
My idea:

I have many customers using Veeam with an Advanced Design (virtualized VBR and other components) using separate VLANs in combination with OS hardening and Windows Defender as the default antivirus solution. I know only very few customers who apply AV exclusions as per Veeam best practice, which may lead to performance issues and errors during several processes (e.g. FLR - file level restores).

 

My goal is to approach this challenge by script, to let end users (and Veeam experts) choose the appropriate Veeam component and let the script apply the Defender AV exclusions and the Defender FW exclusions automatically.

 

Disclaimer:

Important: I do not provide any guarantee that the script, which has been successfully tested by me, will run without errors in every environment. The script is intended solely to simplify and standardize procedures, which may not be suitable for every environment! Additionally, I do not guarantee the completeness of the tests!

 

Requirements and procedure:

The script is designed for new and existing installations (add-on character)!

  • The server should not be a domain member, but it works with domain-joined systems
  • OS: Windows Server 2022 or 2025 Standard or Datacenter!

 

Procedure for new installations:

  1. Install Windows Server (as required).
  2. Install drivers (VMware Tools or vendor-specific drivers).
  3. Set IP configurations (assign IP address, etc.).
  4. Set server name and workgroup, then restart the server.
  5. Create a folder named “Install” on drive C:.
  6. Perform Windows OS hardening (e.g. by script)
  7. Allow the server to restart (if required) and install Veeam software.
  8. Apply / implement the Veeam Security & Compliance script.
  9. Copy the AV script into the Install folder.
  10. Execute the script with administrative privileges (PowerShell).
  11. Run the script by selecting the appropriate components (multiple component selections - one after the other - are possible!)

Important: I recommend familiarizing yourself with the content listed below, as it introduces changes that may affect the operation of the system!

 

The script can be run multiple times; it checks for the presence of the rules and applies only the rules and exclusions that do not exist yet!

 

The script can also be run when an external antivirus software is installed, but I cannot guarantee that the exclusions will be set correctly. Often the external solutions require setting exclusions and policies separately on a management console (meanwhile often cloud consoles).

 

Script architecture:

I'm working with a dynamic directory scan for most of the components (except Veeam ONE and Veeam for M365) to find Veeam executables that have to be added as Defender exclusion. This has several reasons:

 

Maintainability:

If I listed each .exe one by one, any minor update (e.g. Veeam adds a new helper EXE in the next patch) would require manually updating the script. With a folder scan, you get immediate coverage for all executables.

 

Coverage:

With a dynamic scan I ensure the completeness of the script regarding .exe exclusions. A typo could lead to issues and a missing exclusion for a specific executable.

 

Veeam ONE and Veeam for M365 specify the exact executables, and from my experience these two components are a bit more static than e.g. VBR, so I followed the KB articles straight.

 

Folder creation:

I decided to check if a specific folder exists and in case not, to let the script create it. This avoids future issues with missing rules.

Example: A newly created VBR environment has never performed a FLR, so the appropriate folders may not be present at all; that would cause the script to fail and the rules to be missing. The impact may be present the second a FLR is performed, so I decided to avoid this by pre-creating the folders before they are needed.

 

Sources:

I used the Veeam KB articles as the data source for the script and included some personal best practices and experiences as well.

KB1999: Antivirus Exclusions for Veeam Backup & Replication

Ports - User Guide for VMware vSphere (and other hypervisor KB articles)

KB2046: Antivirus Exclusions for Veeam ONE

Ports - Veeam ONE Deployment Guide

KB3074: Antivirus Exclusions for Veeam Backup for Microsoft 365

Ports - Veeam Backup for Microsoft 365 Guide

KB2763: Antivirus Exclusions for Veeam Recovery Orchestrator

Ports - Veeam Recovery Orchestrator User Guide

 

Downloading the script:

Here is the corresponding GitHub link:

lukas-kl/veeam-win-av-script: Veeam AV Exclusion Script for Windows

 

Domain joined vs. Workgroup:

Some Veeam systems might be located within a dedicated domain. I always recommend my customers to avoid joining Veeam systems to a domain to avoid performing any kind of hardening to that backup or DR domain.

This script is basically able to run on both domain-joined and standalone (Workgroup) systems but please keep in mind that existing GPOs might overwrite the rules and policies set by the script!

 

Execution & script contents (ReadMe):

  • Check, if Windows Defender Antivirus is enabled (if not, enable it)
  • Check, if Windows Defender Antivirus real-time protection is enabled (if not, enable it)
  • Check, if Windows Defender Firewall is enabled (if not, enable it)
  • Declaration of function for Defender folder exclusions
  • Declaration of function for Defender process exclusion (dynamically by finding processes within the Veeam folders)
  • Declaration of function for Defender extension exclusion (dynamically by finding executables within the Veeam folders)
  • Declaration of function for Defender firewall rule
  • Adding a main menu to select one of the following components:
    • Veeam Backup Server
    • Veeam Proxy Server
    • Veeam Backup Repository (Windows)
    • Veeam WAN Accelerator
    • Veeam Tape Server
    • Veeam Backup Enterprise Manager
    • Veeam Backup & Replication Console
    • Veeam Cloud Gateway Server
    • Veeam ONE Server
    • Veeam Backup for Microsoft 365 Server
    • Veeam Recovery Orchestrator
  • Output log file to C:\Install

 

As always I’m very happy to get feedback and develop this script further! I already have 7 production systems running with this script - currently without any issues.

 

If you want you can refer to my blog on this as well:

22 – Automated implementation of AV exclusions – Disaster and Recovery

 

Enjoy!
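As an added example (this is not the lukas-kl/veeam-win-av-script code from the post, just a skeleton written for this thread), here is the architecture described above in compact PowerShell: turn-on-only checks for Defender and the firewall, idempotent folder and process exclusions with a dynamic .exe scan, pre-creation of missing folders, name-checked firewall rules and a log under C:\Install. The folder paths and ports in the $Components table are assumed placeholders for illustration only; the authoritative per-component lists are KB1999 and the Ports sections of the Veeam guides.

```powershell
#Requires -RunAsAdministrator
# Added example, not the script from the post. Paths and ports below are ASSUMED
# placeholders; take the real lists from KB1999 and the Veeam port tables.

$LogFile = 'C:\Install\veeam-av-exclusions.log'
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

function Assert-DefenderActive {
    # Only ever turn protection ON. Set-MpPreference fails when Tamper Protection or a GPO owns the setting.
    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled) { Write-Log "WARN: Defender AV not active (AMRunningMode=$($status.AMRunningMode))" }
    if (-not $status.RealTimeProtectionEnabled) {
        Write-Log 'Enabling Defender real-time protection'
        Set-MpPreference -DisableRealtimeMonitoring $false
    }
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -eq 'False') {
            Write-Log "Enabling firewall profile $($p.Name)"
            Set-NetFirewallProfile -Name $p.Name -Enabled True
        }
    }
}

function Add-FolderExclusion {
    param([string[]]$Path)
    $existing = (Get-MpPreference).ExclusionPath
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            # Pre-create e.g. the FLR mount folder so the exclusion exists before the first restore.
            New-Item -ItemType Directory -Path $p -Force | Out-Null
            Write-Log "Created: $p"
        }
        if ($existing -contains $p) { Write-Log "Exists : path $p"; continue }
        Add-MpPreference -ExclusionPath $p
        Write-Log "Added  : path $p"
    }
}

function Add-ProcessExclusion {
    # Dynamic scan: every .exe below the install folders, so a helper EXE added by the
    # next patch is covered on the next run without editing the component table.
    param([string[]]$Root)
    $existing = (Get-MpPreference).ExclusionProcess
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { Write-Log "Skip   : $r not present"; continue }
        Get-ChildItem -LiteralPath $r -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue | ForEach-Object {
            if ($existing -contains $_.FullName) { return }
            Add-MpPreference -ExclusionProcess $_.FullName
            Write-Log "Added  : process $($_.FullName)"
        }
    }
}

function Add-FirewallRule {
    param([string]$DisplayName, [string]$Protocol, [string]$LocalPort, [string]$Direction = 'Inbound')
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Write-Log "Exists : rule $DisplayName"; return
    }
    New-NetFirewallRule -DisplayName $DisplayName -Direction $Direction -Protocol $Protocol `
        -LocalPort $LocalPort -Action Allow -Profile Any | Out-Null
    Write-Log "Added  : rule $DisplayName ($Protocol $LocalPort $Direction)"
}

# ASSUMED illustrative entries for one component; fill per KB1999 / the port tables.
$Components = @{
    'Veeam Backup Server' = @{
        Folders   = @('C:\Program Files\Veeam', 'C:\Program Files (x86)\Veeam', 'C:\VeeamFLR')
        ScanRoots = @('C:\Program Files\Veeam', 'C:\Program Files (x86)\Veeam')
        Rules     = @(
            @{ Name = 'Veeam - Backup Service (TCP 9392)';  Protocol = 'TCP'; Port = '9392' },
            @{ Name = 'Veeam - Data Mover (TCP 2500-3300)'; Protocol = 'TCP'; Port = '2500-3300' }
        )
    }
}

function Invoke-VeeamComponent {
    param([string]$Name)
    $c = $Components[$Name]
    if (-not $c) { throw "Unknown component '$Name'" }
    Write-Log "=== $Name ==="
    Assert-DefenderActive
    Add-FolderExclusion  -Path $c.Folders
    Add-ProcessExclusion -Root $c.ScanRoots
    foreach ($r in $c.Rules) { Add-FirewallRule -DisplayName $r.Name -Protocol $r.Protocol -LocalPort $r.Port }
    # Verify the effective state; GPO-managed exclusions show up here but cannot be changed locally.
    Write-Log (Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess | Format-List | Out-String)
}

# Minimal text menu; re-running is safe because every Add-* function checks before adding.
$names = @($Components.Keys | Sort-Object)
for ($i = 0; $i -lt $names.Count; $i++) { Write-Host ('{0}) {1}' -f ($i + 1), $names[$i]) }
$pick = [int](Read-Host 'Select component number')
if ($pick -ge 1 -and $pick -le $names.Count) { Invoke-VeeamComponent -Name $names[$pick - 1] }
```

Two points to keep in mind when adopting this pattern: Defender exclusions added with Add-MpPreference are a well-known target for attackers who already hold local admin, so keep the list to what KB1999 actually requires and review the Get-MpPreference output the script logs; and where the design allows, scope the firewall rules with -RemoteAddress to the peers that need the port rather than leaving them open to Any. If Tamper Protection or a GPO manages Defender, the Set-MpPreference/Add-MpPreference calls will be refused or overridden, which is the case the post's domain-join caveat is about.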

@lukas.k 

I also created a PowerShell script to automate AV exclusions and import all rules related to the Veeam service.

GitHub link doesn't work

Great job! Thank you!

 


This is definitely something those of us who design and support Veeam need.  Always hard to tweak everything manually and get it right without some troubleshooting. 😂 

This will be a great tool.  Thanks and I will definitely give feedback after a few tests.


Would be even better if Veeam would configure this during installation and/or include this in the BP check (if it isn't already)

nonetheless this code is very welcome.


Thanks ​@lukas.k for the final publish! This is great.

In the last couple of weeks you gave me a sneak peek to it and I had many successful implementations of it. Both me and my customers do really appreciate it. Thanks for your effort. 👏


Would be even better if Veeam would configure this during installation and/or include this in the BP check (if it isn't already)

nonetheless this code is very welcome.

I partially agree here.

The script lets you select which component you'd like to deploy the rules for. Since an all-in-one deployment gets out of fashion (which I appreciate!) you manually have to declare which component is present and running.

 

Veeam shouldn’t just whitelist everything on every component even if there won’t be a specific service installed.

 

Thank you for your feedback!


@lukas.k - your GitHub link is not working properly as I just tried to get the script.



Thank you Chris! Simply forgot to make it public...Please try again



No problem.  That fixed it and it is available.  👍🏼


Too often I see people just disabling the firewall to make things work, with them thinking that that’s an acceptable solution. This is much better step in the right direction.

Thank you for sharing this!



Spot on, and this behaviour should be discouraged! 


Great effort, thank you ​@lukas.k. A new request, if possible - We would need a new version that also takes third-party AV into consideration, since Microsoft Defender Antivirus does not automatically switch to passive mode when another antivirus product is installed on Windows Server.

Cheers!!!



Hi ​@Iams3le,

Thanks for your input.

I also considered this, but after reviewing different AV vendors I found it very difficult to "generalize" this. There are so many vendors on the market that I'd have to extend the script and maintain the script for, let's start with 8 vendors - that would be a very heavy workload.

 

Often these AV products not only have AV in focus but also XDR so you also have to pay attention to those exceptions which might be very hard to script.

The customers often use web-based GUIs to maintain and configure these solutions so I always recommend my customers that run such solutions to maintain Veeam exceptions using those web GUIs in combination with Veeam KBs.

 

Hope that's understandable and somehow gets agreement.

Lukas



Absolutely correct! Just thinking how everyone can correctly utilize your excellent script. I thought about determining if a third-party AV is running via the script; then one or more steps that would require third-party AV tweaking can be skipped, due to the effort you mentioned. With CimInstance or WMI, we can easily query the presence of a third-party AV. See: https://learn.microsoft.com/en-us/answers/questions/2195080/powershell-get-information-about-antivirus

This enhancement will not only improve the script's versatility but also ensure that it can be effectively utilized across different customer environments, regardless of the AV solution in use.
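Following up on the CIM idea in the reply above, here is an added PowerShell example (not part of the post's script) of a pre-check that tells a script whether Defender is the active engine before it touches any Defender setting. It queries root/SecurityCenter2 where that namespace exists (client Windows only; it is absent on Windows Server, which is also why Defender does not go passive there on its own), looks for running services of known vendors, and reads Defender's own AMRunningMode everywhere. The vendor service-name patterns are an assumed, illustrative list that has to be maintained per environment.

```powershell
# Added example, not the script from the post. The vendor service-name patterns are ASSUMED placeholders.
function Get-AntivirusState {
    $result = [ordered]@{ ThirdPartyAv = @(); DefenderMode = $null; DefenderRealtime = $null }

    # 1) Client Windows only: Security Center registration. The namespace does not exist
    #    on Windows Server, so this silently returns nothing there.
    $sc = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $sc) {
        if ($p.displayName -match 'Windows Defender|Microsoft Defender') { continue }
        # productState bitmask: 0x10 in the middle byte = enabled, 0x10 in the low byte = signatures stale
        $state = [int]$p.productState
        $result.ThirdPartyAv += [pscustomobject]@{
            Name            = $p.displayName
            Enabled         = [bool]((($state -shr 8) -band 0xFF) -band 0x10)
            SignaturesStale = [bool](($state -band 0xFF) -band 0x10)
            Source          = 'SecurityCenter2'
        }
    }

    # 2) Any Windows: running services of known vendors (ASSUMED patterns, extend per environment).
    $vendorPattern = 'Sophos|CrowdStrike|SentinelOne|Trend Micro|Symantec|McAfee|ESET|Kaspersky|Bitdefender|Cortex XDR'
    Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.DisplayName -match $vendorPattern } | ForEach-Object {
        $result.ThirdPartyAv += [pscustomobject]@{ Name = $_.DisplayName; Enabled = $true; SignaturesStale = $null; Source = 'Service' }
    }

    # 3) Ask Defender itself. On Server a third-party AV does NOT flip this to passive automatically.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $result.DefenderMode     = $mp.AMRunningMode   # Normal, Passive Mode, EDR Block Mode, SxS Passive Mode, Not running
        $result.DefenderRealtime = $mp.RealTimeProtectionEnabled
    }
    [pscustomobject]$result
}

$av = Get-AntivirusState
if ($av.ThirdPartyAv.Count -gt 0 -or $av.DefenderMode -match 'Passive') {
    $names = ($av.ThirdPartyAv.Name | Select-Object -Unique) -join ', '
    Write-Warning "Third-party AV present ($names); Defender mode '$($av.DefenderMode)'. Set the Veeam exclusions in the vendor console per the KBs and skip the Defender steps."
} else {
    Write-Host "Defender is the active engine (mode '$($av.DefenderMode)', real-time $($av.DefenderRealtime)); Defender exclusions apply."
}
```

On Windows Server the usable signal is therefore the service check together with AMRunningMode: if a vendor product is running and Defender still reports Normal, both engines are scanning side by side, and a script should stop rather than add exclusions that only one of them honours (putting Defender into passive mode on Server is a deliberate policy decision by the admin, not something the script should do).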

 


So far testing has been pretty good and this script works well.  Still need to test a few more things but great job 👍 


Great initiative, Lukas! Automating AV and FW exclusions for Veeam components is a much needed step toward reducing manual errors and improving consistency across deployments. I appreciate the dynamic approach you have taken with directory scans.


Absolutely correct! Just thinking how everyone can correctly utilize your excellent script. I thought about determining if a third-party AV is running via the script; then one or more steps that would require third-party AV tweaking can be skipped, due to the effort you mentioned. With CimInstance or WMI, we can easily query the presence of a third-party AV. See: https://learn.microsoft.com/en-us/answers/questions/2195080/powershell-get-information-about-antivirus

This enhancement will not only improve the script's versatility but also ensure that it can be effectively utilized across different customer environments, regardless of the AV solution in use.

 

That’s a nice idea actually! I’ve already written that on my agenda so let’s see if I can implement this for the next version of the script.

Thank you!


I recently discovered a Veeam server that was taking over 60 hours to complete a synthetic full on an ReFS drive. Given that an active full only took 2 hours, I found this to be very strange. I took a look at the resource monitor and found that MsMpEng.exe was reading the synthetic full as it was being created.

After I put in the AV exclusions listed in KB1999, the synthetic full completed in just 5 minutes!

It was pretty tedious adding in exclusions one by one though, so in the future I will definitely consider using this script to speed up that process.
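For the situation described in the comment above (MsMpEng.exe reading a synthetic full while it is being written), here is an added PowerShell check, not from the post, that shows whether exclusions are actually effective instead of inferring it from job duration. It assumes a Defender platform that ships the performance analyzer cmdlets (New-MpPerformanceRecording / Get-MpPerformanceReport), that the trace can be written to C:\Install, and that the TopFiles entries expose Path and TotalDuration as the analyzer documents; the backup file extensions in the last check are an assumption as well.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the post. Start this while a synthetic full or FLR is running.
$Trace = 'C:\Install\defender-trace.etl'   # assumed location

# Records Defender real-time scan events for 120 s, then stops on its own.
New-MpPerformanceRecording -RecordTo $Trace -Seconds 120

# Which files, extensions and processes cost the most scan time?
$report = Get-MpPerformanceReport -Path $Trace -TopFiles 10 -TopExtensions 10 -TopProcesses 10
$report.TopFiles      | Format-Table -AutoSize
$report.TopExtensions | Format-Table -AutoSize
$report.TopProcesses  | Format-Table -AutoSize

# Cross-check against the configured exclusions: a hot file under an excluded folder means the
# exclusion is not effective (typo, GPO override, or the repository is reached via another path/UNC).
$excluded = @((Get-MpPreference).ExclusionPath)
foreach ($f in $report.TopFiles) {
    $covered = $excluded | Where-Object { $f.Path -like ($_.TrimEnd('\') + '\*') }
    if ($covered) {
        Write-Warning "Scanned despite exclusion '$covered': $($f.Path) ($($f.TotalDuration))"
    } elseif ($f.Path -match '\.(vbk|vib|vbm)$') {   # ASSUMED Veeam backup file extensions
        Write-Warning "Backup file outside any path exclusion: $($f.Path)"
    }
}
```

An empty TopFiles list for the repository volume after the exclusions are in place is the result you want; if the backup files still appear, fix the exclusion rather than widening it, because a typo in one path is exactly the case the dynamic folder scan in the post's script is meant to avoid.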


AV exclusions are often overlooked and responsible for a large number of performance related issues.

This looks like it will be a great tool to help to optimise performance.