Script to Set Exchange Server Antivirus Exclusions for Windows Defender

Microsoft released the June 2021 Quarterly Exchange Updates which now includes Exchange Server AMSI integration. 

The Antimalware Scan Interface (AMSI) allows antivirus software, such as Windows Defender which is installed by default on Windows Server 2016 and Windows Server 2019, to dynamically scan for malware such as the web shells created by the HAFNIUM attack earlier this year. Here's the Microsoft announcement which includes links to Exchange Server 2019 CU 10 and Exchange Server 2016 CU 21:

Exchange Server AMSI Integration

As mentioned in our recent blog post, the June 2021 CUs include new Exchange Server integration with AMSI (Antimalware Scan Interface). AMSI exists in Windows Server 2016 and Windows Server 2019, and the new integration is available in Exchange 2016 and Exchange 2019 when running on either of those operating systems. For Exchange 2016, AMSI integration is available only when running on Windows Server 2016. It is not available for Exchange 2016 running on Windows Server 2012 or Windows Server 2012 R2.

AMSI integration in Exchange Server provides the ability for an AMSI-capable antivirus/antimalware solution to scan content in HTTP requests sent to Exchange Server and block a malicious request before it is handled by Exchange Server. The scan is performed in real-time by any AMSI-capable antivirus/antimalware solution that runs on the Exchange server as the server begins to process the request. This provides automatic mitigation and protection that compliments the existing antimalware protection in Exchange Server to help make your Exchange servers more secure.

Because we know that some of our customers modify the web.config file on their Exchange Server, we wanted to let you know that installation of the June 2021 CUs will add a new section in the web.config of every HTTP service under <Modules>. The entry will be called "HttpRequestFilteringModule" and it must be present for AMSI integration to work.

AMSI helps keep your Exchange servers protected from malware, but it's still imperative to set the antivirus exclusions for Exchange Server as per the article, Running Windows antivirus software on Exchange servers on Microsoft Docs. This is required to prevent anti-virus/anti-malware solutions from potentially corrupting the Exchange Server installation, worker processes, and databases. Trust me. I've seen this happen many times and it usually ends up with a complete server rebuild.

If you've ever looked at this document, it lists many folder, process, and file name extension exclusions. To ease this configuration for Windows Defender I created the following Set-ExchangeAntivirusExclusionsForDefender.ps1 PowerShell script. 

Please note this script only works for Windows Defender running on Windows Server 2016 or 2019. If you're running another antivirus or antimalware solution, you'll still need to configure these exclusions some other way.

Simply copy the text below to a Set-ExchangeAntivirusExclusionsForDefender.ps1 file on your Exchange server and run it from EMS.

#Sets Exchange 2016/2019 antivirus exclusions for Windows Defender

#Author: Jeff Guillet | MCSM | MVP, jguillet@expta.com

#Ref: https://docs.microsoft.com/en-us/Exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019

$m = Get-Module -ListAvailable Defender

if ($m -eq $null) {

Write-Host "Windows Defender is not installed on" (Get-WmiObject -class Win32_OperatingSystem).Caption

Exit

}

$ExchangeInstallPath = $Env:ExchangeInstallPath -replace ".$"

$excludedPaths = @( "$Env:SystemDrive\ExchangeSetupLogs", `

"$ExchangeInstallPath", `

"$Env:WinDir\SoftwareDistribution", `

"$Env:SystemRoot\Cluster", `

"$Env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files", `

"$Env:SystemRoot\System32\Inetsrv" ), `

"$Env:SystemDrive\inetpub\temp\IIS Temporary Compressed Files"

$excludedExtensions = @( "config", "chk", "edb", "jfm", "jrs", "log", "que", "dsc", "txt", "cfg", "grxml", "lzx" )

$excludedProcesses = @( "$ExchangeInstallPath\Bin\Search\Ceres\Runtime\1.0\noderunner.exe", `

"$ExchangeInstallPath\Bin\EdgeTransport.exe", `

"$ExchangeInstallPath\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe", `

"$ExchangeInstallPath\Bin\Microsoft.Exchange.Diagnostics.Service.exe", `

"$ExchangeInstallPath\Bin\Microsoft.Exchange.Directory.TopologyService.exe", `

"$ExchangeInstallPath\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe", `

"$ExchangeInstallPath\Bin\Microsoft.Exchange.EdgeCredentialSvc.exe", `

"$ExchangeInstallPath\Bin\Microsoft.Exchange.EdgeSyncSvc.exe", `

"$ExchangeInstallPath\Bin\Microsoft.Exchange.Notifications.Broker.exe", `

"$ExchangeInstallPath\Bin\Microsoft.Exchange.ProtectedServiceHost.exe", `

"$ExchangeInstallPath\Bin\Microsoft.Exchange.RPCClientAccess.Service.exe", `

"$ExchangeInstallPath\Bin\Microsoft.Exchange.Search.Service.exe", `

"$ExchangeInstallPath\Bin\Microsoft.Exchange.Servicehost.exe", `

"$ExchangeInstallPath\Bin\Microsoft.Exchange.Store.Service.exe", `

"$ExchangeInstallPath\Bin\Microsoft.Exchange.Store.Worker.exe", `

"$ExchangeInstallPath\Bin\MSExchangeCompliance.exe", `

"$ExchangeInstallPath\Bin\MSExchangeDagMgmt.exe", `

"$ExchangeInstallPath\Bin\MSExchangeDelivery.exe", `

"$ExchangeInstallPath\Bin\MSExchangeFrontendTransport.exe", `

"$ExchangeInstallPath\Bin\MSExchangeHMHost.exe", `

"$ExchangeInstallPath\Bin\MSExchangeHMWorker.exe", `

"$ExchangeInstallPath\Bin\MSExchangeMailboxAssistants.exe", `

"$ExchangeInstallPath\Bin\MSExchangeMailboxReplication.exe", `

"$ExchangeInstallPath\Bin\MSExchangeRepl.exe", `

"$ExchangeInstallPath\Bin\MSExchangeSubmission.exe", `

"$ExchangeInstallPath\Bin\MSExchangeTransport.exe", `

"$ExchangeInstallPath\Bin\MSExchangeTransportLogSearch.exe", `

"$ExchangeInstallPath\Bin\MSExchangeThrottling.exe", `

"$ExchangeInstallPath\Bin\OleConverter.exe", `

"$ExchangeInstallPath\Bin\UmService.exe", `

"$ExchangeInstallPath\Bin\UmWorkerProcess.exe", `

"$ExchangeInstallPath\Bin\wsbexchange.exe", `

"$ExchangeInstallPath\FIP-FS\Bin\fms.exe", `

"$ExchangeInstallPath\Bin\Search\Ceres\HostController\hostcontrollerservice.exe", `

"$ExchangeInstallPath\TransportRoles\agents\Hygiene\Microsoft.Exchange.ContentFilter.Wrapper.exe", `

"$ExchangeInstallPath\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe", `

"$ExchangeInstallPath\ClientAccess\PopImap\Microsoft.Exchange.Imap4service.exe", `

"$ExchangeInstallPath\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe", `

"$ExchangeInstallPath\ClientAccess\PopImap\Microsoft.Exchange.Pop3service.exe", `

"$ExchangeInstallPath\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe", `

"$ExchangeInstallPath\Bin\Search\Ceres\ParserServer\ParserServer.exe", `

"$ExchangeInstallPath\FIP-FS\Bin\ScanEngineTest.exe", `

"$ExchangeInstallPath\FIP-FS\Bin\ScanningProcess.exe", `

"$ExchangeInstallPath\FIP-FS\Bin\UpdateService.exe", `

"$Env:SystemRoot\System32\Dsamain.exe", `

"$Env:SystemRoot\System32\inetsrv\inetinfo.exe", `

"$Env:Systemroot\System32\WindowsPowerShell\v1.0\Powershell.exe", `

"$Env:SystemRoot\System32\inetsrv\W3wp.exe" )

$excludedPaths | ForEach {if (!(Test-Path -Path $_ )) {New-Item -ItemType Directory -Path $_ }; Add-MpPreference -ExclusionPath $_ }

$excludedExtensions | ForEach {Add-MpPreference -ExclusionExtension $_ }

$excludedProcesses | ForEach {Add-MpPreference -ExclusionProcess $_ }

Be sure to run this from all your Exchange servers including those used for hybrid and Edge Transport after installation. You do not need to run it again after CU installations, but it won't hurt anything if you do.

Read more ...

How to Self-Elevate a PowerShell Script

Update: I updated the code below so it works correctly when there are spaces in the path or script name. Thanks to Pat Richard for performance and deprecation improvements.

Most of the scripts I write require elevation -- they must be run from an elevated PowerShell prompt because they make changes to Windows that require Administrator access. The following code snippet will self-elevate a PowerShell script with this added to the beginning of the script. I honestly can't remember where I found the original code, but I updated it to work with Windows 10 and Windows Server 2016 and later build numbers.

Of course, you should ALWAYS confirm that your script is running properly before allowing it to self-elevate. I take no responsibility for the scripts that run using this code.

# Self-elevate the script if required
if (-Not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
if ([int](Get-CimInstance -Class Win32_OperatingSystem | Select-Object -ExpandProperty BuildNumber) -ge 6000) {
$CommandLine = "-File `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments
Start-Process -FilePath PowerShell.exe -Verb Runas -ArgumentList $CommandLine
Exit
}
}

Simply add this snippet at the beginning of a script that requires elevation to run properly. It works by starting a new elevated PowerShell window and then re-executes the script in this new window, if necessary. If User Account Control (UAC) is enabled, you will get a UAC prompt. If the script is already running in an elevated PowerShell session or UAC is disabled, the script will run normally. This code also allows you to right-click the script in File Explorer and select "Run with PowerShell".

Here's how it works:

• The first line checks to see if the script is already running in an elevated environment. This would occur if PowerShell is running as Administrator or UAC is disabled. If it is, the script will continue to run normally in that process.

• The second line checks to see if the Windows operating system build number is 6000 (Windows Vista) or greater. Earlier builds did not support Run As elevation.

• The third line retrieves the command line used to run the original script, including any arguments.

• Finally, the fourth line starts a new elevated PowerShell process where the script runs again. Once the script terminates, the elevated PowerShell window closes.

Pretty slick!

Read more ...

EXPTA Gen6 Home Lab Server Survey Results

I started providing parts lists and instructions for home lab server builds back in 2009. Since then, I've updated my Windows Hyper-V lab server five times - beginning with an AMD-based 16GB server with traditional hard drives to my Gen5 server with an Intel-based 32GB with SSDs for blistering fast performance and high capacity.

I've been asked to update my server build again with the latest hardware, and some have asked for a build with more RAM so they can host more VMs on the same server. That led me to create an EXPTA Gen 6 Lab Server Survey to find out what's most important to you, my readers. As you can imagine, there are competing desires. For example, more RAM translates to higher cost. Here are the results of the survey:

EXPTA Lab Server Survey Results

These survey results show that most respondents are looking to build their first lab server, but most do not need step-by-step instructions and screen shots to build it.

It's almost a tie between those who want a lower price server (~$1,000 USD) and those who want a higher RAM server that can host more VMs (~$1,700 USD). Noise and speed were also important criteria. A common comment from those in the low price camp was that it's easier to justify a $1K purchase to the family.

Almost everyone wants an Intel-based server. It's neck and neck between a lower priced Intel Core i5 4-core 32GB system and a super-fast Intel Core i7 6-core 64GB system. Somewhat surprisingly, only 11% of respondents are interested in a true server-class Intel Xeon E5 64GB system.

In the coming days, I plan to put together new Gen6 server builds. That's right, builds. Plural. Each build will use the best hardware for that solution. The focus will be on reliability and speed in each segment. All builds will use the same storage configuration - SSDs for the OS and running VMs, and a single high capacity hard drive for mass storage of ISOs and base images. This provides insanely fast speed and keeps the noise level to a minimum.

Stay tuned...

Read more ...