Skip to content

Check Exchange Antivirus exclusions

How to test that the Exchange Server exclusions are correctly excluded from the Antivirus? We already showed how to run a PowerShell script and get the Antivirus exclusions for Exchange Server 2013/2016/2019. The script runs on the Exchange Servers, and all the exclusions for Exchange Server will show up as a result in three text files. After that, you need to exclude it from the security product. This can be Microsoft Defender Antivirus or any third-party security product running on the Exchange Server.

What if you want to double-check that the Antivirus exclusions are set correctly? In this article, we will look at how to check the Exchange Antivirus exclusions with a PowerShell script.

Introduction

Most of the time that you set the Antivirus exclusions for Exchange Server, you don’t look back. But isn’t it better to double-check and verify that the exclusions are set correctly? Perhaps you don’t administer the security product and send the exclusions to the security team. How can you confirm that the team did exclude the correct exclusions?

Let’s look at the PowerShell script and check if the Antivirus exclusions on the Exchange Server are correctly set.

Test Exchange Antivirus exclusions PowerShell script

An excellent way to check if the Antivirus exclusions are configured correctly is with the Test-ExchAVExclusions.ps1 PowerShell script.

The Test-ExchAVExclusions.ps1 PowerShell script writes an EICAR test file to all paths that need to be excluded on the Exchange Server. Then, they should not be picked up by the security product. This can be the Microsoft Defender Antivirus or a third-party Antivirus product running on the Exchange Server.

There are two results after running the script:

  1. If the file is removed, then the path is not properly excluded from AV Scanning
  2. If the file is not removed, then it should be properly excluded

Once the script creates the EICAR files, it will wait 60 seconds for AV to “see” and remove the file.

Note: The EICAR Antivirus Test File or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO), to test the response of computer antivirus (AV) programs. Instead of using real malware, which could cause real damage, this test file allows people to test antivirus software without using an actual computer virus.

Download Test Exchange Antivirus exclusions PowerShell script

Download Test-ExchAVExclusions.ps1 PowerShell script from GitHub and place it on the Exchange Server C:\scripts folder. If you don’t have a scripts folder, create one.

Ensure that the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Check Exchange Antivirus exclusions scripts folder

Run Test Exchange Antivirus exclusions PowerShell script without exclusions set

Run Exchange Management Shell as administrator. Change the directory path to C:\scripts and run the script.

PS C:\> cd C:\scripts
PS C:\scripts> .\Test-ExchAVExclusions.ps1

The script will run for 60 seconds.

Check Exchange Antivirus exclusions running script

After the script is done running, it will show the results on the screen.

[2/7/2022 8:23:45 PM] - Creating EICAR Files
[2/7/2022 8:24:47 PM] - Testing for EICAR files
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\windows\cluster\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\program files\microsoft\exchange server\v15\clientaccess\oab\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\program files\microsoft\exchange server\v15\fip-fs\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\program files\microsoft\exchange server\v15\groupmetrics\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\program files\microsoft\exchange server\v15\logging\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\program files\microsoft\exchange server\v15\mailbox\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\program files\microsoft\exchange server\v15\transportroles\data\ipfilter\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\program files\microsoft\exchange server\v15\transportroles\data\queue\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\program files\microsoft\exchange server\v15\transportroles\data\temp\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\program files\microsoft\exchange server\v15\transportroles\logs\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\program files\microsoft\exchange server\v15\transportroles\pickup\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\program files\microsoft\exchange server\v15\transportroles\replay\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\program files\microsoft\exchange server\v15\working\oleconverter\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\windows\microsoft.net\framework64\v4.0.30319\temporary asp.net files\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: c:\windows\system32\inetsrv\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: e:\db01\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: f:\db01\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: g:\db02\eicar.com
[2/7/2022 8:24:47 PM] - [FAIL] - Possible AV Scanning: h:\db02\eicar.com
WARNING: Found 19 folders that are possibly being scanned!
WARNING: Review C:\Users\administrator.EXOIP\AppData\Local\BadFolders.txt For the full list.

Analyze Exchange Antivirus exclusion log files

The PowerShell script outputs two files in the AppData local path:

  • BadFolders.txt: List of folders scanned by Antivirus
  • ExchAvExclusions.log: Log file

Start File Explorer and go to the path:

%LOCALAPPDATA%
Check Exchange Antivirus exclusions output log

Open and analyze the ExchAvExclusions.log file.

Check Exchange Antivirus exclusions ExchAvExclusions

Open and analyze the BadFolders.txt file.

Exchange Antivirus exclusions BadFolders

Run Test Exchange Antivirus exclusions PowerShell script with exclusions set

Let’s rerun the Test-ExchAVExclusions.ps1 PowerShell script. But, this time with the Exchange Server Antivirus exclusions set.

PS C:\> cd C:\scripts
PS C:\scripts> .\Test-ExchAVExclusions.ps1

After scanning, it did show that Antivirus exclusions are set on the Exchange Server.

[2/7/2022 8:30:10 PM] - Creating EICAR Files
[2/7/2022 8:30:12 PM] - Testing for EICAR files
[2/7/2022 8:30:12 PM] - All EICAR files found; Exclusions appear to be set properly

Everything looks great!

Read more: Turn off Windows Defender in Windows 11 permanently »

Conclusion

You learned how to check the Exchange Server Antivirus exclusions. It’s good to double-check that the Antivirus exclusions are set on the Exchange Server. This can be Microsoft Defender Antivirus or a third-party antivirus product. You might find an exclusion that isn’t set correctly. Ensure that the Exchange Antivirus exclusions are set and rerun the script to test again.

Did you enjoy this article? You may also like Outlook issues due to Exchange Server AMSI integration. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 4 Comments

  1. Hi Ali Tajran

    Do you have any script to check domain controller antivirus exclusions like you did with Exchange server?

    Thanks in advanced

    Manuel

  2. Wow… you think you know some things about IT and Exchange and then find your web site and newsletter. I have used your web site and and tutorials to deploy Microsoft Exchange 2016 thru 2019. Your information is unbelievably accurate and spot on. Thank you so much for all that you do and publish!!

    We use Bitdefender GravityZone to protect Exchange Servers. After adding the exclusions, it passed the retest.

Leave a Reply

Your email address will not be published. Required fields are marked *