Microsoft says admins should remove some previously recommended antivirus exclusions for Exchange servers to boost the servers’ security.
As the company explained, exclusions targeting the Temporary ASP.NET Files and Inetsrv folders and the PowerShell and w3wp processes are not required since they’re no longer affecting stability or performance.
However, admins should make a point out of scanning these locations and processes because they’re often abused in attacks to deploy malware.
“Keeping these exclusions may prevent detections of IIS webshells and backdoor modules, which represent the most common security issues,” the Exchange Team said.
“We’ve validated that removing these processes and folders doesn’t affect performance or stability when using Microsoft Defender on Exchange Server 2019 running the latest Exchange Server updates.”
You can also safely remove these exclusions from servers running Exchange Server 2016 and Exchange Server 2013 but you should monitor them and be ready to mitigate any issues that might come up.
The list of folder and process exclusions that should be removed from file-level antivirus scanners includes:
%SystemRoot%Microsoft.NETFramework64v4.0.30319Temporary ASP.NET Files %SystemRoot%System32Inetsrv %SystemRoot%System32WindowsPowerShellv1.0PowerShell.exe %SystemRoot%System32inetsrvw3wp.exe
This comes after threat actors have been using malicious Internet Information Services (IIS) web server extensions and modules to backdoor unpatched Microsoft Exchange servers worldwide.
To defend against attacks using similar tactics, you should always keep your Exchange servers up to date, use anti-malware and security solutions, restrict access to IIS virtual directories, prioritize alerts, and regularly inspect config files and bin folders for suspicious files.
Redmond also recently urged customers to keep on-premises Exchange servers up-to-date by applying the latest Cumulative Update (CU) to have them ready to deploy emergency security updates.
It is also recommended to always run the Exchange Server Health Checker script after deploying updates to detect common configuration issues or other issues that can be fixed with a simple environment configuration change.
As security researchers at the Shadowserver Foundation found in January, tens of thousands of Internet-exposed Microsoft Exchange servers (over 60,000 at the time) are still vulnerable to attacks leveraging ProxyNotShell exploits.
Shodan also shows many Exchange servers exposed online, with thousands of them defenseless against attacks targeting the ProxyShell and ProxyLogon flaws, two of the most exploited vulnerabilities of 2021.