Script to Set Exchange Server Antivirus Exclusions for Windows Defender

Wednesday, June 30, 2021

Microsoft released the June 2021 Quarterly Exchange Updates which now includes Exchange Server AMSI integration. 

The Antimalware Scan Interface (AMSI) allows antivirus software, such as Windows Defender which is installed by default on Windows Server 2016 and Windows Server 2019, to dynamically scan for malware such as the web shells created by the HAFNIUM attack earlier this year. Here's the Microsoft announcement which includes links to Exchange Server 2019 CU 10 and Exchange Server 2016 CU 21:

Exchange Server AMSI Integration

As mentioned in our recent blog post, the June 2021 CUs include new Exchange Server integration with AMSI (Antimalware Scan Interface). AMSI exists in Windows Server 2016 and Windows Server 2019, and the new integration is available in Exchange 2016 and Exchange 2019 when running on either of those operating systems. For Exchange 2016, AMSI integration is available only when running on Windows Server 2016. It is not available for Exchange 2016 running on Windows Server 2012 or Windows Server 2012 R2.

AMSI integration in Exchange Server provides the ability for an AMSI-capable antivirus/antimalware solution to scan content in HTTP requests sent to Exchange Server and block a malicious request before it is handled by Exchange Server. The scan is performed in real-time by any AMSI-capable antivirus/antimalware solution that runs on the Exchange server as the server begins to process the request. This provides automatic mitigation and protection that compliments the existing antimalware protection in Exchange Server to help make your Exchange servers more secure.

Because we know that some of our customers modify the web.config file on their Exchange Server, we wanted to let you know that installation of the June 2021 CUs will add a new section in the web.config of every HTTP service under <Modules>. The entry will be called "HttpRequestFilteringModule" and it must be present for AMSI integration to work.

AMSI helps keep your Exchange servers protected from malware, but it's still imperative to set the antivirus exclusions for Exchange Server as per the article, Running Windows antivirus software on Exchange servers on Microsoft Docs. This is required to prevent anti-virus/anti-malware solutions from potentially corrupting the Exchange Server installation, worker processes, and databases. Trust me. I've seen this happen many times and it usually ends up with a complete server rebuild.

If you've ever looked at this document, it lists many folder, process, and file name extension exclusions. To ease this configuration for Windows Defender I created the following Set-ExchangeAntivirusExclusionsForDefender.ps1 PowerShell script. 

Please note this script only works for Windows Defender running on Windows Server 2016 or 2019. If you're running another antivirus or antimalware solution, you'll still need to configure these exclusions some other way.

Simply copy the text below to a Set-ExchangeAntivirusExclusionsForDefender.ps1 file on your Exchange server and run it from EMS.
#Sets Exchange 2016/2019 antivirus exclusions for Windows Defender
#Author: Jeff Guillet | MCSM | MVP, jguillet@expta.com
#Ref: https://docs.microsoft.com/en-us/Exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019

$m = Get-Module -ListAvailable Defender
if ($m -eq $null) {
Write-Host "Windows Defender is not installed on" (Get-WmiObject -class Win32_OperatingSystem).Caption
Exit
}

$ExchangeInstallPath = $Env:ExchangeInstallPath -replace ".$"

$excludedPaths = @( "$Env:SystemDrive\ExchangeSetupLogs", `
"$ExchangeInstallPath", `
"$Env:WinDir\SoftwareDistribution", `
"$Env:SystemRoot\Cluster", `
"$Env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files", `
"$Env:SystemRoot\System32\Inetsrv" ), `
"$Env:SystemDrive\inetpub\temp\IIS Temporary Compressed Files"

$excludedExtensions = @( "config", "chk", "edb", "jfm", "jrs", "log", "que", "dsc", "txt", "cfg", "grxml", "lzx" )

$excludedProcesses = @( "$ExchangeInstallPath\Bin\Search\Ceres\Runtime\1.0\noderunner.exe", `
"$ExchangeInstallPath\Bin\EdgeTransport.exe", `
"$ExchangeInstallPath\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe", `
"$ExchangeInstallPath\Bin\Microsoft.Exchange.Diagnostics.Service.exe", `
"$ExchangeInstallPath\Bin\Microsoft.Exchange.Directory.TopologyService.exe", `
"$ExchangeInstallPath\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe", `
"$ExchangeInstallPath\Bin\Microsoft.Exchange.EdgeCredentialSvc.exe", `
"$ExchangeInstallPath\Bin\Microsoft.Exchange.EdgeSyncSvc.exe", `
"$ExchangeInstallPath\Bin\Microsoft.Exchange.Notifications.Broker.exe", `
"$ExchangeInstallPath\Bin\Microsoft.Exchange.ProtectedServiceHost.exe", `
"$ExchangeInstallPath\Bin\Microsoft.Exchange.RPCClientAccess.Service.exe", `
"$ExchangeInstallPath\Bin\Microsoft.Exchange.Search.Service.exe", `
"$ExchangeInstallPath\Bin\Microsoft.Exchange.Servicehost.exe", `
"$ExchangeInstallPath\Bin\Microsoft.Exchange.Store.Service.exe", `
"$ExchangeInstallPath\Bin\Microsoft.Exchange.Store.Worker.exe", `
"$ExchangeInstallPath\Bin\MSExchangeCompliance.exe", `
"$ExchangeInstallPath\Bin\MSExchangeDagMgmt.exe", `
"$ExchangeInstallPath\Bin\MSExchangeDelivery.exe", `
"$ExchangeInstallPath\Bin\MSExchangeFrontendTransport.exe", `
"$ExchangeInstallPath\Bin\MSExchangeHMHost.exe", `
"$ExchangeInstallPath\Bin\MSExchangeHMWorker.exe", `
"$ExchangeInstallPath\Bin\MSExchangeMailboxAssistants.exe", `
"$ExchangeInstallPath\Bin\MSExchangeMailboxReplication.exe", `
"$ExchangeInstallPath\Bin\MSExchangeRepl.exe", `
"$ExchangeInstallPath\Bin\MSExchangeSubmission.exe", `
"$ExchangeInstallPath\Bin\MSExchangeTransport.exe", `
"$ExchangeInstallPath\Bin\MSExchangeTransportLogSearch.exe", `
"$ExchangeInstallPath\Bin\MSExchangeThrottling.exe", `
"$ExchangeInstallPath\Bin\OleConverter.exe", `
"$ExchangeInstallPath\Bin\UmService.exe", `
"$ExchangeInstallPath\Bin\UmWorkerProcess.exe", `
"$ExchangeInstallPath\Bin\wsbexchange.exe", `
"$ExchangeInstallPath\FIP-FS\Bin\fms.exe", `
"$ExchangeInstallPath\Bin\Search\Ceres\HostController\hostcontrollerservice.exe", `
"$ExchangeInstallPath\TransportRoles\agents\Hygiene\Microsoft.Exchange.ContentFilter.Wrapper.exe", `
"$ExchangeInstallPath\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe", `
"$ExchangeInstallPath\ClientAccess\PopImap\Microsoft.Exchange.Imap4service.exe", `
"$ExchangeInstallPath\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe", `
"$ExchangeInstallPath\ClientAccess\PopImap\Microsoft.Exchange.Pop3service.exe", `
"$ExchangeInstallPath\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe", `
"$ExchangeInstallPath\Bin\Search\Ceres\ParserServer\ParserServer.exe", `
"$ExchangeInstallPath\FIP-FS\Bin\ScanEngineTest.exe", `
"$ExchangeInstallPath\FIP-FS\Bin\ScanningProcess.exe", `
"$ExchangeInstallPath\FIP-FS\Bin\UpdateService.exe", `
"$Env:SystemRoot\System32\Dsamain.exe", `
"$Env:SystemRoot\System32\inetsrv\inetinfo.exe", `
"$Env:Systemroot\System32\WindowsPowerShell\v1.0\Powershell.exe", `
"$Env:SystemRoot\System32\inetsrv\W3wp.exe" )

$excludedPaths | ForEach {if (!(Test-Path -Path $_ )) {New-Item -ItemType Directory -Path $_ }; Add-MpPreference -ExclusionPath $_ }
$excludedExtensions | ForEach {Add-MpPreference -ExclusionExtension $_ }
$excludedProcesses | ForEach {Add-MpPreference -ExclusionProcess $_ }
Be sure to run this from all your Exchange servers including those used for hybrid and Edge Transport after installation. You do not need to run it again after CU installations, but it won't hurt anything if you do.

No comments:

Post a Comment

Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.