Recommended Folder exclusions for Windows antivirus programs on Exchange 2016 servers

Exclude the following folders from file-level scanning and memory-resident scanning on Exchange 2016 servers.

Folder	Category	Description	Servers
%SystemRoot%\Cluster	DAGs	The cluster quorum database and other files for database availability groups (DAGs).	Mailbox servers
%SystemDrive%\DAGFileShareWitnesses\<DAGFQDN>	DAGs	The witness directory on the witness server that's configured for the DAG. The witness server can be virtually any Microsoft Windows server in the local Active Directory forest that isn't already a member of the DAG. To see the actual location, run the following command: Get-DatabaseAvailabilityGroup <DAGName>| Format-List *Witness*	Any
%ExchangeInstallPath%ClientAccess\OAB	Offline Address Books	Offline Address Book files.	Mailbox servers
%ExchangeInstallPath%FIP-FS	Antimalware and DLP	Content scanning that's used by the Malware agent and data loss prevention (DLP).	Mailbox servers
%ExchangeInstallPath%GroupMetrics	MailTips	Group Metrics files that are used to calculate values for the Large Audience and External Recipients MailTips.	Mailbox servers
%ExchangeInstallPath%Logging	Exchange process logs	This folder contains many different types of Exchange logs in subfolders. For example: Calendar Repair Assistant logs Managed Folder Assistant logs IMAP4 protocol logs POP3 protocol logs To see the actual locations, run the following commands: Get-MailboxServer -Server <ServerName> | Format-List *LogPath* Get-PopSettings <ServerName> | Format-List LogFileLocation Get-ImapSettings <ServerName> | Format-List LogFileLocation
%ExchangeInstallPath%Mailbox	Mailbox databases	Exchange databases, checkpoint files, and log files. By default, these files are located in subfolders based on the name of the database. To see the actual locations, run the following command: Get-MailboxDatabase -Server<ServerName> | Format-List EdbFilePath,LogFolderPath By default, database context index files are located in the same folder as the database files in a subfolder that's named after the GUID of the database.	Mailbox servers
%ExchangeInstallPath%TransportRoles\Data\Adam	EdgeSync	Active Directory Lightweight Directory Services (AD LDS) and log files.	Edge Transport servers
%ExchangeInstallPath%TransportRoles\Data\IpFilter	Connection filtering	IP filter database, checkpoint, and log files.	Edge Transport servers
%ExchangeInstallPath%TransportRoles\Data\Queue	Queues	Queue database, checkpoint, and log files.	Mailbox servers Edge Transport servers
%ExchangeInstallPath%TransportRoles\Data\SenderReputation	Sender reputation	Sender Reputation database, checkpoint, and log files.	Edge Transport servers Mailbox servers
%ExchangeInstallPath%TransportRoles\Data\Temp	Content conversion	Content conversion that's done in the transport pipeline.	Mailbox servers Edge Transport servers
%ExchangeInstallPath%TransportRoles\Logs	Transport logs	Mail flow and transport pipeline logs are located in subfolders, for example: Agent logging Connectivity logging Message tracking Pipeline tracing Send and Receive connector protocol logging To see the actual locations, run the following commands: Get-TransportService <ServerName> | Format-List *LogPath,*TracingPath Get-FrontEndTransportService <ServerName> | Format-List *LogPath Get-MailboxTransportService <ServerName> | Format-List *LogPath,*TracingPath	Mailbox servers Edge Transport servers (Transport service only)
%ExchangeInstallPath%TransportRoles\Pickup	Pickup directory	The Pickup directory is used by administrators for mail flow testing or by applications that need to create and submit their own message files. To see the actual location, run the following command: Get-TransportService <ServerName>| Format-List PickupDirectoryPath	Mailbox servers Edge Transport servers
%ExchangeInstallPath%TransportRoles\Replay	Replay directory	The Replay directory receives messages from foreign gateway servers and can also be used to resubmit messages that administrators export from the queues of Exchange servers. To see the actual location, run the following command: Get-TransportService <ServerName>| Format-List ReplayDirectoryPath	Mailbox servers Edge Transport servers
%ExchangeInstallPath%UnifiedMessaging\Grammars	Unified Messaging	Grammar files for different locales, for example en-EN or es-ES.	Mailbox servers
%ExchangeInstallPath%UnifiedMessaging\Prompts	Unified Messaging	Voice prompts, greetings, and informational message files.	Mailbox servers
%ExchangeInstallPath%UnifiedMessaging\Temp	Unified Messaging	Temporary files generated by Unified Messaging.	Mailbox servers
%ExchangeInstallPath%UnifiedMessaging\Voicemail	Unified Messaging	Voice mail files that are temporarily stored.	Mailbox servers
%ExchangeInstallPath%Working\OleConverter	Content conversion	Transport Neutral Encoding Format (TNEF), also known as Rich Text Format (RTF), to MIME/HTML conversions.	Mailbox servers Edge Transport servers
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files	Web components	Internet Information Services (IIS) compression folder that's used with Outlook on the web.	Mailbox servers
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files	Web components	Temporary files that are used with Exchange services. These files are located in the following subfolders: autodiscover ecp ews mapi mapi_emsmdb microsoft-server-activesync oab owa owa_calendar powershell root rpc	Mailbox servers
%SystemRoot%\System32\Inetsrv	Web components	IIS system files.	Mailbox servers
%SystemRoot%\Temp\OICE_<GUID>\	Exchange Search	Temporary files used by the Exchange Search service and Microsoft Filter Pack to perform file conversion in a sandboxed environment.	Mailbox servers

REF:https://technet.microsoft.com/en-us/library/bb332342(v=exchg.160).aspx#Folder