Remove AV Exclusions for Microsoft’s Exchange
February 27, 2023
According to Microsoft’s Exchange Team, it is recommended to remove specific folder and process exclusions from the file-level Antivirus (AV) scanner.
The Issue:
Keeping the exclusions may prevent detection of Internet Information Services (IIS) webshells and backdoor modules. Threat actors might use malicious IIS web server extensions and modules to backdoor unpatched Microsoft Exchange servers.
Products:
Microsoft Exchange Server: All Products.
- Exchange Server 2019
Removing these process and folder exclusions doesn’t affect performance or stability when using Microsoft Defender on Exchange Server 2019 running the latest Exchange Server updates.
- Exchange Server 2016 & Exchange Server 2013
It is safe to remove these exclusions from servers running Exchange Server 2016 and Exchange Server 2013, but those servers should be monitored afterwards, since additional mitigation might be required.
Mitigation:
CYREBRO recommends removing the following folder and process exclusions from the file-level Antivirus (AV) scanner.
If the processes and folders below are not currently excluded, no change is needed.
Folders:
- %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
- %SystemRoot%\System32\Inetsrv
Processes:
- %SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe
- %SystemRoot%\System32\inetsrv\w3wp.exe
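One way to apply the mitigation above on a server running Microsoft Defender, as an added example that is not from the advisory or from Microsoft: it reads the configured exclusions with Get-MpPreference, removes only the listed entries that are actually present (matching either the %SystemRoot% form or its expanded form, since either may have been configured), and then re-reads the preference to verify. It assumes the built-in Defender PowerShell module and an elevated session; the function name Get-MatchingExclusions is the example's own.

```powershell
# Added example (not from the advisory or Microsoft): audit and remove the
# Exchange-related Defender exclusions listed above, only where present.
# Assumes the Defender module (Get-MpPreference / Remove-MpPreference) and an
# elevated session. Supports -WhatIf, so a dry run can be done first.
[CmdletBinding(SupportsShouldProcess)]
param()
$folders = @(
    '%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files',
    '%SystemRoot%\System32\Inetsrv'
)
$processes = @(
    '%SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe',
    '%SystemRoot%\System32\inetsrv\w3wp.exe'
)
# Return the configured entries (in their original spelling, which Remove-MpPreference
# needs) that match one of the wanted paths after environment-variable expansion.
function Get-MatchingExclusions([string[]]$Configured, [string[]]$Wanted) {
    foreach ($entry in $Configured) {
        $expanded = [Environment]::ExpandEnvironmentVariables($entry).TrimEnd('\')
        foreach ($w in $Wanted) {
            $wExpanded = [Environment]::ExpandEnvironmentVariables($w).TrimEnd('\')
            if ($expanded -ieq $wExpanded) { $entry; break }
        }
    }
}
$pref = Get-MpPreference
$pathHits = @(Get-MatchingExclusions $pref.ExclusionPath $folders)
$procHits = @(Get-MatchingExclusions $pref.ExclusionProcess $processes)
if (-not $pathHits -and -not $procHits) {
    Write-Host 'None of the listed exclusions are configured; nothing to change.'
    return
}
foreach ($p in $pathHits) {
    if ($PSCmdlet.ShouldProcess($p, 'Remove Defender path exclusion')) {
        Remove-MpPreference -ExclusionPath $p
    }
}
foreach ($p in $procHits) {
    if ($PSCmdlet.ShouldProcess($p, 'Remove Defender process exclusion')) {
        Remove-MpPreference -ExclusionProcess $p
    }
}
# Verify: re-read the preference and confirm the listed entries are gone.
$after = Get-MpPreference
$remaining = @(Get-MatchingExclusions $after.ExclusionPath $folders) +
             @(Get-MatchingExclusions $after.ExclusionProcess $processes)
if ($remaining) { Write-Warning "Still excluded: $($remaining -join ', ')" }
else { Write-Host 'Listed Exchange exclusions removed.' }
```

Exclusions pushed by Group Policy or Intune are not removed by Remove-MpPreference; in that case the policy source has to be changed instead.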
Additional Recommendations
- Keep your Exchange servers up to date.
- Keep on-premises Exchange servers up to date by applying the latest Cumulative Update (CU), so they are ready to receive emergency security updates.
- Restrict access to IIS virtual directories.
- Regularly inspect config files and bin folders for suspicious files.
- Always run the Exchange Server Health Checker Script after deploying updates to detect common configuration issues or other issues that can be fixed with a simple environment configuration change.
References: Microsoft Exchange Team