Interoperability with Microsoft Exchange Servers
05/01/2023
Description
To learn how to exclude files and folders, please see Capture Client Interoperability Issues with Third Party Applications.
Resolution
Background:
Microsoft Exchange Servers have known vulnerabilities. If you have exclusions for Exchange Server processes in your Management, the Capture Client and SentinelOne Agent have limited visibility into attempts to exploit these vulnerabilities.
From S1 Version 21.5 onwards, we are not aware of any interoperability issues between Microsoft Exchange Servers and SentinelOne Agents. Microsoft Exchange has now been removed from the Exclusions Catalog. We recommend that you remove existing exclusions for Microsoft Exchange Server to improve your security.
Note: If Exchange is hosted on a cluster server, see Capture Client - Windows Agent with Microsoft Server Clusters.
Recommendation and Suggestions
A: SentinelOne's past recommendations to create exclusions for Microsoft Exchange servers were based on Microsoft's recommendation to add exclusions for all AV vendors.
B: The exclusions that you created earlier remain in your environment until you remove them. Please remove them at the earliest opportunity to improve your organization's security.
List of Exclusions That You Need to Remove
For recommended Exchange exclusions, see the Microsoft Technet article for your version:
Exchange 2016: Running Windows antivirus software on Exchange 2016 servers
Exchange 2013: Anti-Virus Software in the Operating System on Exchange Servers
Exchange 2010: File-Level Antivirus Scanning on Exchange 2010
Office 2013 (including Office 365): Plan antivirus scanning for Outlook 2013
Exchange 2007: File-Level Antivirus Scanning on Exchange 2007
A summary of the recommendations is to exclude these files and processes for all Exchange Servers:
\Device\HarddiskVolume*\Windows\System32\Dsamain.exe
\Device\HarddiskVolume*\Windows\System32\inetsrv\inetinfo.exe
\Device\HarddiskVolume*\Windows\System32\inetsrv\W3wp.exe
(If it exists) \Device\HarddiskVolume*\Windows\Temp\ExchangeSetup\
(If it exists) \Device\HarddiskVolume*\Windows\Temp\OICE_*\
Exclude these files based on your version:
Exchange 2019 - \Device\HarddiskVolume*\Program Files\Microsoft\Exchange Server\V15\ (including subfolders)
Exchange 2016 - \Device\HarddiskVolume*\Program Files\Microsoft\Exchange Server\V15\ (including subfolders)
Exchange 2013 - \Device\HarddiskVolume*\Program Files\Microsoft\Exchange Server\V15\ (including subfolders)
\Device\HarddiskVolume*\Program Files\Exchsrvr\ (including subfolders)
Exchange 2010 - \Device\HarddiskVolume*\Program Files\Microsoft\Exchange Server\V14\ (including subfolders)
\Device\HarddiskVolume*\Program Files\Exchsrvr\ (including subfolders)
Exchange 2007 - \Device\HarddiskVolume*\Program Files\Microsoft\Exchange Server\ (including subfolders)
Granular, more secure (less aggressive) list for each version:
Exchange 2019:
C:\Program File*\Microsoft\Exchange Server\V15\ClientAccess\OAB\
C:\Program File*\Microsoft\Exchange Server\V15\FIP-FS\
C:\Program File*\Microsoft\Exchange Server\V15\GroupMetrics\
C:\Program File*\Microsoft\Exchange Server\V15\Logging\
C:\Program File*\Microsoft\Exchange Server\V15\Mailbox\
C:\Program File*\Microsoft\Exchange Server\V15\TransportRoles\Data\Adam\
C:\Program File*\Microsoft\Exchange Server\V15\TransportRoles\Data\IpFilter\
C:\Program File*\Microsoft\Exchange Server\V15\TransportRoles\Data\Queue\
C:\Program File*\Microsoft\Exchange Server\V15\TransportRoles\Data\SenderReputation\
C:\Program File*\Microsoft\Exchange Server\V15\TransportRoles\Data\Temp\
C:\Program File*\Microsoft\Exchange Server\V15\TransportRoles\Logs\
C:\Program File*\Microsoft\Exchange Server\V15\TransportRoles\Pickup\
C:\Program File*\Microsoft\Exchange Server\V15\TransportRoles\Replay\
C:\Program File*\Microsoft\Exchange Server\V15\UnifiedMessaging\Grammars\
C:\Program File*\Microsoft\Exchange Server\V15\UnifiedMessaging\Prompts\
C:\Program File*\Microsoft\Exchange Server\V15\UnifiedMessaging\Temp\
C:\Program File*\Microsoft\Exchange Server\V15\UnifiedMessaging\Voicemail\
C:\Program File*\Microsoft\Exchange Server\V15\Working\OleConverter\
C:\Program File*\Microsoft\Exchange Server\V15\Bin\
C:\Program File*\Microsoft\Exchange Server\V15\FrontEnd\
C:\Windows\System32\Dsamain.exe
C:\Windows\System32\System32\inetsrv\W3wp.exe
Exchange 2016:
C:\Program File*\Microsoft\Exchange Server\V15\Bin\msftesql.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\store.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\mad.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\exfba.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\msftefd.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\MSExchangeADTopologyService.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AddressBook.Service.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\MsExchangeFDS.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\MSExchangeMailSubmission.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ProtectedServiceHost.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Search.ExSearch.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ServiceHost.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe
Exchange 2013:
C:\Windows\System32\Dsamain.exe
C:\Windows\System32\inetsrv\inetinfo.exe
C:\Windows\System32\inetsrv\W3wp.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\EdgeTransport.exe
C:\Program Files\Microsoft\Exchange Server\v15\FIP-FS\Bin\fms.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe
C:\Program Files\Microsoft\Exchange Server\v15\TransportRoles\agents\Hygiene\Microsoft.Exchange.ContentFilter.Wrapper.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\Microsoft.Exchange.Diagnostics.Service.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\Microsoft.Exchange.Directory.TopologyService.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\Microsoft.Exchange.EdgeCredentialSvc.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe
C:\Program Files\Microsoft\Exchange Server\v15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe
C:\Program Files\Microsoft\Exchange Server\v15\ClientAccess\PopImap\Microsoft.Exchange.Imap4service.exe
C:\Program Files\Microsoft\Exchange Server\v15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe
C:\Program Files\Microsoft\Exchange Server\v15\ClientAccess\PopImap\Microsoft.Exchange.Pop3service.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\Microsoft.Exchange.ProtectedServiceHost.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\Microsoft.Exchange.RPCClientAccess.Service.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\Microsoft.Exchange.Search.Service.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\Microsoft.Exchange.Servicehost.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\Microsoft.Exchange.Store.Service.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\Microsoft.Exchange.Store.Worker.exe
C:\Program Files\Microsoft\Exchange Server\v15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\MSExchangeDagMgmt.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\MSExchangeDelivery.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\MSExchangeFrontendTransport.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\MSExchangeHMHost.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\MSExchangeHMWorker.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\MSExchangeMailboxAssistants.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\MSExchangeMailboxReplication.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\MSExchangeMigrationWorkflow.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\MSExchangeRepl.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\MSExchangeSubmission.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\MSExchangeTransport.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\MSExchangeTransportLogSearch.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\MSExchangeThrottling.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\Search\Ceres\Runtime\1.0\Noderunner.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\OleConverter.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\Search\Ceres\ParserServer\ParserServer.exe
C:\Program Files\Microsoft\Exchange Server\v15\FIP-FS\Bin\ScanEngineTest.exe
C:\Program Files\Microsoft\Exchange Server\v15\FIP-FS\Bin\ScanningProcess.exe
C:\Program Files\Microsoft\Exchange Server\v15\ClientAccess\Owa\Bin\DocumentViewing\TranscodingService.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\UmService.exe
C:\Program Files\Microsoft\Exchange Server\v15\Bin\UmWorkerProcess.exe
C:\Program Files\Microsoft\Exchange Server\v15\FIP-FS\Bin\UpdateService.exe
Exchange 2010:
C:\Program File*\Microsoft\Exchange Server\V14\Bin\msftesql.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\store.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\mad.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\exfba.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\msftefd.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\MSExchangeADTopologyService.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.AddressBook.Service.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.EdgeSyncSvc.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\MsExchangeFDS.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxAssistants.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxReplication.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\MSExchangeMailSubmission.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.ProtectedServiceHost.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\msexchangerepl.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.Search.ExSearch.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.ServiceHost.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\MSExchangeThrottling.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\MSExchangeTransport.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe
C:\Program File*\Microsoft\Exchange Server\V14\Bin\MSExchangeTransportLogSearch.exe
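Added example (not SonicWall or SentinelOne code): one way to find the exclusions listed above in a set of exclusion paths copied from your console, so they can be reviewed and removed. It assumes the exclusions are available as plain path strings, one per line; the function names, the sample paths and the parent-folder rule are assumptions made for illustration.

```python
import re

# Folder roots and processes taken from the exclusion lists on this page.
EXCHANGE_ROOTS = (
    "\\program files\\microsoft\\exchange server\\",
    "\\program files\\exchsrvr\\",
    "\\windows\\temp\\exchangesetup\\",
    "\\windows\\temp\\oice_",
)
EXCHANGE_PROCESSES = {
    "\\windows\\system32\\dsamain.exe",
    "\\windows\\system32\\inetsrv\\inetinfo.exe",
    "\\windows\\system32\\inetsrv\\w3wp.exe",
    "\\windows\\system32\\system32\\inetsrv\\w3wp.exe",  # form listed under Exchange 2019
}

def normalize(path):
    """Reduce an exclusion path to a lowercase, volume-independent form."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    # Drop "\Device\HarddiskVolume*" (or a numbered volume) or a drive letter.
    p = re.sub(r"^(\\device\\harddiskvolume[^\\]*|[a-z]:)", "", p)
    # "Program File*", "Program Files" and "Program Files (x86)" map to one form.
    return re.sub(r"^\\program file[^\\]*", r"\\program files", p)

def classify(path):
    """Return why an exclusion touches Exchange, or None if it does not."""
    p = normalize(path)
    if p in EXCHANGE_PROCESSES:
        return "process"
    for root in EXCHANGE_ROOTS:
        if p.startswith(root):
            return "exchange-path"
        # Assumption: a folder exclusion above an Exchange root also covers it.
        if p.endswith("\\") and root.startswith(p):
            return "parent-folder"
    return None

def audit(exclusions):
    return {e: c for e in exclusions if (c := classify(e))}

# Constructed sample input (hypothetical export, one exclusion path per line).
SAMPLE = r"""
\Device\HarddiskVolume*\Windows\System32\inetsrv\W3wp.exe
C:\Program File*\Microsoft\Exchange Server\V15\Bin\store.exe
C:\Program Files\Microsoft\
C:\Program Files\Contoso\Backup\agent.exe
""".splitlines()
for excl, why in audit(SAMPLE).items():
    print(f"{why:14} {excl}")
```

Entries reported as parent-folder are not Exchange exclusions themselves, but they cover the Exchange install or temp folders and deserve the same review.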