Merge pull request #1761 from microsoft/matt-testavupdate
updated language around finding modules.
bill-long committed Jul 18, 2023
2 parents 3534c83 + a8fabaf commit 6a0fb40
Showing 2 changed files with 39 additions and 12 deletions.
20 changes: 12 additions & 8 deletions Diagnostics/AVTester/Test-ExchAVExclusions.ps1
Expand Up @@ -11,7 +11,7 @@
.SYNOPSIS
Uses EICAR files to verify that all Exchange paths that should be excluded from AV scanning are excluded.
Checks Exchange processes for "unknown" modules being loaded into them.
Checks Exchange processes for Non-Default modules being loaded into them.
.DESCRIPTION
Writes an EICAR test file https://en.wikipedia.org/wiki/EICAR_test_file to all paths specified by
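Review bot: style point on the new synopsis line: "Non-Default" is capitalized mid-sentence here and in every other added line of this patch, while the surrounding help text writes "known" and "unexpected" in lower case; pick one form (plain "non-default" reads better in comment-based help) and use it consistently in the .ps1 and the .md.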
Expand All @@ -25,7 +25,10 @@ IF the file is not removed then it should be properly excluded.
Once the files are created it will wait 300 seconds for AV to "see" and remove the file.
Pulls all Exchange processes and their modules.
Excludes known modules and reports all unknown modules.
Excludes known modules and reports all Non-Default modules.
Non-Default modules should be reviewed to ensure they are expected.
AV Modules loaded into Exchange Processes may indicate that AV Process Exclusions are NOT properly configured.
.PARAMETER Recurse
Will test not just the root folders but all SubFolders.
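Review bot: "Excludes known modules and reports all Non-Default modules." leaves "known" undefined, and the code later in this file defines it as modules whose FileVersionInfo.CompanyName is Microsoft plus the entries in $ModuleAllowList. Say that here so an admin reading Get-Help understands why a non-AV vendor DLL still lands in the report, e.g. "Excludes modules whose CompanyName is Microsoft and modules on the built-in allow list; everything else is reported as Non-Default."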
Expand All @@ -38,8 +41,8 @@ $env:LOCALAPPDATA\ExchAvExclusions.log
List of Scanned Folders:
$env:LOCALAPPDATA\BadExclusions.txt
List of Unknown Processes
$env:LOCALAPPDATA UnknownModules.txt
List of Non-Default Processes
$env:LOCALAPPDATA NonDefaultModules.txt
.EXAMPLE
.\Test-ExchAVExclusions.ps1
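Review bot: the renamed path line `$env:LOCALAPPDATA NonDefaultModules.txt` keeps the space from the old line instead of the backslash used in `$env:LOCALAPPDATA\ExchAvExclusions.log` and `$env:LOCALAPPDATA\BadExclusions.txt` just above; since this commit touches the line anyway, write `$env:LOCALAPPDATA\NonDefaultModules.txt`, which is also what the .md in this same commit shows. The heading "List of Non-Default Processes" mislabels the file as well: it lists modules, so "List of Non-Default Modules" matches the file name.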
Expand Down Expand Up @@ -371,8 +374,8 @@ foreach ($process in $ServerProcess) {
# Remove Microsoft modules
$ProcessModules = $ProcessModules | Where-Object { $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation." -and $_.FileVersionInfo.CompanyName -ne "Microsoft" -and $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation" }

# Generate and output path for an unknown modules file:
$OutputProcessPath = Join-Path $env:LOCALAPPDATA UnknownModules.txt
# Generate and output path for an Non-Default modules file:
$OutputProcessPath = Join-Path $env:LOCALAPPDATA NonDefaultModules.txt

# Clear out modules from the allow list
foreach ($module in $ModuleAllowList) {
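Review bot: typo in the renamed comment, "an Non-Default modules file" should be "a Non-Default modules file". Worth a code comment while this hunk is open, because it is where a module becomes "default": the filter on `$_.FileVersionInfo.CompanyName` trusts version-resource metadata that the module's author controls, so any DLL that stamps CompanyName as "Microsoft Corporation" is dropped before the allow list is ever consulted. For a report admins are told to act on, consider gating the Microsoft exclusion on Get-AuthenticodeSignature of $_.FileName (Status Valid and a Microsoft signer) rather than on the string alone, or at least state the limitation in the help text.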
Expand All @@ -394,8 +397,9 @@ foreach ($process in $ServerProcess) {
# Final output for process detection
if ($UnexpectedModuleFound -gt 0) {
Write-SimpleLogFile -string ("Found $($UnexpectedModuleFound) processes with unexpected modules loaded") -Name $LogFile -OutHost
Write-SimpleLogFile ("AV Modules loaded in Exchange processes may indicate that exclusions are not properly configured.") -Name $LogFile -OutHost
Write-SimpleLogFile ("Non AV Modules loaded into Exchange processes may be expected depending on applications installed.") -Name $LogFile -OutHost
Write-Warning ("Review " + $OutputProcessPath + " For more information.")
Write-SimpleLogFile ("If a module is labeled `"Unexpected`" in error please submit the log file to [email protected]" ) -Name $LogFile -OutHost
} else {
Write-SimpleLogFile -string ("No Unexpected modules found loaded.") -Name $LogFile -OutHost
Write-SimpleLogFile -string ("Did not find any Non-Default modules loaded.") -Name $LogFile -OutHost
}
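Review bot: terminology is now inconsistent within this single output block: `Found $($UnexpectedModuleFound) processes with unexpected modules loaded` and the unchanged "labeled `"Unexpected`" in error" line still say "unexpected", while the new success message says "Non-Default modules" and the output file is NonDefaultModules.txt. Rename the user-facing strings to "Non-Default" (the variable can keep its name) so the log, the file name and the docs agree. Also note the first message counts processes while the file lists modules; that wording is only accurate if $UnexpectedModuleFound counts processes, which is not visible in this hunk, so confirm the noun.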
31 changes: 27 additions & 4 deletions docs/Diagnostics/Test-ExchAVExclusions.md
Expand Up @@ -5,6 +5,7 @@ Download the latest release: [Test-ExchAVExclusions.ps1](https://github.com/micr
Assists with testing Exchange Servers to determine if AV Exclusions have been properly set according to our documentation.

[AV Exclusions Exchange 2016/2019](https://docs.microsoft.com/en-us/Exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019)

[AV Exclusions Exchange 2013](https://docs.microsoft.com/en-us/exchange/anti-virus-software-in-the-operating-system-on-exchange-servers-exchange-2013-help)

## Usage
Expand All @@ -17,13 +18,35 @@ IF the file is not removed then it should be properly excluded.
Once the files are created it will wait 5 minutes for AV to "see" and remove the file.

After finishing testing directories it will test Exchange Processes.
We pull all Exchange processes and the modules loaded into them.
Those are then compared to a list of known modules and anything "unknown" is reported.
Pulls all Exchange processes and their modules.
Excludes known modules and reports all Non-Default modules.

Non-Default modules should be reviewed to ensure they are expected.
AV Modules loaded into Exchange Processes indicate that AV Process Exclusions are NOT properly configured.

...
.\Test-ExchAVExclusions.ps1
...

## Understanding the Output

### File Output
Review the BadExclusions.txt file to see any file paths were identified as being scanned by AV.
Work with the AV Vendor to determine the best way to exclude these file paths according to our documentation:

[AV Exclusions Exchange 2016/2019](https://docs.microsoft.com/en-us/Exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019)

### Process Output
Review NonDefaultModules.txt to determine if any Non-Default modules are loaded into Exchange processes. The output should have sufficient information to identity the source of the flagged modules.

```[FAIL] - PROCESS: ExchangeTransport MODULE: scanner.dll COMPANY: Contoso Security LTT.```

If the Module is from an AV or Security software vendor it is a strong indication that process exclusions are not properly configured on the Exchange server. Please work with the vendor to ensure that they are properly configured according to:

[AV Exclusions Exchange 2016/2019](https://docs.microsoft.com/en-us/Exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019)

[AV Exclusions Update](https://techcommunity.microsoft.com/t5/exchange-team-blog/update-on-the-exchange-server-antivirus-exclusions/ba-p/3751464)


## Parameters

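Review bot: the new doc sentence "AV Modules loaded into Exchange Processes indicate that AV Process Exclusions are NOT properly configured." is stronger than the script's own help text in this commit, which says "may indicate"; keep the hedged form in both places, since the README itself only calls it "a strong indication" under Process Output. Smaller fixes in the added text: "to see any file paths were identified" should read "to see any file paths that were identified", "sufficient information to identity the source" should be "identify", and "Contoso Security LTT." in the sample line looks like a typo in the company suffix. The usage example between "AV Process Exclusions are NOT properly configured." and "## Understanding the Output" is rendered here fenced with "..." rather than the triple-backtick fence used for the [FAIL] sample; confirm the markdown source uses a real code fence there. There is also a doubled blank line before "## Parameters".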
Expand All @@ -40,5 +63,5 @@ $env:LOCALAPPDATA\ExchAvExclusions.log
List of Folders and extensions Scanned by AV:
$env:LOCALAPPDATA\BadExclusions.txt

List of Unknown Processes:
$env:LOCALAPPDATA UnknownModules.txt
List of Non-Default Processes:
$env:LOCALAPPDATA\NonDefaultModules.txt

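Review bot: the .md now shows the path as `$env:LOCALAPPDATA\NonDefaultModules.txt` while the .ps1 help in this same commit shows `$env:LOCALAPPDATA NonDefaultModules.txt` with a space; make the script match the docs. "List of Non-Default Processes:" should be "List of Non-Default Modules:" to match the file name and its contents.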