Some Microsoft Exchange folders and processes that the company previously suggested should be excluded from antivirus scans for stability reasons should no longer be excluded, Microsoft announced.
Explaining the change of heart, Microsoft said that the processes no longer affect the stability or performance of Exchange servers, adding that removing the exclusions can even be beneficial, since attackers may have planted a hidden backdoor in those locations.
The affected processes and folders include the temporary ASP.NET files folder, the Inetsrv folder, and the PowerShell and w3wp processes.
Don’t exclude them any more
“The behavior of these exceptions can prevent detection of IIS web shells and backdoor modules, which are the most common security issues,” said the Exchange team. “We have found that removing these processes and folders does not affect performance or stability when using Microsoft Defender on Exchange Server 2019 with the latest Exchange Server updates.”
The new recommendations apply to Exchange Server 2016 and Exchange Server 2013. However, Microsoft added that IT teams should monitor these processes in case something goes wrong.
Here is the full list of exclusions that are no longer needed:
- %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
- %SystemRoot%\System32\Inetsrv
- %SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe
- %SystemRoot%\System32\inetsrv\w3wp.exe
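As an added example (not from the article or from Microsoft), the following script audits a Defender-protected Exchange server for the four exclusions listed above and removes any that are still configured. It assumes the built-in Windows Defender cmdlets Get-MpPreference and Remove-MpPreference and an elevated PowerShell session; the image-name check for powershell.exe and w3wp.exe is an assumption about how process exclusions may have been entered.

```powershell
# Added example: find and remove the Defender exclusions the article says are
# no longer needed on Exchange servers. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess)]
param()

# Paths and processes from the article, with %SystemRoot% expanded.
$obsoletePaths = @(
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files",
    "$env:SystemRoot\System32\Inetsrv"
)
$obsoleteProcesses = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\PowerShell.exe",
    "$env:SystemRoot\System32\inetsrv\w3wp.exe"
)
# Assumption: process exclusions are sometimes stored by bare image name.
$obsoleteImageNames = @('powershell.exe', 'w3wp.exe')

# Compare case-insensitively and ignore trailing backslashes.
function Normalize([string]$p) { return $p.TrimEnd('\').ToLowerInvariant() }
$wantPaths = $obsoletePaths | ForEach-Object { Normalize $_ }
$wantProcs = $obsoleteProcesses | ForEach-Object { Normalize $_ }

$pref = Get-MpPreference

$stalePaths = @($pref.ExclusionPath | Where-Object { $wantPaths -contains (Normalize $_) })
$staleProcs = @($pref.ExclusionProcess | Where-Object {
    ($wantProcs -contains (Normalize $_)) -or
    ($obsoleteImageNames -contains (Split-Path $_ -Leaf).ToLowerInvariant())
})

if ($stalePaths.Count -eq 0 -and $staleProcs.Count -eq 0) {
    Write-Host 'No obsolete Exchange exclusions found.'
    return
}

# Remove each stale exclusion; -WhatIf prints the action instead of performing it.
foreach ($p in $stalePaths) {
    if ($PSCmdlet.ShouldProcess($p, 'Remove Defender path exclusion')) {
        Remove-MpPreference -ExclusionPath $p
    }
}
foreach ($p in $staleProcs) {
    if ($PSCmdlet.ShouldProcess($p, 'Remove Defender process exclusion')) {
        Remove-MpPreference -ExclusionProcess $p
    }
}
```

Run the script once with -WhatIf to review what would be removed, then watch the Exchange services afterwards as the article advises.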
Cybercriminals have been observed using malicious Internet Information Services (IIS) extensions and modules to add backdoors to unpatched Microsoft Exchange servers.
The best way to stay safe is to always apply the latest Exchange patches and updates, use antivirus programs, restrict access to IIS virtual directories, prioritize alerts, and constantly check configuration files and bin folders for suspicious files.
IT teams should always run the Exchange Server Health Checker script after updates to resolve possible misconfiguration issues.
Exchange servers are one of the most popular targets for cybercriminals around the world because they are often unprotected or misconfigured. At the same time, many of them offer a veritable treasury of confidential information that can be sold on the black market or used as leverage in ransom negotiations.
Source: BleepingComputer