Proper virus exclusions for servers hosting the OAB

I often run into situations where customers are seeing the following event in the application log:

Event Type: Error
Event Source: MSExchangeSA
Event Category: OAL Generator
Event ID: 9373
Description: OALGen detected that the file '\\<SERVER name>\ExchangeOAB\<folder name>\a58e388b-7b23-4944-b042-58a7d0c6590f-data-1.lzx' is corrupted or missing. This indicates data tampering or disk problems. Restore files in this folder from the recent backup or clean up folder content and force a full OAB generation. - Default Offline Address Book

You must exclude specific directories for each Exchange server or server role on which you run a file-level antivirus scanner. This section describes the directories that you should exclude from file-level scanning for each server or server role.

Mailbox server role

  • Exchange databases, checkpoint files, and log files across all storage groups. By default, these are located in sub-folders under the %Program Files%\Microsoft\Exchange Server\Mailbox folder. You can obtain the directory location by running the following commands in the Exchange Management Shell:
    • To determine the location of a transaction log and checkpoint file, run the following command: Get-StorageGroup -server <servername> | fl *path*
    • To determine the location of a mailbox database, run the following command: Get-MailboxDatabase -server <servername> | fl *path*
    • To determine the location of a public folder database, run the following command: Get-PublicFolderDatabase -server <servername> | fl *path*
  • Database content indexes. By default, these are located in storage group sub-folders under the %Program Files%\Microsoft\Exchange Server\Mailbox folder.
  • General log files, such as message tracking log files. These files are located in subfolders under the %Program Files%\Microsoft\Exchange Server\TransportRoles\Logs folder and the %Program Files%\Microsoft\Exchange Server\Logging folder. To determine the log paths being used, run the following command in the Exchange Management Shell: Get-MailboxServer <servername> | fl *path*
  • The Offline Address Book files that are located in subfolders under the %Program Files%\Microsoft\Exchange Server\ExchangeOAB folder
  • IIS system files in the %SystemRoot%\System32\Inetsrv folder
  • The temporary folder that is used with offline maintenance utilities, such as Eseutil.exe. By default, this folder is the location where the .exe file is run from. However, you can configure where you perform the operation from when you run the utility.
  • The temporary folders that are used to perform conversions:
    • Content conversions are performed in the server’s TMP folder.
    • OLE conversions are performed in the %Program Files%\Microsoft\Exchange Server\Working\OleConvertor folder.
    • The Mailbox database temporary folder: %Program Files%\Microsoft\Exchange Server\Mailbox\MDBTEMP
  • Any Exchange-aware antivirus program folders

Client Access server role

  • The Internet Information Services (IIS) 6.0 compression folder that is used with Microsoft Outlook Web Access. By default, the compression folder in IIS 6.0 is located at %systemroot%\IIS Temporary Compressed Files.
    For more information, see the Microsoft Knowledge Base article 817442, A 0-byte file may be returned when compression is enabled on a server that is running IIS.
  • IIS system files in the %SystemRoot%\System32\Inetsrv folder
  • The Internet-related files that are stored in the sub-folders of the %Program Files%\Microsoft\Exchange Server\ClientAccess folder
  • The temporary folder that is used to perform content conversion. By default, this is the server’s TMP folder.
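The two role lists above are easy to get wrong by hand, especially when databases and logs have been moved off the default paths. The following script is an added example, not code from the original post or from Microsoft: run in the Exchange Management Shell on the server itself, it discovers the storage group, database and log locations with the same cmdlets the post names (using every *Path* property, as `fl *path*` does), adds the static folders listed for each role the server holds, and flags any path that does not exist before you hand the list to your scanner's exclusion console. The output file name is an assumption; the scanner-side step is product-specific and not shown.

```powershell
<#
  Added example (not part of the original post). Builds the file-level
  antivirus exclusion list described above for the local Exchange 2007
  Mailbox / Client Access server. Assumes it runs inside the Exchange
  Management Shell on that server; the $OutFile name is an assumption.
#>
param(
    [string]$Server  = $env:COMPUTERNAME,
    [string]$OutFile = "$env:TEMP\exchange-av-exclusions.txt"   # assumed name
)

$exchRoot   = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server'
$exclusions = New-Object 'System.Collections.Generic.List[string]'

function Add-Exclusion {
    param([string]$Path)
    if (-not $Path) { return }
    # A file path (e.g. the .edb) is excluded by its containing folder.
    # Note: a folder whose name contains a dot would also be treated as a file.
    if ([System.IO.Path]::HasExtension($Path)) { $Path = Split-Path -Path $Path -Parent }
    $Path = $Path.TrimEnd('\')
    if (-not $exclusions.Contains($Path)) { $exclusions.Add($Path) }
}

# Mirrors the post's "| fl *path*": take every populated *Path* property
# (LogFolderPath, SystemFolderPath, EdbFilePath, MessageTrackingLogPath, ...)
function Add-PathProperties {
    param($Object)
    $Object.PSObject.Properties |
        Where-Object { $_.Name -like '*Path*' -and $_.Value } |
        ForEach-Object { Add-Exclusion ([string]$_.Value) }
}

$roles = [string](Get-ExchangeServer -Identity $Server).ServerRole

if ($roles -match 'Mailbox') {
    # Databases, transaction logs and checkpoint files, per storage group.
    # Content indexes live in the same storage group sub-folders, so the
    # database folders cover them.
    Get-StorageGroup         -Server $Server | ForEach-Object { Add-PathProperties $_ }
    Get-MailboxDatabase      -Server $Server | ForEach-Object { Add-PathProperties $_ }
    Get-PublicFolderDatabase -Server $Server | ForEach-Object { Add-PathProperties $_ }
    # Message tracking and other general log locations
    Add-PathProperties (Get-MailboxServer -Identity $Server)

    # Static folders the post lists for the Mailbox role
    foreach ($rel in 'TransportRoles\Logs', 'Logging', 'ExchangeOAB',
                     'Working\OleConvertor', 'Mailbox\MDBTEMP') {
        Add-Exclusion (Join-Path $exchRoot $rel)
    }
}

if ($roles -match 'ClientAccess') {
    # Static folders the post lists for the Client Access role
    Add-Exclusion (Join-Path $exchRoot 'ClientAccess')
    Add-Exclusion (Join-Path $env:SystemRoot 'IIS Temporary Compressed Files')
}

# Listed for both roles
Add-Exclusion (Join-Path $env:SystemRoot 'System32\Inetsrv')
Add-Exclusion $env:TMP   # content conversion temp folder

# Flag anything that does not exist so a moved database or a typo is
# caught before the list reaches the antivirus console.
$report = foreach ($p in $exclusions) {
    New-Object PSObject -Property @{ Path = $p; Exists = (Test-Path -LiteralPath $p) }
}
$report | Sort-Object Path | Format-Table Exists, Path -AutoSize

$exclusions | Sort-Object | Set-Content -Path $OutFile
Write-Host "Wrote $($exclusions.Count) exclusion paths to $OutFile"
```

A path reported as `Exists = False` usually means the value came from Active Directory for a database that has been moved or dismounted, or that the property points at a share on another server; check it before excluding it rather than excluding it blindly. The `Exchange-aware antivirus program folders` bullet is deliberately not automated here because that location depends on the product installed.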

For more information, see: https://technet.microsoft.com/en-us/library/bb332342(EXCHG.80).aspx

For more information on how to restore the contents of your OAB directories, see this blog post: https://blogs.msdn.com/dgoldman/archive/2009/08/28/event-id-9373-is-logged-in-the-application-log-when-you-update-the-offline-address-book-in-exchange-server-2007.aspx

Dave