Antivirus exclusions for Exchange Server

It is crucial to have the right Antivirus exclusions for Exchange Server 2013/2016/2019. Antivirus/Security will slow down the Exchange Server. Think about excluding the correct folders, processes, and extensions for Exchange Server. Yes, that is a bunch to exclude, but don’t you want the Exchange Server performing fast? In this article, you will learn which Antivirus exclusions need to be made on the Exchange Server.

Table of contents

Download Exchange Server Antivirus exclusions PowerShell script

Download the Set-ExchAVExclusions.ps1 PowerShell script from the official page (GitHub) that supports:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

Ensure the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Get Exchange Server Antivirus exclusions

Place the PowerShell script in path C:\scripts on the Exchange Server and not on any other server.

Run Exchange Management Shell as administrator and change the directory to the scripts folder.

[PS] C:\>cd C:\scripts\

Add the -ListRecommendedExclusions parameter to display the antivirus exclusions for Exchange Server on the screen without setting them.

[PS] C:\scripts>.\Set-ExchAVExclusions.ps1 -ListRecommendedExclusions

This is how it looks.

PowerShell script display

Add the -ListRecommendedExclusions and -FileName parameters to display the antivirus exclusions for Exchange Server on the screen without setting them and export them to a text file.

[PS] C:\scripts>.\Set-ExchAVExclusions.ps1 -ListRecommendedExclusions -FileName "C:\temp\Exclusions.txt"

Then browse to the C:\temp folder and find the Exclusions.txt generated file.

Antivirus exclusions for Exchange Server output txt file

Open the Exclusions.txt file and check the exclusions that must be made for the Exchange Server. The text file will have three sections:

  • Paths
  • Extensions
  • Processes
Antivirus exclusions for Exchange Server txt file

Set Exchange Server Antivirus exclusions (Windows Defender)

Exclude the paths of the directories, extensions, and the process that shows in the text file in the Antivirus/Security application.

Note: If you have a DAG configured, you should sign into the DAG witness server and exclude the DAG folder, as shown in the script output.

Suppose you have Windows Defender as your security product. You can run the script, and it will add the exclusions to Windows Defender.

[PS] C:\scripts>.\Set-ExchAVExclusions.ps1

The Exchange Server exclusions are successfully added in Windows Defender.

Antivirus exclusions for Exchange Server Windows Defender

Do you already have exclusions in Windows Defender, and do you want to remove all the exclusions? Read the article Clear Windows Defender Antivirus exclusions with PowerShell.

Verify Exchange Server exclusions

After adding the exclusions to the Antivirus/Security product, Check Exchange Antivirus exclusions are set correctly.

Conclusion

You learned about Antivirus exclusions for Exchange 2013/2016/2019. Remember to add the exclusions in the Antivirus/Security product. Do this after installing the Exchange Server and configuring the mailbox databases. Do you already have an Exchange Server installed in production? Configure the Antivirus exclusions right now.

Did you enjoy this article? You may also like Turn off Windows Defender in Windows 11 permanently. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

X TwitterLinkedIn

What Others Are Reading

This Post Has 8 Comments

  1. Hello and I appreciate your information.
    One question, I already ran the script for exchange 2019, and I already added the exclusions that it indicates, but I am having problems with the EDR SentinelOne, in the Autodiscover service, it suddenly stops responding and with testconnectivity.microsoft.com it indicates a problem with the autodiscover so the outlook client stops connecting, you will know what dependencies there are with that pool, so I suspect the issue is related to some dependency on C:\Windows, since that is how it works, you will have some idea about it

    thank you so much

    Greetings!!

    Reply

  2. I thought MDE for Windows was clever enough these days to understand the roles that are installed on a server and ignore/exclude by default?

    Reply

  3. These situations are associated with the windows defender side. If we are using a different EPP(KSC), is this still valid?

    Reply

    1. You should add the exclusions to your third-party security product that’s running on Exchange Server.

      The script will add the Exchange Server exclusions to Windows Defender exclusions (optionally). But that doesn’t apply to your environment.

      Reply

  4. hello, i disable WindowsDefender on my server and installed kaspersky for OS Antivirus…what should i do?
    do i remove the folders and tasks manualy?

    Reply

  5. Hello and thank you for this great article.

    I have windows server 2012 r2 (still) and exchange standard 2013 in DAG mode. I am using eset mail security on db servers. Can I follow the instructions and exclude safely files and dirs? Or this article it’s only for windows.defender?

    Thank you

    Reply

    1. Welcome, George.

      The Exchange Server antivirus exclusions are important to be excluded for every security product you have running on Exchange Server.

      You should add the exclusions to ESET Mail Security for Microsoft Exchange Server.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *