Windows Defender is enabled by default on Windows Server 2016. Because Exchange Server requires a number of exclusions from the virus scanner, these must also be configured in Windows Defender. The same applies to virus scanners from other vendors.
The following information can be found on the Exchange Team Blog:
Windows Defender is on by default in Windows Server 2016. Attention to malware settings is particularly important with Exchange to avoid long processing times during installation and upgrade, as well as unexpected performance issues. The Exchange team recommends the Exchange installation and setup log folders be excluded from scanning in Windows Defender and other Anti-Virus software. Exchange noderunner processes should also be excluded from Windows Defender.
Source: Exchange Team Blog
The exclusions for Exchange 2016 are documented here in Technet:
However, the list is long, so Exchange MVP Paul Cunningham has published a script that clearly sorts the folders, processes and file types into 3 files. You can download the script here:
Generate Antivirus Exclusions for Exchange 2013 and 2016 Servers
Determine virus scanner exclusions via script
After Paul's script has been run on the Exchange server from the Exchange Management Shell, the 3 files can be found in the script's folder:
The script itself only produces the message "Done" as output:
The 3 files now contain all exceptions for Exchange Server. Here are the file types as an example:
All exclusions (file types, paths and processes) must now be configured in the virus scanner. How this is done differs for each virus scanner. For Windows Defender it is simple:
Add exclusions to Windows Defender
As mentioned at the beginning, Windows Defender is enabled by default on Windows Server 2016. Because Windows Defender can be configured with PowerShell, setting up the exclusions is particularly quick. The following small script uses the 3 files from "Get-Exchange2016AVExclusions.ps1" and adds the exclusions:
# Read the three lists generated by Get-Exchange2016AVExclusions.ps1 (one entry per line).
# Note: Set-MpPreference replaces any exclusion list that is already configured;
# Add-MpPreference appends to the existing list instead.
[array]$ExcludeExtensions = (Import-Csv .\*extensions.txt -Header Extension).Extension
Set-MpPreference -ExclusionExtension $ExcludeExtensions

[array]$ExcludePaths = (Import-Csv .\*paths.txt -Header Paths).Paths
Set-MpPreference -ExclusionPath $ExcludePaths

[array]$ExcludeProcesses = (Import-Csv .\*procs.txt -Header Processes).Processes
Set-MpPreference -ExclusionProcess $ExcludeProcesses

# Show the resulting configuration for review
Write-Host "Excluded extensions: " -ForegroundColor Green
Get-MpPreference | fl ExclusionExtension
Write-Host "Excluded paths: " -ForegroundColor Green
Get-MpPreference | fl ExclusionPath
Write-Host "Excluded processes: " -ForegroundColor Green
Get-MpPreference | fl ExclusionProcess
The script can simply be saved as a .PS1 file in the same directory as "Get-Exchange2016AVExclusions.ps1" and then run as administrator:
Done. :-)
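Because every exclusion reduces what Windows Defender scans, it is worth checking afterwards that the configured exclusions are exactly the generated ones. The following audit script is an added example, not part of the original post or of Paul Cunningham's script; it assumes the 3 generated files are in the current directory under the same wildcard patterns used above, and the function name Compare-ExclusionList is made up for this example.

```powershell
# Added example: compare Defender's configured exclusions with the generated lists.
# Run elevated, otherwise Get-MpPreference does not show the exclusions.
function Compare-ExclusionList {
    param(
        [string]$Name,
        [string[]]$Expected,
        [string[]]$Configured
    )
    # Normalise both sides: trim, lower-case, strip a leading dot so that
    # 'log' and '.log' compare equal, and remove empty entries and duplicates.
    $normalise = {
        param($list)
        @($list | Where-Object { $_ } |
            ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } |
            Sort-Object -Unique)
    }
    $exp = & $normalise $Expected
    $cfg = & $normalise $Configured

    [pscustomobject]@{
        List       = $Name
        # In the generated file but not configured: Exchange is still being scanned there
        Missing    = @($exp | Where-Object { $cfg -notcontains $_ })
        # Configured but not in the generated file: exclusion nobody asked for, review it
        Unexpected = @($cfg | Where-Object { $exp -notcontains $_ })
    }
}

$mp = Get-MpPreference
$report = @(
    Compare-ExclusionList 'Extensions' (Import-Csv .\*extensions.txt -Header V).V $mp.ExclusionExtension
    Compare-ExclusionList 'Paths'      (Import-Csv .\*paths.txt -Header V).V      $mp.ExclusionPath
    Compare-ExclusionList 'Processes'  (Import-Csv .\*procs.txt -Header V).V      $mp.ExclusionProcess
)

foreach ($r in $report) {
    if ($r.Missing.Count -eq 0 -and $r.Unexpected.Count -eq 0) {
        Write-Host "$($r.List): matches the generated list" -ForegroundColor Green
        continue
    }
    foreach ($m in $r.Missing)    { Write-Host "$($r.List): missing    $m" -ForegroundColor Yellow }
    foreach ($u in $r.Unexpected) { Write-Host "$($r.List): unexpected $u" -ForegroundColor Red }
}
```

Entries reported as unexpected are exclusions that did not come from the generated files and should be reviewed before they are left in place.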