
Test-ExchAVExclusions

Download the latest release: Test-ExchAVExclusions.ps1

Assists with testing Exchange Servers to determine if AV Exclusions have been properly set according to our documentation.

AV Exclusions Exchange 2016/2019

AV Exclusions Exchange 2013

Usage

The script writes an EICAR test file to every path specified in our AV Exclusions documentation, and tests every extension listed in the documentation inside a temporary folder.

If the file is removed, then the path is not properly excluded from AV scanning. If the file is not removed, then it should be properly excluded.

Once the files are created it will wait 5 minutes for AV to "see" and remove the file.

After it finishes testing directories, the script tests Exchange processes: it pulls all Exchange processes and their loaded modules, excludes known modules, and reports all Non-Default modules.

Non-Default modules should be reviewed to ensure they are expected. AV Modules loaded into Exchange Processes indicate that AV Process Exclusions are NOT properly configured.

... .\Test-ExchAVExclusions.ps1 ...

Understanding the Output

File Output

Review the BadExclusions.txt file to see whether any file paths were identified as being scanned by AV. Work with the AV vendor to determine the best way to exclude these file paths according to our documentation:

AV Exclusions Exchange 2016/2019

Process Output

Review NonDefaultModules.txt to determine if any Non-Default modules are loaded into Exchange processes. The output should have sufficient information to identify the source of the flagged modules.

[FAIL] - PROCESS: ExchangeTransport MODULE: scanner.dll COMPANY: Contoso Security LTT.

If the Module is from an AV or Security software vendor it is a strong indication that process exclusions are not properly configured on the Exchange server. Please work with the vendor to ensure that they are properly configured according to:

AV Exclusions Exchange 2016/2019

AV Exclusions Update
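
A triage helper for the [FAIL] lines, as an added example that is not part of the script or its documentation: it groups flagged modules by vendor so each product's process-exclusion gap shows up as one row. The regex assumes the layout of the single sample line above; the other sample lines and the process name ExampleWorker are constructed.

```powershell
# Added example: summarize [FAIL] lines from the NonDefaultModules output by vendor.
# Assumption: every finding follows the layout of the one sample line in the docs.
$pattern = '^\[FAIL\] - PROCESS: (?<Process>\S+) MODULE: (?<Module>\S+) COMPANY: (?<Company>.*)$'

# Constructed sample input. On a server, replace with:
#   $lines = Get-Content -Path <path to the NonDefaultModules file>
$lines = @(
    '[FAIL] - PROCESS: ExchangeTransport MODULE: scanner.dll COMPANY: Contoso Security LTT.'
    '[FAIL] - PROCESS: ExampleWorker MODULE: scanner.dll COMPANY: Contoso Security LTT.'
    '[FAIL] - PROCESS: ExampleWorker MODULE: helper.dll COMPANY: '
    'a line that does not follow the layout'
)

$findings = foreach ($line in $lines) {
    if ($line -match $pattern) {
        # A module with no company name still needs review, so keep it visible.
        $company = $Matches['Company'].Trim()
        if (-not $company) { $company = '(no company name)' }
        [pscustomobject]@{
            Process = $Matches['Process']
            Module  = $Matches['Module']
            Company = $company
        }
    } elseif ($line.Trim()) {
        # Surface anything the pattern missed instead of silently dropping it.
        Write-Warning "Unparsed line: $line"
    }
}

# One row per vendor and module, listing every process the module is loaded into.
$findings |
    Group-Object -Property Company, Module |
    ForEach-Object {
        [pscustomobject]@{
            Company   = $_.Group[0].Company
            Module    = $_.Group[0].Module
            Processes = ($_.Group.Process | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object -Property Company, Module |
    Format-Table -AutoSize
```

A module that appears in several Exchange processes under one vendor points at a single missing process exclusion in that product rather than several separate problems.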

Parameters

| Parameter | Description |
| --- | --- |
| WaitingTimeForAVAnalysisInMinutes | Set the waiting time for AV to analyze the EICAR files. Default is 5 minutes. |
| Recurse | Places an EICAR file in all SubFolders as well as the root. |
| SkipVersionCheck | Skip script version verification. |
| ScriptUpdateOnly | Just update script version to latest one. |

Outputs

Log file: $PSScriptRoot\Test-ExchAvExclusions-#DateTime#.txt

List of Folders, extensions Scanned by AV and List of Non-Default Processes: $PSScriptRoot\BadExclusions-#DateTime#.txt