Kaspersky Endpoint Security for Windows and Exchange Server

[jetb2]

I'm going to start migrating our servers to Kaspersky Endpoint Security for Windows and I have concerns about putting it on our Exchange Server.  Are there any best practices I need to know before installing?  I don't need any Exchange specific features - I just want it to ignore it and not break it. 

[JIABP]

Hey there!

I have an experience with installing latest KES on Exchange Server 2016/2019.

First what you should know, that if you have 1 server (no DAG), you could use KES without any customizations. But if you have DAG (2 or more servers) and you have, e.g. 1 active base and 1 passive base, you must add an exclusions for some extensions and folders to prevent replication failure.

Here's my findings:

?:\LON-DB*\*.chk - this exclude exchange transactions log checkpoint (index) from scanning on any disk in folder have name LON-DB1, LON-DB2 ... LON-DB99, LON-DBAlpha7
?:\LON-DB*\*.edb - exchange database
?:\LON-DB*\*.jrs - exchange reserve transaction log files
?:\LON-DB*\*.log - most important - exchange transaction log. If you do not add this exclusion, your passive copies would stop replicate from active copy and would be in state FailedAndSuspended
?:\LON-DB*\*.jsl - exchange jet shadow logs
C:\Program Files\Microsoft\Exchange Server\**\*.log - do not scan any *log files in exchange install directory. There is no mistake when you notice that i forgot V15 catalog. No, all is correct. If malware would be found in C:\Program Files\Microsoft\Exchange Server so KES would catch it. But all subfolders, like V15 or NewFolder123 would be excluded from on-access / on-demand scan.

Where add this exclusions?
Open KES Policy-> General Settings-> Exclusions-> Scan Exclusions and trusted applications. You need "Scan Exclusions" tab. You need choose in Properties "File or folder" and then "Scan" and "File threat protection" and then add path's above.

P.S. It's just only my experience and there is no official recommendations or any documentation about this

Edited December 13, 2022 by JIABP

[jetb2]

We have just the one installation of Exchange 2016 but it's just the head unit for our MS365 installation.  

[JIABP]

@jetb2 if you do not have databases replication between exchange servers, so you could skip adding this exclusions I guess.