During a Lync health check it was rightly pointed out to me by fellow PFE Alexander Malkov that I have to add some exceptions to the Microsoft Forefront Client Security (FCS) scanning list in order to be in line with best practices.
Yes, sir! First link in Google and here we are at: http://technet.microsoft.com/en-us/library/gg195736.aspx
Looks like this:
Please note this is not a complete list, check original link when you decide to follow this procedure!
What we can see there is a list of .exe files along with some paths. I took one of the Lync servers and opened FCS. I was rightfully expecting to see some way of importing a list of processes and a bunch of directories into the exclusions...
How wrong I was. FCS offers "an easy way" to add exclusions one by one, asking me to provide the full path to every executable! And I have a handful of servers to configure!
So I decided to do a lazy man's job: I created one entry and went to the registry (I already knew exclusions are stored under the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions
key). There they are for processes:
The syntax is clear and I tried to create a new DWORD. So, as you could probably understand, I decided to create a list of values, export the whole key and import it on all the other servers. However, it is AV and it heavily protects its registry tree. After some unsuccessful tries I decided to do the thing right and opened a PowerShell window (BTW, PowerShell 3.0 is out and can be downloaded here) :)
So my new algorithm was the following:
I take a list of executables, save it into a file, parse the file and find the matching .exe on disk. Now, having a list of full paths, I can create registry values right from PowerShell. Ready! Not quite yet - I forgot permissions.
In order to solve this problem I'll use PsExec from the Sysinternals suite to run my script as SYSTEM.
The list of files I came up with (for the file c:\temp\exefiles):
AVMCUSvc.exe
DataMCUSvc.exe
DataProxy.exe
FileTransferAgent.exe
IMMCUSvc.exe
MasterReplicatorAgent.exe
MediaRelaySvc.exe
MediationServerSvc.exe
MeetingMCUSvc.exe
MRASSvc.exe
OcsAppServerHost.exe
QmsSvc.exe
ReplicaReplicatorAgent.exe
RTCArch.exe
RtcCdr.exe
RTCSrv.exe
SQLServr.exe
ReportingServicesService.exe
MSMDSrv.exe
In a separate file I put a list of paths (c:\temp\paths):
c:\windows\System32\LogFiles
c:\windows\SysWow64\LogFiles
c:\windows\Windows\Assembly\GAC_MSIL
c:\program files\Microsoft Lync Server 2010
c:\program files\common files\Microsoft Lync Server 2010
c:\RtcReplicaRoot
Here is a script:
# Process exclusions: one DWORD value named after the full path of each listed .exe found under c:\program files
Get-ChildItem -Recurse -Path "c:\program files" -Include *.exe | ? {(gc c:\temp\exefiles) -contains $_.name} | % {new-itemproperty "HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes\" -name $_.fullname -value 0 -propertytype "DWORD" }
# Path exclusions: one DWORD value per line of c:\temp\paths
gc c:\temp\paths | % {new-itemproperty "HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Paths\" -name $_ -value 0 -propertytype "DWORD" }
I put this code into lync_av_exclusions.ps1 and wrapped it in run.bat:
powershell c:\temp\lync_av_exclusions.ps1
And the final command to fire it up (-s to run as SYSTEM):
c:\temp\psexec -s c:\temp\run.bat
Check that the registry values were created and restart both services:
Get-Service | ? {$_.displayname -like "Microsoft Forefront Client Security*" } | Restart-Service
This is my code, it worked for me, you can use it, but please check it BEFORE running, at least with the -WhatIf switch for the New-ItemProperty cmdlet.
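To make the "check that the registry values were created" step repeatable on every server, here is an added example (not part of the original post) that only reads the Exclusions key and compares it with the two list files. The helper names and the Kind labels are illustrative, and it assumes the account running it can read the key.

```powershell
# Added example: read-only audit of FCS exclusions against the approved lists.
# Assumes the post's files c:\temp\exefiles and c:\temp\paths; helper names are illustrative.
$base = 'HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions'

function Read-List([string]$File) {
    # Non-empty, trimmed lines of a list file
    Get-Content -LiteralPath $File | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Get-ExclusionNames([string]$SubKey) {
    # In this key the value NAME is the excluded item; the DWORD data is 0
    $key = "$base\$SubKey"
    if (Test-Path -LiteralPath $key) { (Get-Item -LiteralPath $key).GetValueNames() }
}

function New-Finding([string]$Kind, [string]$Type, [string]$Item) {
    New-Object PSObject -Property @{ Kind = $Kind; Type = $Type; Item = $Item }
}

# @() keeps every list an array, even when it has zero or one entry
$approvedExe   = @(Read-List 'c:\temp\exefiles')
$approvedPaths = @(Read-List 'c:\temp\paths')
$actualProcs   = @(Get-ExclusionNames 'Processes')
$actualPaths   = @(Get-ExclusionNames 'Paths')

$findings = @(
    foreach ($p in $actualProcs) {
        if ($approvedExe -notcontains (Split-Path -Leaf $p)) {
            New-Finding 'Unapproved' 'Process' $p      # file name is not on the approved list
        } elseif (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            New-Finding 'StaleTarget' 'Process' $p     # excluded path has no file behind it
        }
    }
    foreach ($d in $actualPaths) {
        if ($approvedPaths -notcontains $d) { New-Finding 'Unapproved' 'Path' $d }
    }
    foreach ($d in $approvedPaths) {
        if ($actualPaths -notcontains $d) { New-Finding 'Missing' 'Path' $d }
    }
)

if ($findings.Count) { $findings | Sort-Object Kind, Type, Item | Format-Table Kind, Type, Item -AutoSize }
else { 'Exclusions match the approved lists.' }
```

Entries reported as Unapproved or StaleTarget are exclusions the scanner honours without a current best-practice reason, so they are the ones to review first.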