From 8ce9cdc949112d6d9ee9f879bf2aab1a0f1f2760 Mon Sep 17 00:00:00 2001 From: canthv0 Date: Mon, 17 Jul 2023 12:33:00 -0400 Subject: [PATCH 1/8] updated language around finding modules. --- Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index ea4c13a232..17b0ebf3cc 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 @@ -27,6 +27,9 @@ Once the files are created it will wait 300 seconds for AV to "see" and remove t Pulls all Exchange processes and their modules. Excludes known modules and reports all unknown modules. +Unknown modules should be reviewed to ensure they are expected. +AV Modules loaded into Exchange Processes indicate that AV Process Exclusions are NOT properly configured. + .PARAMETER Recurse Will test not just the root folders but all SubFolders. Generally should not be needed unless all folders pass without -Recuse but AV is still suspected. @@ -394,8 +397,10 @@ foreach ($process in $ServerProcess) { # Final output for process detection if ($UnexpectedModuleFound -gt 0) { Write-SimpleLogFile -string ("Found $($UnexpectedModuleFound) processes with unexpected modules loaded") -Name $LogFile -OutHost + Write-SimpleLogFile ("AV Modules loaded in Exchange processess generally indicates that exclusions are not set properly.") -Name $LogFile -OutHost + Write-SimpleLogFile ("Non AV Modules loaded into Exchange processes maybe expected depending on applications installed.") -Name $LogFile -OutHost Write-Warning ("Review " + $OutputProcessPath + " For more information.") - Write-SimpleLogFile ("If a module is labeled `"Unexpected`" in error please submit the log file to ExToolsFeedback@microsoft.com" ) -Name $LogFile -OutHost + } else { Write-SimpleLogFile -string ("No Unexpected modules found loaded.") -Name $LogFile -OutHost } 
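Review bot: The two `Write-SimpleLogFile` calls added inside `if ($UnexpectedModuleFound -gt 0)` pass the message positionally, while the call directly above them and the one in the `else` branch bind it by name as `-string`; naming the parameter keeps the four calls uniform and does not depend on the helper's positional order, e.g. `Write-SimpleLogFile -string ("AV Modules loaded in Exchange processess generally indicates that exclusions are not set properly.") -Name $LogFile -OutHost`. The deleted line was the only pointer to where a module labelled "Unexpected" in error should be reported; if that feedback channel still exists, a one-line replacement would keep that path visible to the reader. The hunk header places this block after the `foreach ($process in $ServerProcess)` loop, whose body presumably ends outside the hunk.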
From 3843ded4a33d5e824bdc49449fec82147d7faacd Mon Sep 17 00:00:00 2001 From: canthv0 Date: Mon, 17 Jul 2023 12:47:46 -0400 Subject: [PATCH 2/8] Spelling fix --- Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index 17b0ebf3cc..1dcf766375 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 @@ -397,7 +397,7 @@ foreach ($process in $ServerProcess) { # Final output for process detection if ($UnexpectedModuleFound -gt 0) { Write-SimpleLogFile -string ("Found $($UnexpectedModuleFound) processes with unexpected modules loaded") -Name $LogFile -OutHost - Write-SimpleLogFile ("AV Modules loaded in Exchange processess generally indicates that exclusions are not set properly.") -Name $LogFile -OutHost + Write-SimpleLogFile ("AV Modules loaded in Exchange processes generally indicates that exclusions are not set properly.") -Name $LogFile -OutHost Write-SimpleLogFile ("Non AV Modules loaded into Exchange processes maybe expected depending on applications installed.") -Name $LogFile -OutHost Write-Warning ("Review " + $OutputProcessPath + " For more information.") From 8130fe99c9858fef05f8c30a0cd4575cfb9535f1 Mon Sep 17 00:00:00 2001 From: canthv0 Date: Mon, 17 Jul 2023 13:04:21 -0400 Subject: [PATCH 3/8] Format Fix --- Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 1 - 1 file changed, 1 deletion(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index 1dcf766375..f3e241c52c 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 
@@ -400,7 +400,6 @@ if ($UnexpectedModuleFound -gt 0) { Write-SimpleLogFile ("AV Modules loaded in Exchange processes generally indicates that exclusions are not set properly.") -Name $LogFile -OutHost Write-SimpleLogFile ("Non AV Modules loaded into Exchange processes maybe expected depending on applications installed.") -Name $LogFile -OutHost Write-Warning ("Review " + $OutputProcessPath + " For more information.") - } else { Write-SimpleLogFile -string ("No Unexpected modules found loaded.") -Name $LogFile -OutHost } From 9e84c742aa4b17d181bf26631e505fb18fb2f02c Mon Sep 17 00:00:00 2001 From: canthv0 Date: Mon, 17 Jul 2023 14:28:16 -0400 Subject: [PATCH 4/8] Updated from unknown to non-default --- .../AVTester/Test-ExchAVExclusions.ps1 | 16 +++++----- docs/Diagnostics/Test-ExchAVExclusions.md | 31 ++++++++++++++++--- 2 files changed, 35 insertions(+), 12 deletions(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index f3e241c52c..fd53f3fc63 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 @@ -11,7 +11,7 @@ .SYNOPSIS Uses EICAR files to verify that all Exchange paths that should be excluded from AV scanning are excluded. -Checks Exchange processes for "unknown" modules being loaded into them. +Checks Exchange processes for Non-Default modules being loaded into them. .DESCRIPTION Writes an EICAR test file https://en.wikipedia.org/wiki/EICAR_test_file to all paths specified by 
@@ -25,9 +25,9 @@ IF the file is not removed then it should be properly excluded. Once the files are created it will wait 300 seconds for AV to "see" and remove the file. Pulls all Exchange processes and their modules. -Excludes known modules and reports all unknown modules. +Excludes known modules and reports all Non-Default modules. -Unknown modules should be reviewed to ensure they are expected. +Non-Default modules should be reviewed to ensure they are expected. AV Modules loaded into Exchange Processes indicate that AV Process Exclusions are NOT properly configured. .PARAMETER Recurse @@ -41,8 +41,8 @@ $env:LOCALAPPDATA\ExchAvExclusions.log List of Scanned Folders: $env:LOCALAPPDATA\BadExclusions.txt -List of Unknown Processes -$env:LOCALAPPDATA UnknownModules.txt +List of Non-Default Processes +$env:LOCALAPPDATA NonDefaultModules.txt .EXAMPLE .\Test-ExchAVExclusions.ps1 @@ -374,8 +374,8 @@ foreach ($process in $ServerProcess) { # Remove Microsoft modules $ProcessModules = $ProcessModules | Where-Object { $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation." -and $_.FileVersionInfo.CompanyName -ne "Microsoft" -and $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation" } - # Generate and output path for an unknown modules file: - $OutputProcessPath = Join-Path $env:LOCALAPPDATA UnknownModules.txt + # Generate and output path for an Non-Default modules file: + $OutputProcessPath = Join-Path $env:LOCALAPPDATA NonDefaultModules.txt # Clear out modules from the allow list foreach ($module in $ModuleAllowList) { 
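Review bot: In the `@@ -41,8 +41,8 @@` hunk the new help line `$env:LOCALAPPDATA NonDefaultModules.txt` still lacks the path separator that the sibling entries `$env:LOCALAPPDATA\ExchAvExclusions.log` and `$env:LOCALAPPDATA\BadExclusions.txt` carry, so the documented location does not match what `Join-Path $env:LOCALAPPDATA NonDefaultModules.txt` produces; the docs hunk in the same commit already writes `$env:LOCALAPPDATA\NonDefaultModules.txt`. The heading `List of Non-Default Processes` also misdescribes the file, which the code comment in the `@@ -374,8 +374,8 @@` hunk calls the Non-Default modules file and which the docs describe as per-process module hits. Suggested: `List of Non-Default Modules` followed by `$env:LOCALAPPDATA\NonDefaultModules.txt`.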
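Review bot: The rewritten comment `# Generate and output path for an Non-Default modules file:` in the `@@ -374,8 +374,8 @@` hunk is ungrammatical; `# Generate the output path for the Non-Default modules file:` states the same thing cleanly. The Microsoft-company filter above it and the allow-list loop below it are untouched by this commit, and the enclosing `foreach ($process in $ServerProcess)` loop appears to start and end outside the hunk.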
@@ -401,5 +401,5 @@ if ($UnexpectedModuleFound -gt 0) { Write-SimpleLogFile ("Non AV Modules loaded into Exchange processes maybe expected depending on applications installed.") -Name $LogFile -OutHost Write-Warning ("Review " + $OutputProcessPath + " For more information.") } else { - Write-SimpleLogFile -string ("No Unexpected modules found loaded.") -Name $LogFile -OutHost + Write-SimpleLogFile -string ("No Non-Default modules found loaded.") -Name $LogFile -OutHost } diff --git a/docs/Diagnostics/Test-ExchAVExclusions.md b/docs/Diagnostics/Test-ExchAVExclusions.md index 71ffd18b39..15dbd3b701 100644 --- a/docs/Diagnostics/Test-ExchAVExclusions.md +++ b/docs/Diagnostics/Test-ExchAVExclusions.md @@ -5,6 +5,7 @@ Download the latest release: [Test-ExchAVExclusions.ps1](https://github.com/micr Assists with testing Exchange Servers to determine if AV Exclusions have been properly set according to our documentation. [AV Exclusions Exchange 2016/2019](https://docs.microsoft.com/en-us/Exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019) + [AV Exclusions Exchange 2013](https://docs.microsoft.com/en-us/exchange/anti-virus-software-in-the-operating-system-on-exchange-servers-exchange-2013-help) ## Usage 
@@ -17,13 +18,35 @@ IF the file is not removed then it should be properly excluded. Once the files are created it will wait 5 minutes for AV to "see" and remove the file. After finishing testing directories it will test Exchange Processes. -We pull all Exchange processes and the modules loaded into them. -Those are then compared to a list of known modules and anything "unknown" is reported. +Pulls all Exchange processes and their modules. +Excludes known modules and reports all Non-Default modules. + +Non-Default modules should be reviewed to ensure they are expected. +AV Modules loaded into Exchange Processes indicate that AV Process Exclusions are NOT properly configured. ... .\Test-ExchAVExclusions.ps1 ... +## Understanding the Output + +### File Output +Review the BadExclusions.txt file to see any file paths were identified as being scanned by AV. +Work with the AV Vendor to determine the best way to exclude these file paths according to our documentation: + +[AV Exclusions Exchange 2016/2019](https://docs.microsoft.com/en-us/Exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019) + +### Process Output +Review NonDefaultModules.txt to determine if any Non-Default modules are loaded into Exchange processes. The output should have sufficient information to identity the souce of the flagged modules. + +```[FAIL] - PROCESS: msexchangerepl MODULE: scanner.dll COMPANY: Contoso Security LTT.``` + +If the Module is from an AV or Security software vendor it is a strong indication that process exclusions are not properly configured on the Exchange server. 
Please work with the security software vendor to ensure that they are properly configured according to: + +[AV Exclusions Exchange 2016/2019](https://docs.microsoft.com/en-us/Exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019) + +[AV Exclusions Update](https://techcommunity.microsoft.com/t5/exchange-team-blog/update-on-the-exchange-server-antivirus-exclusions/ba-p/3751464) + ## Parameters @@ -40,5 +63,5 @@ $env:LOCALAPPDATA\ExchAvExclusions.log List of Folders and extensions Scanned by AV: $env:LOCALAPPDATA\BadExclusions.txt -List of Unknown Processes: -$env:LOCALAPPDATA UnknownModules.txt +List of Non-Default Processes: +$env:LOCALAPPDATA\NonDefaultModules.txt From c8db5853f58b464e84b043ecf281d075a2d72838 Mon Sep 17 00:00:00 2001 From: canthv0 Date: Mon, 17 Jul 2023 14:49:11 -0400 Subject: [PATCH 5/8] Spelling fix --- docs/Diagnostics/Test-ExchAVExclusions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/Diagnostics/Test-ExchAVExclusions.md b/docs/Diagnostics/Test-ExchAVExclusions.md index 15dbd3b701..8c972679c8 100644 --- a/docs/Diagnostics/Test-ExchAVExclusions.md +++ b/docs/Diagnostics/Test-ExchAVExclusions.md 
@@ -37,9 +37,9 @@ Work with the AV Vendor to determine the best way to exclude these file paths ac [AV Exclusions Exchange 2016/2019](https://docs.microsoft.com/en-us/Exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019) ### Process Output -Review NonDefaultModules.txt to determine if any Non-Default modules are loaded into Exchange processes. The output should have sufficient information to identity the souce of the flagged modules. +Review NonDefaultModules.txt to determine if any Non-Default modules are loaded into Exchange processes. The output should have sufficient information to identity the source of the flagged modules. -```[FAIL] - PROCESS: msexchangerepl MODULE: scanner.dll COMPANY: Contoso Security LTT.``` +```[FAIL] - PROCESS: ExchangeTransport MODULE: scanner.dll COMPANY: Contoso Security LTT.``` If the Module is from an AV or Security software vendor it is a strong indication that process exclusions are not properly configured on the Exchange server. Please work with the security software vendor to ensure that they are properly configured according to: From c3b0adb58470c421379783379facc287973b8915 Mon Sep 17 00:00:00 2001 From: canthv0 Date: Tue, 18 Jul 2023 13:22:39 -0400 Subject: [PATCH 6/8] Spelling and grammer changes --- Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index fd53f3fc63..8e39c11bc5 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 
@@ -28,7 +28,7 @@ Pulls all Exchange processes and their modules. Excludes known modules and reports all Non-Default modules. Non-Default modules should be reviewed to ensure they are expected. -AV Modules loaded into Exchange Processes indicate that AV Process Exclusions are NOT properly configured. +AV Modules loaded into Exchange Processes may indicate that AV Process Exclusions are NOT properly configured. .PARAMETER Recurse Will test not just the root folders but all SubFolders. @@ -397,8 +397,8 @@ foreach ($process in $ServerProcess) { # Final output for process detection if ($UnexpectedModuleFound -gt 0) { Write-SimpleLogFile -string ("Found $($UnexpectedModuleFound) processes with unexpected modules loaded") -Name $LogFile -OutHost - Write-SimpleLogFile ("AV Modules loaded in Exchange processes generally indicates that exclusions are not set properly.") -Name $LogFile -OutHost - Write-SimpleLogFile ("Non AV Modules loaded into Exchange processes maybe expected depending on applications installed.") -Name $LogFile -OutHost + Write-SimpleLogFile ("AV Modules loaded in Exchange processes may indicate that exclusions are not properly configured.") -Name $LogFile -OutHost + Write-SimpleLogFile ("Non AV Modules loaded into Exchange processes may be expected depending on applications installed.") -Name $LogFile -OutHost Write-Warning ("Review " + $OutputProcessPath + " For more information.") } else { Write-SimpleLogFile -string ("No Non-Default modules found loaded.") -Name $LogFile -OutHost From ff5ee9124cc6aacf49988baca22e2d4892878f4b Mon Sep 17 00:00:00 2001 From: canthv0 Date: Tue, 18 Jul 2023 13:30:52 -0400 Subject: [PATCH 7/8] Grammer Update --- Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index 8e39c11bc5..7042f63f57 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 
+++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 @@ -401,5 +401,5 @@ if ($UnexpectedModuleFound -gt 0) { Write-SimpleLogFile ("Non AV Modules loaded into Exchange processes may be expected depending on applications installed.") -Name $LogFile -OutHost Write-Warning ("Review " + $OutputProcessPath + " For more information.") } else { - Write-SimpleLogFile -string ("No Non-Default modules found loaded.") -Name $LogFile -OutHost + Write-SimpleLogFile -string ("Did not find any Non-Default modules loaded.") -Name $LogFile -OutHost } From a8fabaf913820dfb05495ead8f421790d1adbebb Mon Sep 17 00:00:00 2001 From: canthv0 Date: Tue, 18 Jul 2023 13:35:06 -0400 Subject: [PATCH 8/8] grammar update --- docs/Diagnostics/Test-ExchAVExclusions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Diagnostics/Test-ExchAVExclusions.md b/docs/Diagnostics/Test-ExchAVExclusions.md index 8c972679c8..5ee01cfef1 100644 --- a/docs/Diagnostics/Test-ExchAVExclusions.md +++ b/docs/Diagnostics/Test-ExchAVExclusions.md @@ -41,7 +41,7 @@ Review NonDefaultModules.txt to determine if any Non-Default modules are loaded ```[FAIL] - PROCESS: ExchangeTransport MODULE: scanner.dll COMPANY: Contoso Security LTT.``` -If the Module is from an AV or Security software vendor it is a strong indication that process exclusions are not properly configured on the Exchange server. Please work with the security software vendor to ensure that they are properly configured according to: +If the Module is from an AV or Security software vendor it is a strong indication that process exclusions are not properly configured on the Exchange server. Please work with the vendor to ensure that they are properly configured according to: [AV Exclusions Exchange 2016/2019](https://docs.microsoft.com/en-us/Exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019)