My idea:

I have many customers running Veeam in an Advanced Design (virtualized VBR and other components) on separate VLANs, in combination with OS hardening and Windows Defender as the default antivirus solution. Only very few of them apply the AV exclusions Veeam recommends as best practice, and missing exclusions can cause performance issues and errors in several processes (e.g. FLR, file-level restore).

My goal is to address this by script: the end user (or Veeam expert) chooses the appropriate Veeam component, and the script applies the Defender AV exclusions and the Defender firewall rules for that component automatically.

Disclaimer:

Important: I do not guarantee that the script, which I have tested successfully, will run without errors in every environment. The script is intended solely to simplify and standardize procedures, which may not be suitable for every environment! Additionally, I do not guarantee the completeness of the tests!

Requirements and procedure:

The script is designed for new and existing installations (it has add-on character, i.e. it is applied on top of an existing Veeam installation)!

  • The server should preferably not be a domain member, although the script also works on domain-joined systems
  • OS: Windows Server 2022 or 2025, Standard or Datacenter

Procedure for new installations:

  1. Install Windows Server (as required).
  2. Install drivers (VMware Tools or vendor-specific drivers).
  3. Set IP configurations (assign IP address, etc.).
  4. Set server name and workgroup, then restart the server.
  5. Create a folder named “Install” on drive C:.
  6. Perform Windows OS hardening (e.g. by script)
  7. Allow the server to restart (if required) and install Veeam software.
  8. Apply / implement the Veeam Security & Compliance script.
  9. Copy the AV script into the Install folder.
  10. Execute the script with administrative privileges (PowerShell).
  11. Run the script and select the appropriate component (multiple component selections, one after the other, are possible!)

Important: I recommend familiarizing yourself with the content listed below, as it introduces changes that may affect the operation of the system!

The script can be run multiple times: it checks which rules and exclusions are already present and applies only the missing ones!

The script can also be run when a third-party antivirus product is installed, but I cannot guarantee that the exclusions will be set correctly. Third-party solutions often require exclusions and policies to be set separately in their management console (nowadays frequently a cloud console).

Script architecture:

I use a dynamic directory scan for most components (except Veeam ONE and Veeam Backup for Microsoft 365) to find the Veeam executables that have to be added as Defender exclusions, for several reasons:

Maintainability:

If I listed each .exe one by one, any minor update (e.g. Veeam adding a new helper EXE in the next patch) would require manually updating the script. With a folder scan, all executables are covered immediately.

Coverage:

The dynamic scan makes the .exe exclusions complete by construction. With a hand-maintained list, a single typo would silently leave a specific executable without an exclusion.

The KB articles for Veeam ONE and Veeam Backup for Microsoft 365 specify the exact executables, and in my experience these two components are more static than e.g. VBR, so I followed the KB articles as written.

Folder creation:

I decided to check whether a specific folder exists and, if not, let the script create it. This avoids future issues with missing rules.

Example: A newly created VBR environment has never performed an FLR, so the corresponding folders may not exist at all; that would cause the script to fail and the rules to be missing. The impact would show up the moment the first FLR is performed, so I avoid this by pre-creating the folders before they are needed.
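The following PowerShell is an added example of the two mechanisms described above (folder pre-creation and the dynamic .exe scan), written for this page and not taken from the author's script. It assumes C:\Install exists as the log location (step 5 of the procedure); the VBR install path and the FLR folder shown at the bottom are assumptions for illustration only, the authoritative folder list comes from the KB article for the component (e.g. KB1999). Both functions are safe to re-run: they read the current Defender configuration first and add only what is missing.

```powershell
# Added example, not the author's script: idempotent Defender exclusions
# with folder pre-creation and a dynamic .exe scan.
# All paths below are ASSUMED for illustration; take the authoritative
# folder list from the Veeam KB article for the component (e.g. KB1999).
#Requires -RunAsAdministrator

$LogDir  = 'C:\Install'
$LogFile = Join-Path $LogDir 'VeeamAVExclusions.log'
if (-not (Test-Path -LiteralPath $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
}

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Write-Host $line
    Add-Content -Path $LogFile -Value $line
}

function Add-DefenderFolderExclusion {
    param([Parameter(Mandatory)][string]$Path)

    # Pre-create the folder so the exclusion exists before Veeam first
    # writes there (e.g. the first FLR mount) instead of failing on a
    # path that is not there yet.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path -Force | Out-Null
        Write-Log "Created folder $Path"
    }

    # Re-runnable: only add what is not already configured.
    $existing = @((Get-MpPreference).ExclusionPath)
    if ($existing -contains $Path) {
        Write-Log "Folder exclusion already present: $Path"
        return
    }
    Add-MpPreference -ExclusionPath $Path
    Write-Log "Added folder exclusion: $Path"
}

function Add-DefenderProcessExclusionsFromFolder {
    param([Parameter(Mandatory)][string]$Root)

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Log "Process scan skipped, folder not found: $Root"
        return
    }

    # Dynamic scan: every .exe below the Veeam folder becomes a process
    # exclusion, so a helper EXE added by a patch is covered on the next run.
    $existing = @((Get-MpPreference).ExclusionProcess)
    Get-ChildItem -LiteralPath $Root -Filter '*.exe' -Recurse -File |
        ForEach-Object {
            if ($existing -contains $_.FullName) { return }   # already excluded
            Add-MpPreference -ExclusionProcess $_.FullName
            Write-Log "Added process exclusion: $($_.FullName)"
        }
}

# Usage; the VBR install and FLR paths are assumptions for illustration.
$VbrRoot = 'C:\Program Files\Veeam\Backup and Replication'
foreach ($folder in @($VbrRoot, 'C:\VeeamFLR')) {
    Add-DefenderFolderExclusion -Path $folder
}
Add-DefenderProcessExclusionsFromFolder -Root $VbrRoot
```

Every exclusion is a blind spot for Defender, so keep the scan root limited to the Veeam installation folder and keep the NTFS ACLs on that folder tight: a process exclusion for everything under a directory is only as trustworthy as the control over who can write new executables into it. Get-MpPreference returns the merged effective configuration, so exclusions pushed by Group Policy are also seen by the "already present" check, but they cannot be removed locally.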

Sources:

I used the Veeam KB articles as the data source for the script and added some personal best practices and experience as well.

KB1999: Antivirus Exclusions for Veeam Backup & Replication

Ports – User Guide for VMware vSphere (and other hypervisor KB articles)

KB2046: Antivirus Exclusions for Veeam ONE

Ports – Veeam ONE Deployment Guide

KB3074: Antivirus Exclusions for Veeam Backup for Microsoft 365

Ports – Veeam Backup for Microsoft 365 Guide

KB2763: Antivirus Exclusions for Veeam Recovery Orchestrator

Ports – Veeam Recovery Orchestrator User Guide

Downloading the script:

Within the Veeam Community, the script, including all related information, is available for download at:

v1.0: Veeam Windows AV Script v1.0 – Automated implementation of AV and FW exclusions | Veeam Community Resource Hub

Here is the corresponding GitHub link:

lukas-kl/veeam-win-av-script: Veeam AV Exclusion Script for Windows

Domain joined vs. Workgroup:

Some Veeam systems might be located within a dedicated domain. I always recommend that my customers do not join Veeam systems to a domain at all, which also avoids having to harden a dedicated backup or DR domain.

The script runs on both domain-joined and standalone (workgroup) systems, but keep in mind that existing GPOs might override the rules and policies set by the script!

Execution & script contents (ReadMe):

  • Check whether Windows Defender Antivirus is enabled (if not, enable it)
  • Check whether Windows Defender Antivirus real-time protection is enabled (if not, enable it)
  • Check whether Windows Defender Firewall is enabled (if not, enable it)
  • Declaration of a function for Defender folder exclusions
  • Declaration of a function for Defender process exclusions (dynamically, by finding the executables within the Veeam folders)
  • Declaration of a function for Defender extension exclusions (dynamically, by finding executables within the Veeam folders)
  • Declaration of a function for Defender firewall rules
  • Adding a main menu to select one of the following components:
    • Veeam Backup Server
    • Veeam Proxy Server
    • Veeam Backup Repository (Windows)
    • Veeam WAN Accelerator
    • Veeam Tape Server
    • Veeam Backup Enterprise Manager
    • Veeam Backup & Replication Console
    • Veeam Cloud Gateway Server
    • Veeam ONE Server
    • Veeam Backup for Microsoft 365 Server
    • Veeam Recovery Orchestrator
  • Output log file to C:\Install
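As an added example of the first three checks and the firewall-rule function in the list above (written for this page, not code from the author's script), the block below reads the Defender and firewall state before changing anything and creates a rule only when no rule with that display name exists, so repeated runs do not pile up duplicates. The rule name, group and port number at the bottom are assumptions for illustration; real port numbers must be taken from the Veeam port reference for the component.

```powershell
# Added example, not the author's script: Defender state checks and an
# idempotent Windows Defender Firewall rule function.
# Rule name, group and port below are ASSUMED illustrations; take real
# port numbers from the Veeam port reference for the component.
#Requires -RunAsAdministrator

function Assert-DefenderEnabled {
    # Get-MpComputerStatus fails if the Defender feature itself is absent,
    # so an error here means the prerequisite is missing, not a bug.
    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled) {
        # Typically another AV product is registered; Defender exclusions
        # will then have no effect until that product is removed.
        Write-Warning 'Defender Antivirus is not enabled; exclusions will not be effective.'
    }
    if (-not $status.RealTimeProtectionEnabled) {
        Set-MpPreference -DisableRealtimeMonitoring $false
        Write-Host 'Enabled Defender real-time protection'
    }
}

function Assert-FirewallEnabled {
    # Enable every profile that is not already on (Domain, Private, Public).
    Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
        Set-NetFirewallProfile -Name $_.Name -Enabled True
        Write-Host "Enabled firewall profile $($_.Name)"
    }
}

function Add-VeeamFirewallRule {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][int[]]$Port,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP',
        [ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Inbound',
        [string]$Group = 'Veeam'          # assumed group name for easy filtering
    )

    # Idempotent: the rule is identified by its display name, so a second
    # run finds it and leaves it alone instead of creating a duplicate.
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Write-Host "Firewall rule already present: $DisplayName"
        return
    }

    New-NetFirewallRule -DisplayName $DisplayName -Group $Group `
        -Direction $Direction -Protocol $Protocol -LocalPort $Port `
        -Action Allow -Profile Any | Out-Null
    Write-Host "Added firewall rule: $DisplayName ($Protocol $($Port -join ','))"
}

Assert-DefenderEnabled
Assert-FirewallEnabled
# Assumed illustration of one inbound rule; replace with the documented ports.
Add-VeeamFirewallRule -DisplayName 'Veeam Backup Service (TCP-In)' -Port 9392
```

On a domain-joined server, a firewall profile or rule set that is enforced by Group Policy will show the GPO's values here and will be re-applied at the next policy refresh, which is the override the "Domain joined vs. Workgroup" section warns about; Get-NetFirewallRule -PolicyStore ActiveStore shows the effective set including GPO-delivered rules if you need to see what actually applies.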