telling me to "turn off all antivirus protection and such and run a bunch of software tools I have never heard of"... I am sure not going to use anything I might need again later.

I guess a lot of people are more desperate than I am because a lot of them actually do it. I, on the other hand, spend 30 minutes or more researching the "tools" they want me to run (Run with my AV disabled etc.) to create these lists of "possible problems". I wasn't the only one who complained about that either. :mad:

Oh! And the option of NO Mal-ware scanner isn't a workable solution. They DO use the Internet a LOT and DO download and run apps. If I could get MBAM to NOT scan the email at all BUT work on everything else, that is exactly what I need to do. This is exactly what I asked for but cannot get a working reply.
If the people who get a "bug" do so from opening an attachment from some Lawyer in Nigeria telling them they need to collect their money...
Well, I can live with that and they deserve what they get.


« Last Edit: May 23, 2015, 10:16 AM by questorfla, Reason: spelling »

Ath

And the link I posted in reply #8, does that improve anything?

questorfla

Thanks for the quick response Ath. The answer is that this is what I have been doing but it isn't so easy with Exchange. If you have used Office 365 you may know what I mean. The actual Exchange servers that handle YOUR specific email are hard to pin down. There are ways of finding it but in tests I have run when connected to different ISPs I discovered that the servers are not always the same servers.
But my original efforts went exactly through the processes you mention. And YES, it does work .. to an extent. It depends on whether or not the servers you pass-through are the ones in use at that point in time.

Just like I found out (belatedly) that what you THOUGHT was your real email address isn't. It is more of an "alias" for some lengthy and weird "xxx.netorg.xxx@abunchof otherwords.net" or some similar.

(found that by accident too) While the email address as you type it does work, it isn't the one that is used to route the email. And even this varies depending on whether you own your own domain or are using the normal [email protected] etc.

Anyway, your link is the doorway to the solution. If you could figure out what parts of what to use there, I believe it could be done. The fact that the One Module that causes all the problems is the Active malicious website protection is just plain odd. So far I did the piece by piece method as you showed and as long as you get all the right ones in place, it does work.

I am totally amazed that the whole setup (IE: OUTLOOK EXCHANGE not MBAM) works as well as it does. It looks like something that has to be a 4th generation iteration of software that was written by computers, tested by other computers, and had multiple generations of improvements by even more computers. I am not sure a Human could actually follow the logic.

Yet, Work it does and at speeds that are hard to believe. Less than 15 seconds from hitting send on my end to hearing the "ding" on your smartphone (or whatever .. it doesn't seem to matter what you send from or what you receive on nor where in the World you are located.) Sure beats the Old POP/SMTP by Miles! We ran multiple tests trying to see if there was any combination that would NOT get that kind of performance but it all did!

Ath

> If you could figure out what parts of what to use there, I believe it could be done.

It looks like you need to use the "Add Process" button to exclude your local Outlook.exe (or whatever it may be called in Office 365) from being interfered with by MBAM. (I'm not using MBAM myself, and with this thread in mind I have no intention to...)

Stoic Joker

Is there any provision for wildcarding in the MBAM exclusions? Because if you could do a wildcard exception for *Outlook.com or 207.46.0.0/16 (the MS owned IP block that Outlook.com runs on) that should cover everything flowing between OL & Ex.

4wd

  • Supporting Member
  • Joined in 2006
  • Posts: 5,644
> Because if you could do a wildcard exception for *Outlook.com or 207.46.0.0/16 (the MS owned IP block that Outlook.com runs on) that should cover everything flowing between OL & Ex.
> -Stoic Joker (May 24, 2015, 07:16 AM)

You can exclude a domain, (eg. outlook.com), you can't exclude an IP with mask, (eg. x.x.x.x/24), single IPs only - so no wildcarding of any kind.

If you exclude a process, (eg. outlook.exe), then it doesn't matter what it tries to connect to, MBAM will allow it.

questorfla

Thanks 4wd (thought you were on vacation :)  )
Also thanks to others. What has really been a pain is that no one wants to "say" what to do. Not MS, not MBAM, not anyone. I suppose they all assume that the information could be used by "unfriendly parties". I am well aware that there is supposedly no need for scanning anything sent through exchange email due to all the .. "stated" extreme scanning the mail goes through on the server itself.
This is OK by me if true. I can't see where scanning could possibly speed up anything and the email transfer is priority one around here.
I won't swear to it but I think I had already tried to exclude outlook.exe but this still did not fix it. Because Outlook "re-sync" every 15 seconds, some service is running constantly and I assume that is what MBAM objects to. (why it stops it).
I admit, I have not done the most obvious thing which would be to run Process Explorer and see what process it is killing but I believe it is a "side-effect", not intentional, because there is never a reported issue, no malicious websites found, no nothing. Just a failure of the exchange servers to connect.

Disabling malicious website testing seems to solve the problem ..and not just for me. I found this "fix" after a heck of a lot of looking. It is just amazing how many people reported this exact same problem on the MBAM forums and got totally blown off. One excuse or another in some cases but in others they were simply ignored.

And I am sure that component does some good I just don't know what. Turning it off leaves you with a nagging reminder at the bottom of the screen but Outlook is happy.
Some days you just can't win. :(

4wd

> Thanks 4wd (thought you were on vacation :)  )

Working people have vacations, not being in employment the correct term is "go away"  ;D

> Because Outlook "re-sync" every 15 seconds, some service is running constantly and I assume that is what MBAM objects to.

Is anything reported in the MBAM logs?

I have MBAM but I disabled it long ago from any form of real-time monitoring since it was annoying the hell out of me, (as is the case with almost all AV/AM I've run).

questorfla

Nope. Checked the logs. I did find out their techs refuse to help people because this apparently is only noticed by businesses (those running Exchange server) and the Malwarebytes we bought and paid for was only Premier. The best they had (I thought) but they say it is Not for use in businesses. (This part is probably true, either way though, we paid for it so I would have thought they would be polite about it but apparently this (being polite) is not in great supply wherever they are located.)

They would rather toss you out of the "Forum" which is all the tech support you get. I am thinking about maybe SuperAntiSpyware but... It is so hard to tell these days what is real and what is a REAL piece of Junkware itself.
I did not even know they had a business version so I bought what I thought was the most expensive (and therefore the best) they had.

Premier probably IS the "BEST" for capabilities but the Business version must have a lot of "holes" in it to allow the Exchange Servers to keep linked. It is version 1.79 or so compared to the Premier being version 2.16 or thereabouts.

Like all that stuff from REASON SOFTWARE.  Is any of "IT" real?  I have tried all of them and some actually look decent but it is hard to get a "good feeling" about a company that gives away so much stuff.  How can they pay the bills?  And stay in business?

Stoic Joker

> I did find out their techs refuse to help people because this apparently is only noticed by businesses (those running Exchange server) and the Malwarebytes we bought and paid for was only Premier. The best they had (I thought) but they say it is Not for use in businesses.

O_o That's a hell of a hair to split. If I go to Hotmail.com, I get redirected to Outlook.com...(just like for the full blown hosted MS Exchange)...because that's where everything MS mail is sent these days. So given the behavior you've described it should be just as error prone when mom & pop home user X tries to access their Hotmail/Live/Outlook account.

I say set up a test using a straight-up-free-for-home-use Outlook account...and if/when that fails the same way, nail'em to the door with it.