
Configuring Trend OfficeScan for Exchange Server

There are lots of articles on configuring Trend OfficeScan on an Exchange Server. They should all be based on the definitive article at http://technet.microsoft.com/en-us/library/bb332342(v=exchg.141).aspx, which covers the exclusions needed, but there is one thing I have found is typically missing from the configuration.

If you use mount points to map the Exchange database disks to the server, then you need to configure OfficeScan to avoid scanning the \Device\ path. This covers all mount points and is needed in addition to the above exclusions such as C:\Program Files\Microsoft\Exchange Server etc. The path \Device\ is needed and not the longer \Device\HardDiskVolume1\ as it is not always possible to know what number will be used.

At my current client there are 10 mount points into C:\ExchangeDatabases, and on some servers this is seen by Trend OfficeScan as \Device\HardDiskVolume1\ through \Device\HardDiskVolume10\ but on other servers this is seen as every even number between \Device\HardDiskVolume30\ and \Device\HardDiskVolume48\. So rather than exclude every individual path from \Device\HardDiskVolume1\ to \Device\HardDiskVolume48\ we tested \Device\ and found that it does the same. Adding \Device\ does not include volumes that are mapped to drive letters, so if I had a virus in C:\Users\administrator\Desktop then it would still get picked up.

Finally, and here is a tip I recommend: go to www.eicar.com and get the string that you can use to create a test virus. Create this "virus" and place it in folders that should be excluded from scanning. The test virus should not be deleted, quarantined, etc. Now you know that your Exchange Server databases, logs, etc. are not being scanned as well, and it's a great way to prove that the scan configuration that you, the Exchange administrator, requested from the security team is actually correct and working.
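
The EICAR check described above can be scripted so it is repeatable on every server. The following PowerShell is an added example, not part of the original post: it drops the test file into each folder that should be excluded and into one control folder on a drive-letter path that should still be scanned, then reports whether each file survived. The folder paths, the wait time and the function name `Test-EicarSurvives` are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post). Folder paths and wait time are assumptions.
param(
    [string[]]$ExcludedFolders = @('C:\ExchangeDatabases\DB01'),  # hypothetical mount point folder
    [string]$ControlFolder = "$env:USERPROFILE\Desktop",           # drive-letter path, should be scanned
    [int]$WaitSeconds = 30                                         # time allowed for the scanner to react
)

# EICAR standard test string, built from two halves so this script file is not itself detected.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-' + 'STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Test-EicarSurvives {
    param([string]$Folder, [string]$Content, [int]$Wait)
    # A missing folder must not be mistaken for "file was removed by the scanner".
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "Folder not found: $Folder"
    }
    $file = Join-Path $Folder ('eicar-test-{0}.com' -f [guid]::NewGuid().ToString('N'))
    try {
        # WriteAllText adds no trailing newline, so the file is exactly the 68-byte test string.
        [System.IO.File]::WriteAllText($file, $Content, [System.Text.Encoding]::ASCII)
        Start-Sleep -Seconds $Wait
        # Reading the file back triggers on-access scanning and confirms the content is intact.
        $survived = (Test-Path -LiteralPath $file) -and
                    ([System.IO.File]::ReadAllText($file) -eq $Content)
    } catch {
        $survived = $false   # write or read was blocked by the scanner
    }
    if (Test-Path -LiteralPath $file) {
        Remove-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue
    }
    return $survived
}

# Excluded folders pass when the file survives; the control folder passes when it does not.
$results = @(foreach ($folder in $ExcludedFolders) {
    [pscustomobject]@{ Folder = $folder; Expect = 'survives'
                       Pass = (Test-EicarSurvives $folder $eicar $WaitSeconds) }
})
$results += [pscustomobject]@{ Folder = $ControlFolder; Expect = 'removed'
                               Pass = -not (Test-EicarSurvives $ControlFolder $eicar $WaitSeconds) }

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

A failed control row means the exclusion is broader than intended, or real-time scanning is not running on that server at all.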
