Published: Feb 24, 2023
Microsoft has published an advisory recommending that IT admins remove select antivirus exclusions on Exchange Servers. The company explained that this configuration change should help IT admins improve the security posture of their organizations.
Up until now, Microsoft recommended that Exchange Server admins configure antivirus solutions to protect their systems. It is also considered good practice to enable exclusions for specific file types, processes, and paths, which reduces the chance of unexpected failures (such as unexpected database dismounts) caused by restricted access to a file or folder.
Microsoft detailed that IT administrators should remove certain objects from the exclusion list. These objects include the PowerShell and w3wp processes as well as the Temporary ASP.NET Files and Inetsrv folders. Microsoft warned that these exclusions could allow attackers to deploy malware in vulnerable Exchange Server environments.
“We’ve found that some existing exclusions, namely the Temporary ASP.NET Files and Inetsrv folders, and the PowerShell and w3wp processes – are no longer needed, and that it would be much better to scan these files and folders. Keeping these exclusions may prevent detections of IIS webshells and backdoor modules, which represent the most common security issues,” the Exchange team explained.
Here’s the list of folder and process exclusions that should be removed from Exchange Server 2016 and Exchange Server 2013.
Folders:
1) %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
2) %SystemRoot%\System32\Inetsrv

Processes:
1) %SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe
2) %SystemRoot%\System32\inetsrv\w3wp.exe
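As an added example (not from the advisory or from Microsoft's own tooling), the following PowerShell script removes these four exclusions from Microsoft Defender Antivirus and then confirms they are gone. It assumes Defender is the installed antivirus and that it runs in an elevated session on the Exchange server; third-party products need the equivalent change made in their own console.

```powershell
# Added example: remove the folder and process exclusions the Exchange team
# says are no longer needed, then verify. Assumes Microsoft Defender Antivirus
# and an elevated session on the Exchange server.
$targets = @{
    ExclusionPath = @(
        '%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files',
        '%SystemRoot%\System32\Inetsrv'
    )
    ExclusionProcess = @(
        '%SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe',
        '%SystemRoot%\System32\inetsrv\w3wp.exe'
    )
}

# Exclusions may have been entered with %SystemRoot% or with the expanded
# path, so match both forms. -contains compares case-insensitively.
function Get-MatchingExclusions([string[]]$Current, [string[]]$Wanted) {
    $variants = $Wanted | ForEach-Object {
        $_
        [Environment]::ExpandEnvironmentVariables($_)
    }
    return @($Current | Where-Object { $variants -contains $_ })
}

$pref = Get-MpPreference
foreach ($kind in $targets.Keys) {
    $hits = Get-MatchingExclusions -Current @($pref.$kind) -Wanted $targets[$kind]
    if ($hits.Count -eq 0) {
        Write-Host "No matching $kind entries configured."
        continue
    }
    Write-Host "Removing $kind entries:`n  $($hits -join "`n  ")"
    $splat = @{ $kind = $hits }      # pass -ExclusionPath or -ExclusionProcess
    Remove-MpPreference @splat
}

# Verify: anything still matching means the removal did not take effect.
$after = Get-MpPreference
foreach ($kind in $targets.Keys) {
    $left = Get-MatchingExclusions -Current @($after.$kind) -Wanted $targets[$kind]
    if ($left.Count -gt 0) {
        Write-Warning "Still excluded under ${kind}: $($left -join ', ')"
    } else {
        Write-Host "$kind: none of the listed entries remain."
    }
}
```

Review the remaining exclusions with Get-MpPreference afterwards, since exclusions set through Group Policy are not removed by this cmdlet and must be changed in the policy instead.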
Microsoft notes that removing the exclusions should not cause stability or performance issues for customers using Microsoft Defender on Exchange Server 2019. For Exchange Server 2016 and Exchange Server 2013, the company suggests that IT pros monitor for and mitigate any issues that might occur. Microsoft advises customers who encounter issues to reconfigure the exclusions and share their feedback with the Exchange team.