Last Updated: February 2025
Overview
Running antivirus software on Microsoft Exchange servers requires careful configuration to maintain optimal mail flow performance and prevent service disruptions. Incorrect antivirus configuration can cause severe Exchange issues including mail flow delays, database corruption, and potential data loss.
This guide provides comprehensive exclusion recommendations for CrowdStrike Falcon when protecting Exchange Server 2016, 2019, and Subscription Edition, based on Microsoft’s official Windows antivirus software guidance for Exchange servers.
⚠️ Critical Security Notice: While these exclusions optimize Exchange performance and prevent operational conflicts, they reduce CrowdStrike's security coverage. The biggest problem without them is that an antivirus program might lock or quarantine an open log or database file that Exchange needs to modify, which can dismount databases and cause data loss. Microsoft's Exchange-specific exclusion guidance takes precedence over generic antivirus vendor guidance because of how Exchange uses its database and log files.
Common Issues Without Proper Exclusions
Without appropriate exclusions, you may experience:
- Database files locked or quarantined during active use
- Mail flow disruptions and queue buildup
- Database dismount or corruption
- Transport service failures
- DAG replication issues
- Client connectivity problems
- Search index corruption
- Performance degradation under load
- Backup and restore failures
- Edge synchronization problems
- Unified Messaging service interruptions (Exchange 2016)
- Content conversion failures
Important Considerations
Windows Antivirus Limitations on Exchange
Windows antivirus programs on Exchange servers cannot replace email-based antispam and antimalware solutions because:
- They can’t detect viruses distributed only through email
- They don’t scan message content in transit
- They can’t perform spam filtering
- They don’t integrate with Exchange’s transport pipeline
Antivirus Scanning Types
- Memory-resident/Real-time scanning: Monitors all files and processes in active memory
- File-level scanning: Checks files on disk manually or on schedule
- Process scanning: Scans running processes (can adversely affect Exchange)
Prerequisites
- CrowdStrike Falcon administrative access
- Access to the Falcon Console: https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (varies by tenant)
- Exchange Server installation paths documented
- Exchange Management Shell access
- Understanding of your Exchange topology (standalone, DAG, hybrid)
- List of all Exchange server roles deployed
Step 1: Access CrowdStrike Falcon Console
- Open your browser and navigate to your Falcon Console:
- Primary: https://falcon.crowdstrike.com
- US-2: https://falcon.us-2.crowdstrike.com/
- (Contact your CrowdStrike administrator if unsure of your tenant location)
- Sign in using your admin credentials
- Navigate to Endpoint Security > Configure > Exclusions
- Choose the exclusion type deliberately. Falcon has three: Machine Learning exclusions stop ML-based detection and prevention for matching files while the sensor keeps recording their activity; Sensor Visibility exclusions stop the sensor from monitoring the matching paths at all, so nothing there produces detections or telemetry; IOA exclusions suppress specific behavioral detections. Start with Machine Learning exclusions for the folders below, reserve Sensor Visibility exclusions for paths that still cause file locks or unacceptable load afterwards, and scope every exclusion to a host group that contains only the Exchange servers.
- Enter resolved paths, not variables: Falcon exclusion patterns are matched as globs against the literal path, so expand %ExchangeInstallPath%, %SystemRoot% and %SystemDrive% (Step 2) before entering them.
Step 2: Identify Exchange Installation Paths
Before configuring exclusions, identify your Exchange paths:
Default values:
%ExchangeInstallPath% = C:\Program Files\Microsoft\Exchange Server\V15\ (includes trailing "\")
%SystemRoot% = C:\Windows (no trailing "\")
%SystemDrive% = C: (no trailing "\")
To verify actual paths, open the Exchange Management Shell and run:
# Get Exchange installation path
$env:ExchangeInstallPath
# Get mailbox database locations
Get-MailboxDatabase -Server <ServerName> | Format-List Name,EdbFilePath,LogFolderPath
# Get transport service paths
Get-TransportService <ServerName> | Format-List *Path*
Step 3: Configure Folder Exclusions
Database Availability Group (DAG) Exclusions
On Mailbox servers:
%SystemRoot%\Cluster\*
On DAG witness servers:
%SystemDrive%\DAGFileShareWitnesses\<DAGFQDN>\*
To find the witness directory:
Get-DatabaseAvailabilityGroup <DAGName> | Format-List *Witness*
Mailbox Database Exclusions
Critical – Must be excluded:
%ExchangeInstallPath%Mailbox\*
This includes all database files (.edb), transaction logs (.log), and checkpoint files (.chk).
To find actual database paths:
Get-MailboxDatabase -Server <ServerName> | Format-List EdbFilePath,LogFolderPath
Client Access Exclusions
%ExchangeInstallPath%ClientAccess\OAB\*
Content Scanning Exclusions
%ExchangeInstallPath%FIP-FS\*
Group Metrics Exclusions
%ExchangeInstallPath%GroupMetrics\*
Exchange Logging Exclusions
%ExchangeInstallPath%Logging\*
To find specific log paths:
Get-MailboxServer -Identity <ServerName> | Format-List *LogPath*
Get-PopSettings <ServerName> | Format-List LogFileLocation
Get-ImapSettings <ServerName> | Format-List LogFileLocation
Transport Service Exclusions
On Mailbox servers:
%ExchangeInstallPath%TransportRoles\Data\Queue\*
%ExchangeInstallPath%TransportRoles\Data\SenderReputation\*
%ExchangeInstallPath%TransportRoles\Data\Temp\*
%ExchangeInstallPath%TransportRoles\Logs\*
%ExchangeInstallPath%TransportRoles\Pickup\*
%ExchangeInstallPath%TransportRoles\Replay\*
On Edge Transport servers (additional):
%ExchangeInstallPath%TransportRoles\Data\Adam\*
%ExchangeInstallPath%TransportRoles\Data\IpFilter\*
To find actual transport paths:
Get-TransportService <ServerName> | Format-List *LogPath,*TracingPath,PickupDirectoryPath,ReplayDirectoryPath
Get-FrontEndTransportService <ServerName> | Format-List *LogPath
Get-MailboxTransportService <ServerName> | Format-List *LogPath,*TracingPath
Unified Messaging Exclusions (Exchange 2016 only)
%ExchangeInstallPath%UnifiedMessaging\Grammars\*
%ExchangeInstallPath%UnifiedMessaging\Prompts\*
%ExchangeInstallPath%UnifiedMessaging\Temp\*
%ExchangeInstallPath%UnifiedMessaging\Voicemail\*
Note: Unified Messaging is not available in Exchange 2019 or later.
Content Conversion Exclusions
%ExchangeInstallPath%Working\OleConverter\*
IIS Temporary Files
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files\*
Exchange Search Temporary Files
%SystemRoot%\Temp\OICE_*
Step 4: Configure Process Exclusions
Add the following Exchange processes to CrowdStrike process exclusions:
Core Exchange Processes
ComplianceAuditService.exe
EdgeTransport.exe
fms.exe
hostcontrollerservice.exe
inetinfo.exe
Microsoft.Exchange.AntispamUpdateSvc.exe
Microsoft.Exchange.ContentFilter.Wrapper.exe
Microsoft.Exchange.Diagnostics.Service.exe
Microsoft.Exchange.Directory.TopologyService.exe
Microsoft.Exchange.EdgeCredentialSvc.exe
Microsoft.Exchange.EdgeSyncSvc.exe
Microsoft.Exchange.Imap4.exe
Microsoft.Exchange.Imap4service.exe
Microsoft.Exchange.Notifications.Broker.exe
Microsoft.Exchange.Pop3.exe
Microsoft.Exchange.Pop3service.exe
Microsoft.Exchange.ProtectedServiceHost.exe
Microsoft.Exchange.RPCClientAccess.Service.exe
Microsoft.Exchange.Search.Service.exe
Microsoft.Exchange.Servicehost.exe
Microsoft.Exchange.Store.Service.exe
Microsoft.Exchange.Store.Worker.exe
MSExchangeCompliance.exe
MSExchangeDagMgmt.exe
MSExchangeDelivery.exe
MSExchangeFrontendTransport.exe
MSExchangeHMHost.exe
MSExchangeHMWorker.exe
MSExchangeMailboxAssistants.exe
MSExchangeMailboxReplication.exe
MSExchangeRepl.exe
MSExchangeSubmission.exe
MSExchangeTransport.exe
MSExchangeTransportLogSearch.exe
MSExchangeThrottling.exe
Noderunner.exe
OleConverter.exe
ParserServer.exe
ScanEngineTest.exe
ScanningProcess.exe
UpdateService.exe
wsbexchange.exe
Unified Messaging Processes (Exchange 2016 only)
Microsoft.Exchange.UM.CallRouter.exe
UmService.exe
UmWorkerProcess.exe
Edge Transport Server Processes
Dsamain.exe
Important: Enter each process as its full path. Most of these binaries live in %ExchangeInstallPath%Bin, but not all of them do (for example, inetinfo.exe is in %SystemRoot%\System32\inetsrv and fms.exe is in %ExchangeInstallPath%FIP-FS\Bin), so locate each executable on the server before adding it. Processes that are not present on a given role (the Unified Messaging and Edge Transport binaries on a Mailbox server, for instance) should not be added there.
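The following script is an added example for Steps 2 to 4; it is not from Microsoft's guidance or from CrowdStrike. Run it in the Exchange Management Shell on each Exchange server. It expands the variable-style folder list to the literal paths on that server, adds the real database, log and transport directories (which are frequently moved off the defaults), resolves every process name in Step 4 to its full path by indexing the Exchange install tree and the two System32 locations Exchange uses, and writes a list that can be pasted into the Falcon console. It assumes Falcon treats a trailing `\**` as "this folder and everything below it"; confirm the wildcard semantics against your tenant's documentation before use.

```powershell
# Added example (not Microsoft's or CrowdStrike's code): resolve the Step 3/4
# exclusions to literal paths on THIS server. Exchange Management Shell only.
# Assumption: Falcon folder globs use '\**' for recursive matching.

$installPath = $env:ExchangeInstallPath            # includes trailing '\'
if (-not $installPath) { throw 'ExchangeInstallPath not set; use the Exchange Management Shell.' }
$server = $env:COMPUTERNAME

# Folder exclusions from Step 3; role-specific folders are kept only if present.
$relativeFolders = @(
    'Mailbox', 'ClientAccess\OAB', 'FIP-FS', 'GroupMetrics', 'Logging',
    'TransportRoles\Data\Queue', 'TransportRoles\Data\SenderReputation',
    'TransportRoles\Data\Temp', 'TransportRoles\Logs', 'TransportRoles\Pickup',
    'TransportRoles\Replay', 'TransportRoles\Data\Adam', 'TransportRoles\Data\IpFilter',
    'UnifiedMessaging\Grammars', 'UnifiedMessaging\Prompts',
    'UnifiedMessaging\Temp', 'UnifiedMessaging\Voicemail', 'Working\OleConverter'
)
$folders = New-Object System.Collections.Generic.List[string]
foreach ($f in $relativeFolders) { $folders.Add((Join-Path $installPath $f)) }
$folders.Add("$env:SystemRoot\Cluster")
$folders.Add("$env:SystemDrive\inetpub\temp\IIS Temporary Compressed Files")

# Databases and transport directories are often relocated; take the real
# locations from Exchange instead of trusting the defaults. Edge Transport
# servers have no mailbox databases, hence SilentlyContinue.
foreach ($db in Get-MailboxDatabase -Server $server -ErrorAction SilentlyContinue) {
    $folders.Add((Split-Path ([string]$db.EdbFilePath) -Parent))
    $folders.Add([string]$db.LogFolderPath)
}
$ts = Get-TransportService $server
foreach ($p in 'PickupDirectoryPath', 'ReplayDirectoryPath', 'MessageTrackingLogPath',
               'ConnectivityLogPath', 'ReceiveProtocolLogPath', 'SendProtocolLogPath') {
    if ($ts.$p) { $folders.Add([string]$ts.$p) }
}

# Process exclusions from Step 4. Index every .exe under the Exchange tree plus
# System32 and System32\inetsrv, then resolve each name to a full path.
$processNames = @(
    'ComplianceAuditService.exe', 'EdgeTransport.exe', 'fms.exe', 'hostcontrollerservice.exe',
    'inetinfo.exe', 'Microsoft.Exchange.AntispamUpdateSvc.exe',
    'Microsoft.Exchange.ContentFilter.Wrapper.exe', 'Microsoft.Exchange.Diagnostics.Service.exe',
    'Microsoft.Exchange.Directory.TopologyService.exe', 'Microsoft.Exchange.EdgeCredentialSvc.exe',
    'Microsoft.Exchange.EdgeSyncSvc.exe', 'Microsoft.Exchange.Imap4.exe',
    'Microsoft.Exchange.Imap4service.exe', 'Microsoft.Exchange.Notifications.Broker.exe',
    'Microsoft.Exchange.Pop3.exe', 'Microsoft.Exchange.Pop3service.exe',
    'Microsoft.Exchange.ProtectedServiceHost.exe', 'Microsoft.Exchange.RPCClientAccess.Service.exe',
    'Microsoft.Exchange.Search.Service.exe', 'Microsoft.Exchange.Servicehost.exe',
    'Microsoft.Exchange.Store.Service.exe', 'Microsoft.Exchange.Store.Worker.exe',
    'MSExchangeCompliance.exe', 'MSExchangeDagMgmt.exe', 'MSExchangeDelivery.exe',
    'MSExchangeFrontendTransport.exe', 'MSExchangeHMHost.exe', 'MSExchangeHMWorker.exe',
    'MSExchangeMailboxAssistants.exe', 'MSExchangeMailboxReplication.exe', 'MSExchangeRepl.exe',
    'MSExchangeSubmission.exe', 'MSExchangeTransport.exe', 'MSExchangeTransportLogSearch.exe',
    'MSExchangeThrottling.exe', 'Noderunner.exe', 'OleConverter.exe', 'ParserServer.exe',
    'ScanEngineTest.exe', 'ScanningProcess.exe', 'UpdateService.exe', 'wsbexchange.exe',
    'Microsoft.Exchange.UM.CallRouter.exe', 'UmService.exe', 'UmWorkerProcess.exe', 'Dsamain.exe'
)
$index = @{}
$exeFiles = @(Get-ChildItem -Path $installPath -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path "$env:SystemRoot\System32", "$env:SystemRoot\System32\inetsrv" -Filter *.exe -File -ErrorAction SilentlyContinue)
foreach ($exe in $exeFiles) {
    $key = $exe.Name.ToLowerInvariant()
    if (-not $index.ContainsKey($key)) { $index[$key] = $exe.FullName }
}
$processPaths = @(); $notFound = @()
foreach ($name in $processNames) {
    $key = $name.ToLowerInvariant()
    if ($index.ContainsKey($key)) { $processPaths += $index[$key] } else { $notFound += $name }
}

# Emit the console-ready list: only folders that exist, one glob per line.
$unique  = $folders | Sort-Object -Unique
$present = $unique | Where-Object { Test-Path -LiteralPath $_ }
$absent  = $unique | Where-Object { -not (Test-Path -LiteralPath $_) }
$out = @("# Folder exclusions resolved on $server") +
       @($present | ForEach-Object { $_.TrimEnd('\') + '\**' }) +
       @('', "# Process exclusions resolved on $server") + $processPaths +
       @('', '# Not present on this server (role-specific; do not add):') + $absent + $notFound
$out | Set-Content -Path "$env:TEMP\falcon-exchange-exclusions-$server.txt" -Encoding UTF8
$out
```

Run it once per server and compare the outputs: a path that appears on one DAG member but not another usually means a database copy or log folder was placed differently and needs its own exclusion on that member.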
Step 5: Configure File Extension Exclusions
Add the following file extensions to global exclusions:
Application-related Extensions
.config
Database-related Extensions
.chk
.edb
.jfm
.jrs
.log
.que
Group Metrics Extensions
.dsc
.txt (in GroupMetrics folder only)
Unified Messaging Extensions (Exchange 2016)
.cfg
.grxml
Offline Address Book Extensions
.lzx
Step 6: Server Role-Specific Configuration
Mailbox Servers
Apply all exclusions listed above except Edge Transport specific paths.
Edge Transport Servers
Focus on:
- Transport service exclusions
- AD LDS exclusions
- Connection filtering exclusions
- Basic Exchange processes
Hybrid Deployments
For servers in hybrid configurations:
- Apply all on-premises exclusions
- Consider Azure AD Connect paths if co-located
- Exclude hybrid configuration wizard logs
Step 7: Apply and Test Exclusions
- Save Configuration: Click Save in the CrowdStrike Console
- Policy Propagation: Allow 5-10 minutes for policies to propagate
- Verification Steps (the mount/dismount test takes the database offline, so run it only in a maintenance window or against a test database; on a DAG, use a passive copy's database in a lab rather than a production active copy):
# Test database mount/dismount
Dismount-Database -Identity "DatabaseName" -Confirm:$false
Mount-Database -Identity "DatabaseName"
# Check transport queues
Get-Queue
# Verify services
Get-Service MSExchange* | Select Name, Status
# Test mail flow
Test-Mailflow
- Performance Testing:
- Send test emails through the system
- Monitor queue lengths
- Check database latency
- Verify client connectivity
- Test backup operations
- DAG Testing (if applicable):
- Test database failover
- Verify replication health
- Check copy and replay queue lengths
Step 8: Configure for High Availability
Database Availability Groups (DAGs)
- Primary Exclusions:
- All database and log paths
- Cluster directories
- Witness directories
- Replication Monitoring:
Get-MailboxDatabaseCopyStatus * | Format-Table Name,Status,CopyQueueLength,ReplayQueueLength
- Replication Paths:
- DAG replication copies and replays logs into the same database and log folders on every passive copy, so the database and log exclusions must be present on every DAG member, not only on the server hosting the active copy
- Account for the extra I/O of sensor scanning during reseeds and log replay, when these folders receive their heaviest writes
Load Balanced Environments
- Apply identical exclusions across all servers
- Test failover scenarios
- Verify client access continuity
Security Best Practices
Compensating Controls for Exchange
- Email Security Gateway:
- Deploy dedicated email security solution
- Enable Exchange Online Protection (EOP) if hybrid
- Configure anti-spam and anti-malware policies
- Transport Rules:
- Implement mail flow rules for security
- Block dangerous attachments
- Configure DLP policies
- Authentication Security:
- Enforce multi-factor authentication
- Implement certificate-based authentication
- Disable basic authentication
- Network Security:
- Properly configure firewalls
- Use Exchange hybrid secure mail flow
- Enable TLS for all connections
- Monitoring and Alerting:
- Enable Exchange audit logging
- Monitor excluded directories with SIEM
- Set up performance counter alerts
- Track failed login attempts
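Monitoring excluded directories needs something other than the sensor, since a Sensor Visibility exclusion leaves no telemetry for those paths. The script below is an added example of one compensating control; it is not part of the original guidance or CrowdStrike's tooling. It sets a SACL on each excluded folder so that Windows audits successful file creation and writes there, and then filters Security event 4663 down to script and executable files, which is what a web shell or dropper would leave behind in a path the sensor no longer watches (ClientAccess\OAB is served by IIS through the OAB virtual directory, so it is the one to worry about most). The folder list is illustrative; substitute your resolved exclusion list. Run elevated on the Exchange server.

```powershell
# Added example (not Microsoft's or CrowdStrike's code): audit writes of
# script/executable files in folders the sensor has been told to ignore.
# Assumption: the folders below stand in for your own resolved exclusions.

$installPath = $env:ExchangeInstallPath
$auditedFolders = @(
    (Join-Path $installPath 'ClientAccess\OAB'),       # served by IIS: the highest-value drop location
    (Join-Path $installPath 'TransportRoles\Pickup'),  # legitimately receives .eml, hence the extension filter
    (Join-Path $installPath 'TransportRoles\Replay'),
    (Join-Path $installPath 'Working\OleConverter')
)
# Extensions that have no business being written to these folders
$riskyExtensions = '\.(aspx?|ashx|asmx|dll|exe|ps1|bat|cmd|vbs|js|hta)$'

function Enable-FolderWriteAudit {
    param([Parameter(Mandatory)][string]$Folder)
    if (-not (Test-Path -LiteralPath $Folder)) { return $false }
    $acl  = Get-Acl -LiteralPath $Folder -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl
    return $true
}

function Get-RiskyWritesInExcludedFolders {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # 4663 carries SubjectUserName, SubjectDomainName, ObjectName, ProcessName, AccessMask
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $target = $data['ObjectName']
        if (-not $target -or $target -notmatch $riskyExtensions) { continue }
        $inScope = $auditedFolders | Where-Object { $target.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
        if ($inScope) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                File    = $target
                Process = $data['ProcessName']
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            }
        }
    }
}

# Both pieces are required: the audit policy (Object Access > File System,
# addressed by GUID so it works on localized systems) and the per-folder SACL.
auditpol.exe /set /subcategory:"{0CCE921D-69AE-11D9-BED3-505054503030}" /success:enable | Out-Null
foreach ($f in $auditedFolders) {
    if (Enable-FolderWriteAudit -Folder $f) { "Auditing writes under $f" }
}
# Review locally, or forward event 4663 to the SIEM and alert on the same filter there
Get-RiskyWritesInExcludedFolders -Since (Get-Date).AddHours(-24) | Format-Table -AutoSize
```

Keep the audited set to folders that should never receive script files; auditing the database or transport queue folders would generate far more 4663 events than a SIEM can usefully absorb.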
Risk Assessment Matrix
Component | Performance Impact if Scanned | Security Risk if Excluded | Recommendation |
---|---|---|---|
Database files (.edb) | Critical – Service failure | Medium | Required exclusion |
Transaction logs (.log) | Critical – Data loss risk | Medium | Required exclusion |
Transport queue | High – Mail flow delays | Low-Medium | Required exclusion |
IIS temp files | Medium | Low | Recommended |
Process executables | High | High | Use carefully |
Content conversion | High | Medium | Required exclusion |
Search indexes | Medium | Low | Recommended |
Troubleshooting
Common Issues and Solutions
- Database fails to mount:
- Verify all .edb, .log, and .chk files are excluded
- Check for locked files using Process Explorer
- Review Application event log
- Mail stuck in queues:
- Confirm transport folders are excluded
- Check EdgeTransport.exe process exclusion
- Review transport logs
- Search not returning results:
- Verify search service exclusions
- Check NodeRunner.exe process exclusion
- Rebuild search index if needed
- DAG replication lagging:
- Confirm all database paths excluded on all nodes
- Check cluster directory exclusions
- Verify network latency
- Performance degradation:
- Review exclusion syntax: the pattern must match the literal resolved path, with a wildcard that covers subfolders
- Confirm each exclusion was created as the intended type (Machine Learning vs Sensor Visibility) and is assigned to the host group the Exchange servers belong to
- Check CrowdStrike sensor CPU usage against the baseline taken before the change
Diagnostic Commands
# Check database status
Get-MailboxDatabase -Status | Format-Table Name,Mounted,DatabaseSize
# Monitor queue health
Get-Queue | Where {$_.MessageCount -gt 100}
# Check replication health (DAG)
Test-ReplicationHealth
# Review service health
Test-ServiceHealth
# Check for failed deliveries in the last hour
Get-MessageTrackingLog -Server <ServerName> -Start (Get-Date).AddHours(-1) -EventId FAIL -ResultSize 100
# Monitor disk I/O
Get-Counter "\LogicalDisk(*)\Avg. Disk Queue Length"
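The verification commands in Step 7 and the diagnostic commands above are most useful when their results can be compared against a baseline taken before the exclusions were applied. The function below is an added example that gathers them into one object for that purpose; it is not from the original guidance or from CrowdStrike. It assumes the Falcon sensor process is named CSFalconService (used only for the CPU reading, which is skipped if the counter is unavailable). Run it in the Exchange Management Shell.

```powershell
# Added example (not Microsoft's or CrowdStrike's code): snapshot the Step 7 and
# Troubleshooting checks as one object so before/after runs can be compared.
# Assumption: the Falcon sensor process is named CSFalconService.

function Get-ExchangeAvHealthSnapshot {
    param(
        [string]$Server = $env:COMPUTERNAME,
        [int]$QueueWarnThreshold = 100,
        [datetime]$EventsSince = (Get-Date).AddHours(-1)
    )

    # Automatic-start Exchange services that are not running (CIM works on older hosts too)
    $stopped = @(Get-CimInstance Win32_Service -Filter "Name LIKE 'MSExchange%' AND StartMode='Auto' AND State<>'Running'" |
        Select-Object -ExpandProperty Name)

    # Queues above threshold, with the last transport error for each
    $busyQueues = @(Get-Queue -Server $Server |
        Where-Object { $_.MessageCount -gt $QueueWarnThreshold } |
        Select-Object Identity, MessageCount, Status, LastError)

    # Databases hosted here that are not mounted (Edge Transport servers return none)
    $dismounted = @(Get-MailboxDatabase -Server $Server -Status -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Mounted } | Select-Object -ExpandProperty Name)

    # DAG copy health; a lock on a log file shows up as a growing replay queue
    $copies = @()
    $mbx = Get-MailboxServer -Identity $Server -ErrorAction SilentlyContinue
    if ($mbx -and $mbx.DatabaseAvailabilityGroup) {
        $copies = @(Get-MailboxDatabaseCopyStatus -Server $Server |
            Select-Object Name, Status, CopyQueueLength, ReplayQueueLength)
    }

    # ESE (the database engine) critical/error events since the cut-over; a
    # quarantined or locked .edb/.log file surfaces here as an I/O error
    $eseErrors = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Application'; ProviderName = 'ESE'; Level = 1, 2; StartTime = $EventsSince
        } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message)

    # Sensor CPU as a quick signal that the exclusions are taking effect
    $sensorCpu = $null
    try {
        $sample = Get-Counter '\Process(CSFalconService)\% Processor Time' -ErrorAction Stop
        $sensorCpu = [math]::Round($sample.CounterSamples[0].CookedValue, 1)
    } catch { }

    $unhealthyCopies = @($copies | Where-Object { $_.Status -notin 'Mounted', 'Healthy' })
    [pscustomobject]@{
        Server              = $Server
        Taken               = Get-Date
        StoppedServices     = $stopped
        BusyQueues          = $busyQueues
        DismountedDatabases = $dismounted
        DatabaseCopies      = $copies
        EseErrors           = $eseErrors
        SensorCpuPercent    = $sensorCpu
        Healthy             = ($stopped.Count -eq 0 -and $busyQueues.Count -eq 0 -and
                               $dismounted.Count -eq 0 -and $eseErrors.Count -eq 0 -and
                               $unhealthyCopies.Count -eq 0)
    }
}

# Usage: take a baseline, apply the exclusions, wait for policy propagation, compare.
$baseline = Get-ExchangeAvHealthSnapshot
$baseline | Export-Clixml "$env:TEMP\exchange-health-baseline.xml"
# ... apply the Falcon exclusions and allow them to propagate (Step 7) ...
$after = Get-ExchangeAvHealthSnapshot -EventsSince $baseline.Taken
Compare-Object -ReferenceObject $baseline.BusyQueues -DifferenceObject $after.BusyQueues -Property Identity, MessageCount
$after
```

Keep the baseline file with the change record; when a later sensor or Exchange update changes behaviour, a fresh snapshot against the stored baseline shows whether an exclusion has stopped matching.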
Maintenance and Review
Regular Tasks
- Weekly: Review queue statistics and mail flow
- Monthly: Check exclusion effectiveness
- Quarterly: Audit exclusion list
- After Updates:
- Exchange cumulative updates
- CrowdStrike sensor updates
- Windows updates
- Certificate renewals
Documentation Requirements
Maintain records of:
- All configured exclusions with justification
- Performance baseline metrics
- Service level agreements (SLAs)
- Incident history
- Change management records
- Risk acceptance documentation
Special Considerations
Third-Party Software Interactions
Warning: Using third-party security software on Exchange servers might introduce unexpected behaviors even when following this guidance. Remote scanning can also contribute to file locks that interfere with Exchange functionality.
When troubleshooting issues, Microsoft might recommend temporarily disabling or uninstalling such software to confirm baseline Exchange behavior.
Exchange Online Protection Integration
For hybrid deployments:
- Leverage EOP for email scanning
- Configure connector security
- Use centralized mail flow if possible
- Consider Directory Based Edge Blocking (DBEB)
Backup Software Considerations
- Exclude backup staging directories
- Coordinate backup schedules with scans
- Use VSS-aware backup solutions
- Test restore procedures regularly
Additional Resources
- Microsoft: Running Windows antivirus software on Exchange servers
- Exchange Server build numbers and release dates
- CrowdStrike Falcon Documentation
- Exchange Server Prerequisites
Disclaimer
⚠️ Security Warning: Implementing these exclusions reduces CrowdStrike Falcon's ability to detect and prevent threats in excluded locations. This creates potential security vulnerabilities that could be exploited by malicious actors.
Organizations must:
- Deploy dedicated email security solutions
- Implement comprehensive compensating controls
- Maintain detailed audit trails
- Perform regular security assessments
- Obtain formal risk acceptance from stakeholders
- Consider the unique security requirements of email systems
These exclusions are based on Microsoft’s recommendations for Exchange Server 2016, 2019, and Subscription Edition. Your environment may require additional exclusions. Always test thoroughly in a non-production environment before implementing in production. Remember that Windows antivirus on Exchange servers cannot replace dedicated email security solutions.
Last reviewed: February 2025
Applies to: Exchange Server 2016, 2019, Subscription Edition, CrowdStrike Falcon