Update on the Exchange Server Antivirus Exclusions

By February 24, 2023Microsoft Exchange

[ad_1]

For years we have been saying how running antivirus (AV) software on your Exchange Servers can enhance the security and health of your Exchange organization. We’ve also said that if you are deploying file-level scanners on Exchange servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both scheduled and real-time scanning.

But times have changed, and so has the cybersecurity landscape. We’ve found that some existing exclusions, namely the Temporary ASP.NET Files and Inetsrv folders, and the PowerShell and w3wp processes – are no longer needed, and that it would be much better to scan these files and folders. Keeping these exclusions may prevent detections of IIS webshells and backdoor modules, which represent the most common security issues. So, we now recommend that you remove these exclusions from your file-level AV scanner:

Folders:

%SystemRoot%Microsoft.NETFramework64v4.0.30319Temporary ASP.NET Files
%SystemRoot%System32Inetsrv

Processes:

%SystemRoot%System32WindowsPowerShellv1.0PowerShell.exe
%SystemRoot%System32inetsrvw3wp.exe

We’ve validated that removing these processes and folders doesn’t affect performance or stability when using Microsoft Defender on Exchange Server 2019 running the latest Exchange Server updates.

We also believe that these exclusions can also be safely removed from servers running Exchange Server 2016 and Exchange Server 2013.  When running on Exchange Server 2013 (before decommissioning it in April, right?) or Exchange Server 2016, keep an eye on the server and watch for issues.  If any issues arise on any Exchange Server version, simply put the exclusions back in place, and report the issue to us.

The Exchange Server Team

[ad_2]
Source link

Share this post via

Leave a Reply