
IT admins notified as Microsoft revokes previously recommended Exchange antivirus exclusions

The tech giant warned that using the exclusions may prevent companies from detecting IIS webshells or backdoor modules

Microsoft has urged admins to remove a set of antivirus exclusions for Exchange Server that it previously recommended, because keeping them in place can now weaken security.

Provided an organisation is running Microsoft Defender on an Exchange Server 2019 installation with the latest updates applied, the exclusions it previously recommended can be removed with no risk to performance or stability, the company said.

"We also believe that these exclusions can also be safely removed from servers running Exchange Server 2016 and Exchange Server 2013," it said in a blog post.

"When running on Exchange Server 2013 or Exchange Server 2016, keep an eye on the server and watch for issues. If any issues arise on any Exchange Server version, simply put the exclusions back in place, and report the issue to us."

The exclusions in question cover the Temporary ASP.NET Files and Inetsrv folders and the PowerShell and w3wp processes. Microsoft now says it would be much better for IT admins to let the antivirus scan those files, folders and processes instead.

The folder exclusions to remove are:

  • %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
  • %SystemRoot%\System32\Inetsrv

The process exclusions to remove are:

  • %SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe
  • %SystemRoot%\System32\inetsrv\w3wp.exe
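The following PowerShell is an added example for this article, not code from Microsoft or from the original page. It audits the local Microsoft Defender configuration for the four exclusions listed above, removes them, and provides a matching function to put them back, which is Microsoft's advice if an Exchange 2013 or 2016 server starts misbehaving. The function names, the -ReportOnly switch and the matching logic are this example's own; the Defender cmdlets (Get-MpPreference, Remove-MpPreference, Add-MpPreference) are the standard ones shipped with Windows.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Microsoft): audit and remove the four
# Exchange exclusions named in the article from the local Defender configuration,
# with a function to restore them if an Exchange 2013/2016 server shows problems.

# The four exclusions, exactly as the article lists them.
$FolderExclusions = @(
    '%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files',
    '%SystemRoot%\System32\Inetsrv'
)
$ProcessExclusions = @(
    '%SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe',
    '%SystemRoot%\System32\inetsrv\w3wp.exe'
)

# Defender stores exclusions as they were entered, so an admin may have typed the
# expanded path (C:\Windows\...) instead of %SystemRoot%. Match both spellings.
# PowerShell's -eq on strings is case-insensitive, so Inetsrv/inetsrv both match.
function Get-MatchingExclusions {
    param([string[]]$Configured, [string[]]$Wanted)
    foreach ($w in $Wanted) {
        $expanded = [Environment]::ExpandEnvironmentVariables($w)
        $Configured | Where-Object { $_ -eq $w -or $_ -eq $expanded }
    }
}

# Report which of the listed exclusions are present; remove them unless -ReportOnly.
function Remove-ExchangeAvExclusions {
    [CmdletBinding()]
    param([switch]$ReportOnly)

    $pref  = Get-MpPreference
    $paths = @(Get-MatchingExclusions -Configured $pref.ExclusionPath    -Wanted $FolderExclusions)
    $procs = @(Get-MatchingExclusions -Configured $pref.ExclusionProcess -Wanted $ProcessExclusions)

    if (-not $paths -and -not $procs) {
        Write-Host 'None of the listed Exchange exclusions are configured on this server.'
        return
    }
    $paths | ForEach-Object { Write-Host "Path exclusion present:    $_" }
    $procs | ForEach-Object { Write-Host "Process exclusion present: $_" }
    if ($ReportOnly) { return }

    if ($paths) { Remove-MpPreference -ExclusionPath    $paths }
    if ($procs) { Remove-MpPreference -ExclusionProcess $procs }
    Write-Host 'Exclusions removed. Re-run with -ReportOnly to confirm.'
}

# Microsoft's fallback for Exchange 2013/2016: put the exclusions back if issues arise.
function Restore-ExchangeAvExclusions {
    Add-MpPreference -ExclusionPath    $FolderExclusions
    Add-MpPreference -ExclusionProcess $ProcessExclusions
    Write-Host 'Exclusions restored.'
}

# Audit first; run Remove-ExchangeAvExclusions without -ReportOnly to apply.
Remove-ExchangeAvExclusions -ReportOnly
```

Run it in an elevated PowerShell session on the Exchange server. One caveat: if the exclusions are delivered by Group Policy or an MDM policy, the policy-managed value wins and a local Remove-MpPreference will be overridden at the next policy refresh, so the exclusions must be removed from the policy as well.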

Keeping the exclusions in place could even prevent detection of backdoor malware and IIS webshells, Microsoft added. Cyber criminals turned to malicious IIS modules in droves last year as a way to gain a more durable foothold in a target's IT environment.


“In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection,” said Hardik Suri, senior security researcher at Microsoft, at the time.

A year earlier, in August 2021, researchers discovered malware that installed a backdoor in Microsoft's IIS web server.

The malware, IISpy, was able to evade detection and manipulate the server's logging while carrying out espionage. It was found on IIS servers in the US, Canada and the Netherlands, and was suspected of having affected more servers.
