IT admins notified as Microsoft revokes previously recommended Exchange antivirus exclusions
The tech giant warned that using the exclusions may prevent companies from detecting IIS webshells or backdoor modules
Microsoft has urged admins to remove antivirus exclusions it previously recommended to improve security.
Provided an organisation's IT estate is running Microsoft Defender on a fully up-to-date Exchange Server 2019, the exclusions Microsoft previously recommended can be removed with no risk to performance or stability.
"We also believe that these exclusions can also be safely removed from servers running Exchange Server 2016 and Exchange Server 2013," it said in a blog post.
"When running on Exchange Server 2013 or Exchange Server 2016, keep an eye on the server and watch for issues. If any issues arise on any Exchange Server version, simply put the exclusions back in place, and report the issue to us."
The exclusions in question specifically relate to the Temporary ASP.NET Files and Inetsrv folders, and to the PowerShell and w3wp processes. It would now be much better, Microsoft said, for IT admins to have those files and folders scanned instead.
The folders that are affected are:
- %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
The processes that are affected are:
- PowerShell
- w3wp
Keeping the exclusions in place could even prevent detections of backdoor malware and IIS webshells, Microsoft added. Cyber criminals turned to malicious IIS modules in droves last year as a way to gain a more secure foothold in a target's IT environment.
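A way to check an Exchange server for the legacy exclusions the article names and remove them, as an added example that is not part of Microsoft's post or tooling. It matches Defender's exclusion lists by the folder and process names given above rather than hard-coding full paths (only the Temporary ASP.NET Files path appears in the article), and supports -WhatIf so the removal can be previewed first.

```powershell
# Added example (not from the Microsoft post): audit Microsoft Defender exclusions on an
# Exchange server for the legacy Exchange entries, report them, and optionally remove them.
# Matching is by name pattern because Defender may store the paths with %SystemRoot%
# already expanded or in a different case.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Name fragments taken from the article; other exclusions are left untouched.
$legacyFolderPatterns  = @('*Temporary ASP.NET Files*', '*\Inetsrv*')
$legacyProcessPatterns = @('*\PowerShell.exe', '*\w3wp.exe')

$prefs = Get-MpPreference

function Select-Matching {
    param([string[]]$Entries, [string[]]$Patterns)
    foreach ($entry in $Entries) {
        foreach ($pattern in $Patterns) {
            # -like is case-insensitive; emit each entry at most once.
            if ($entry -like $pattern) { $entry; break }
        }
    }
}

$stalePaths     = @(Select-Matching -Entries $prefs.ExclusionPath    -Patterns $legacyFolderPatterns)
$staleProcesses = @(Select-Matching -Entries $prefs.ExclusionProcess -Patterns $legacyProcessPatterns)

if (-not $stalePaths -and -not $staleProcesses) {
    Write-Host 'No legacy Exchange exclusions found.'
    return
}

$stalePaths     | ForEach-Object { Write-Host "Folder exclusion  : $_" }
$staleProcesses | ForEach-Object { Write-Host "Process exclusion : $_" }

# Remove-MpPreference rejects empty arrays, so guard each call. If problems appear on
# Exchange 2013/2016 afterwards, the same values can be restored with Add-MpPreference.
if ($stalePaths -and $PSCmdlet.ShouldProcess("$($stalePaths.Count) folder exclusion(s)", 'Remove')) {
    Remove-MpPreference -ExclusionPath $stalePaths
}
if ($staleProcesses -and $PSCmdlet.ShouldProcess("$($staleProcesses.Count) process exclusion(s)", 'Remove')) {
    Remove-MpPreference -ExclusionProcess $staleProcesses
}
```

Run it once with `-WhatIf` from an elevated prompt to see which entries would be removed before committing the change.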
“In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection,” said Hardik Suri, senior security researcher at Microsoft, at the time.
A year earlier in August 2021, researchers discovered malware which was able to install a backdoor on Microsoft's IIS.
The malware, IISpy, was able to evade detection and manipulate the server's logging to perform espionage. It was found present on IIS servers in the US, Canada, and the Netherlands, and was suspected to have affected more servers.