Since I started working with Outlook and Exchange in 1999, I have kept seeing Outlook clients used or configured with bad practices, and that is still true in 2018. I keep having to repeat myself or resend the same links. That is why I think it is useful to re-write a more recent post about what we, as Microsoft on-site, hands-on engineers, recommend for configuring Outlook: the use of PSTs, file-level anti-virus exclusions, and add-ins that scan e-mails already in Outlook, or scan e-mail as users are writing it, attaching files to it, or clicking the “Send” button.
Microsoft does not recommend using an Outlook Antivirus Add-In (confirmed at the bottom of this article). Not only is it known to badly impact the user experience, it is also redundant. It is redundant with the file-level antivirus already installed on the Windows desktop, which already scans any unwanted file reaching your hard drive, wherever it comes from: downloaded from a browser, saved as an attachment from Outlook, etc. It is also redundant with the following anti-virus layers that we hope you already have at the server and gateway level:
- At the Exchange server level –> server e-mail antivirus engines scan e-mails in the database as well as e-mails in transit, outgoing and incoming
- At the gateway level –> gateway anti-malware engines (SMTP appliances, Exchange Edge servers, etc.) scan outgoing and incoming e-mails as well – Microsoft recommends using Exchange Online Protection to scan your incoming / outgoing e-mails. On Exchange Online Protection, we use at least 3 different anti-virus engines that are constantly updated to block threats.
Also, using Outlook-side DLP add-ins can affect the responsiveness of the Outlook client and lead to a bad user experience – in Exchange 2013 and later, DLP functionality is also included on the server side. The advice here is to work with your security team to shift any custom DLP requirements you have to the server side. Here’s an overview of DLP on Exchange 2013, and an overview of DLP in Exchange 2016.
Finally, here are some general recommendations regarding Outlook configuration and behavior – some repeat the points above to highlight how important these recommendations are:
- Ensure no PST files are hosted on a network share
  - Sometimes “My Documents” is redirected to a network share for backup purposes
  - Also ensure you don’t have PST files that are too big: the bigger they are, the more prone to corruption they are as well – choose smaller PSTs, or best of all, no PSTs at all – rely on Exchange archiving (archive your e-mails on-prem using In-Place Archiving servers, or online using Exchange Online O365 servers) or any other archiving solution you may already have.
  - Consequences of having PSTs on a network share: at best, Outlook freezes and crashes; at worst, PST corruption; in between, weird behaviors like messages staying in the Outbox …
- Anti-virus / general e-mail scanning Outlook add-ins are known to cause user experience issues
  - Client-side DLP or anti-virus add-ins scan e-mail and attachments while attaching and/or sending => slows down the user experience
  - DLP functions are already included in Exchange 2013/2016
  - Microsoft recommends scanning e-mails at the server and at the gateway level, and best of the best, use Exchange Online Protection (see the schema and links above)
  - On top of that, you most likely already have file-level anti-virus scanning enabled on workstations, scanning files in real time (“on file created” scan), which already protects your company in case a malicious attachment makes its way to the desktop file system.
  - Recommendation: rely on Exchange Data Leak Protection and Antimalware included in Exchange 2013/2016, plus your gateway(s) and/or Exchange Online Protection if you want to scan your messages multiple times.
- Check the Outlook file exclusions of the file-level antivirus – there are plenty of articles explaining that you have to exclude Outlook files, especially if you’re using Outlook cached mode. Here are the main ones:
- Recommendation: do NOT use any e-mail desktop indexing software other than the Windows indexing engine
  - If you use 3rd-party general-purpose desktop indexing software, exclude e-mail from its indexing
  - Outlook 2013 blocks the ability to search for Outlook items by using Windows Desktop Search – but it uses Windows indexing capabilities for Instant Search – users just don’t access Outlook search through Windows Desktop Search, but through the Outlook interface directly instead
  - Reference: article explaining what to do when Outlook Instant Search is not working
- OST: Outlook cached mode is recommended to improve the client experience.
  - As part of the Outlook file exclusions for the file-level antivirus, the OST must NOT be scanned
  - The OST file must NOT be stored on a network share either (check that your user profile – pointed to by the %UserProfile% environment variable – is not on a network share)
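The checks above (profile or PST/OST on a network share, oversized PSTs, missing file-level AV exclusions) can be audited on a workstation with a short script. This is an added example, not code from the original post or from Microsoft; it assumes Windows PowerShell 5.1 with the built-in Windows Defender module (`Get-MpPreference`, other AV products keep their exclusions elsewhere), and the 10 GB size threshold is an assumed value, not one the post gives.

```powershell
# Added example (not from the original post): audit one workstation for the Outlook
# data-file pitfalls described above. Assumes Windows PowerShell 5.1+ and the
# Defender module; the 10 GB PST threshold is an assumption, tune it to your policy.

function Test-NetworkPath {
    param([Parameter(Mandatory)][string]$Path)
    if ($Path.StartsWith('\\')) { return $true }          # UNC path, e.g. redirected "My Documents"
    $qualifier = (Split-Path -Path $Path -Qualifier).TrimEnd(':')
    $drive = Get-PSDrive -Name $qualifier -PSProvider FileSystem -ErrorAction SilentlyContinue
    # A mapped network drive exposes its UNC root in DisplayRoot; local disks leave it empty.
    return ($null -ne $drive -and -not [string]::IsNullOrEmpty($drive.DisplayRoot))
}

function Get-OutlookDataFileFindings {
    param([long]$MaxPstBytes = 10GB)
    $findings = New-Object System.Collections.Generic.List[string]

    # The post's own check: is the whole user profile (%UserProfile%) on a share?
    if (Test-NetworkPath $env:USERPROFILE) { $findings.Add("User profile on network share: $env:USERPROFILE") }

    # Usual Outlook data-file locations; Documents itself may be redirected to a share.
    $roots = @([Environment]::GetFolderPath('MyDocuments'), (Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook'))
    $files = $roots | Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem -Path $_ -Recurse -Include *.pst, *.ost -File -ErrorAction SilentlyContinue }

    $mp = Get-MpPreference -ErrorAction SilentlyContinue   # $null when Defender is not the AV engine
    $excludedExt = @($mp.ExclusionExtension | ForEach-Object { $_.TrimStart('.') })

    foreach ($f in $files) {
        if (Test-NetworkPath $f.FullName) { $findings.Add("Outlook data file on network share: $($f.FullName)") }
        if ($f.Extension -eq '.pst' -and $f.Length -gt $MaxPstBytes) {
            $findings.Add("Large PST ($([math]::Round($f.Length / 1GB, 1)) GB), corruption risk: $($f.FullName)")
        }
        if ($mp) {
            # Covered if the extension is excluded or the file sits under an excluded folder.
            $covered = ($excludedExt -contains $f.Extension.TrimStart('.')) -or
                       ($mp.ExclusionPath | Where-Object { $f.FullName -like "$_*" })
            if (-not $covered) { $findings.Add("Not excluded from Defender real-time scanning: $($f.FullName)") }
        }
    }
    return $findings
}

Get-OutlookDataFileFindings | ForEach-Object { Write-Warning $_ }
```

Run it in the user's own session, since the profile, Documents redirection and mapped drives are all per-user; an empty result means none of the listed pitfalls was found in the scanned locations.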
Also, here is a place to start when investigating Outlook issues – a bit old, but some points are still applicable in 2018…
Hope this helps,