Last active
October 4, 2022 14:38
-
-
Save fluggelgleckheimlen/1730e3b60623fd091b595b978f52462d to your computer and use it in GitHub Desktop.
Recommended exclusions for SCEP antivirus on Exchange servers
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| ; Recommended exclusions for Windows antivirus programs on Exchange servers: | |
| ; https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions] | |
| "config"=dword:00000000 | |
| "chk"=dword:00000000 | |
| "edb"=dword:00000000 | |
| "jfm"=dword:00000000 | |
| "jrs"=dword:00000000 | |
| "log"=dword:00000000 | |
| "que"=dword:00000000 | |
| "dsc"=dword:00000000 | |
| "txt"=dword:00000000 | |
| "cfg"=dword:00000000 | |
| "grxml"=dword:00000000 | |
| "lzx"=dword:00000000 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths] | |
| "%SystemRoot%\\Cluster"=dword:00000000 | |
| "%ExchangeInstallPath%ClientAccess\\OAB"=dword:00000000 | |
| "%ExchangeInstallPath%FIP-FS"=dword:00000000 | |
| "%ExchangeInstallPath%GroupMetrics"=dword:00000000 | |
| "%ExchangeInstallPath%Logging"=dword:00000000 | |
| "%ExchangeInstallPath%Mailbox"=dword:00000000 | |
| "%ExchangeInstallPath%TransportRoles\\Data\\Queue"=dword:00000000 | |
| "%ExchangeInstallPath%TransportRoles\\Data\\SenderReputation"=dword:00000000 | |
| "%ExchangeInstallPath%TransportRoles\\Data\\Temp"=dword:00000000 | |
| "%ExchangeInstallPath%TransportRoles\\Logs"=dword:00000000 | |
| "%ExchangeInstallPath%TransportRoles\\Pickup"=dword:00000000 | |
| "%SystemDrive%\\DAGFileShareWitnesses\\*"=dword:00000000 | |
| "%ExchangeInstallPath%TransportRoles\\Data\\Adam"=dword:00000000 | |
| "%ExchangeInstallPath%TransportRoles\\Data\\IpFilter"=dword:00000000 | |
| "%ExchangeInstallPath%TransportRoles\\Replay"=dword:00000000 | |
| "%ExchangeInstallPath%UnifiedMessaging\\Grammars"=dword:00000000 | |
| "%ExchangeInstallPath%UnifiedMessaging\\Prompts"=dword:00000000 | |
| "%ExchangeInstallPath%UnifiedMessaging\\Temp"=dword:00000000 | |
| "%ExchangeInstallPath%UnifiedMessaging\\Voicemail"=dword:00000000 | |
| "%ExchangeInstallPath%Working\\OleConverter"=dword:00000000 | |
| "%SystemDrive%\\inetpub\\temp\\IIS Temporary Compressed Files"=dword:00000000 | |
| "%SystemRoot%\\Microsoft.NET\\Framework64\\v4.0.30319\\Temporary ASP.NET Files"=dword:00000000 | |
| "%SystemRoot%\\System32\\Inetsrv"=dword:00000000 | |
| "%SystemRoot%\\Temp\\OICE_*"=dword:00000000 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes] | |
| "%ExchangeInstallPath%Bin\\ComplianceAuditService.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\EdgeTransport.exe"=dword:00000000 | |
| "%ExchangeInstallPath%FIP-FS\\Bin\\fms.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Search\\Ceres\\HostController\\hostcontrollerservice.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Microsoft.Exchange.AntispamUpdateSvc.exe"=dword:00000000 | |
| "%ExchangeInstallPath%TransportRoles\\agents\\Hygiene\\Microsoft.Exchange.ContentFilter.Wrapper.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Microsoft.Exchange.Diagnostics.Service.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Microsoft.Exchange.Directory.TopologyService.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Microsoft.Exchange.EdgeCredentialSvc.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Microsoft.Exchange.EdgeSyncSvc.exe"=dword:00000000 | |
| "%ExchangeInstallPath%FrontEnd\\PopImap\\Microsoft.Exchange.Imap4.exe"=dword:00000000 | |
| "%ExchangeInstallPath%ClientAccess\\PopImap\\Microsoft.Exchange.Imap4service.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Microsoft.Exchange.Notifications.Broker.exe"=dword:00000000 | |
| "%ExchangeInstallPath%FrontEnd\\PopImap\\Microsoft.Exchange.Pop3.exe"=dword:00000000 | |
| "%ExchangeInstallPath%ClientAccess\\PopImap\\Microsoft.Exchange.Pop3service.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Microsoft.Exchange.ProtectedServiceHost.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Microsoft.Exchange.RPCClientAccess.Service.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Microsoft.Exchange.Search.Service.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Microsoft.Exchange.Servicehost.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Microsoft.Exchange.Store.Service.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Microsoft.Exchange.Store.Worker.exe"=dword:00000000 | |
| "%ExchangeInstallPath%FrontEnd\\CallRouter\\Microsoft.Exchange.UM.CallRouter.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\MSExchangeCompliance.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\MSExchangeDagMgmt.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\MSExchangeDelivery.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\MSExchangeFrontendTransport.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\MSExchangeHMHost.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\MSExchangeHMWorker.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\MSExchangeMailboxAssistants.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\MSExchangeMailboxReplication.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\MSExchangeRepl.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\MSExchangeSubmission.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\MSExchangeTransport.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\MSExchangeTransportLogSearch.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\MSExchangeThrottling.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Search\\Ceres\\Runtime\\1.0\\Noderunner.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\OleConverter.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\Search\\Ceres\\ParserServer\\ParserServer.exe"=dword:00000000 | |
| "%ExchangeInstallPath%FIP-FS\\Bin\\ScanEngineTest.exe"=dword:00000000 | |
| "%ExchangeInstallPath%FIP-FS\\Bin\\ScanningProcess.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\UmService.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\UmWorkerProcess.exe"=dword:00000000 | |
| "%ExchangeInstallPath%FIP-FS\\Bin\\UpdateService.exe"=dword:00000000 | |
| "%ExchangeInstallPath%Bin\\wsbexchange.exe"=dword:00000000 | |
| "%SystemRoot%\\System32\\Dsamain.exe"=dword:00000000 | |
| "%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\Powershell.exe"=dword:00000000 | |
| "%SystemRoot%\\System32\\inetsrv\\inetinfo.exe"=dword:00000000 | |
| "%SystemRoot%\\System32\\inetsrv\\W3wp.exe"=dword:00000000 |
В последних рекомендациях убрали IIS из исключений:
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Тоже неидеальный вариант после CVE-2021-27065, но хотя бы в соответствии с рекомендациями из доки:
Там ещё были такие пути:
C:\inetpub\wwwroot\aspnet_client\aspnet_client.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\DAFWiProv.aspx
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa\fd2d54b6\3f9056bc\App_Web_athhanvu.dll