Microsoft says admins should remove some previously recommended antivirus exclusions for Exchange servers to enhance server security.
As the company explained, exclusions targeting ASP.NET temporary files and Inetsrv folders and PowerShell and w3wp processes are unnecessary because they no longer affect stability or performance.
However, administrators should be careful not to scan these locations and processes, as they are often exploited in attacks to deploy malware.
“Keeping these exclusions can prevent detections of IIS webshells and backdoor modules, which represent the most common security issues,” the Exchange team said. said.
“We have validated that removing these processes and folders does not affect performance or stability when using Microsoft Defender on Exchange Server 2019 running the latest Exchange Server updates.”
You can also safely remove these exclusions from servers running Exchange Server 2016 and Exchange Server 2013, but you should monitor them and be prepared to mitigate any issues that may arise.
The list of folder and process exclusions that should be removed from file-level antivirus scanners include:
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files %SystemRoot%\System32\Inetsrv %SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe %SystemRoot%\System32\inetsrv\w3wp.exe
To defend against attacks using similar tactics, you should always keep your Exchange servers up to date, use anti-malware and security solutions, restrict access to IIS virtual directories, prioritize alerts, and regularly inspect configuration files and bin folders for suspicious files.
Redmond also recently urged customers to keep on-premises Exchange servers up to date by applying the latest cumulative update (CU) so that they are ready to deploy emergency security updates.
It is also recommended to always run the Exchange Server Health Checker Script after deploying updates to detect common configuration issues or other issues that can be resolved with a simple change to the environment configuration.
As Shadowserver Foundation security researchers discovered in January, tens of thousands of Microsoft Exchange servers exposed to the Internet (more than 60,000 at the time) are always vulnerable to attacks take advantage of ProxyNotShell exploits.