IT admins notified as Microsoft revokes previously recommended Exchange antivirus exclusions

By Zach Marzouk
published

The tech giant warned that using the exclusions may prevent companies from detecting IIS webshells or backdoor modules

Digital umbrella in neon blue blocking rainfall made up of neon red binary code, connoting antivirus
(Image credit: Getty Images)

Microsoft has urged admins to remove antivirus exclusions it previously recommended to improve security.

Providing an organisation's IT estate is using Microsoft Defender on a fully up-to-date Exchange Server 2019, then the rules it previously recommended can be removed with no risk to performance or stability.

Actively exploited server backdoor remains undetected in most organisations' networks Microsoft warns hackers turning to IIS exploits to create backdoors in businesses Undetectable PowerShell backdoor discovered hiding as Windows update

"We also believe that these exclusions can also be safely removed from servers running Exchange Server 2016 and Exchange Server 2013," it said in a blog post.

"When running on Exchange Server 2013 or Exchange Server 2016, keep an eye on the server and watch for issues. If any issues arise on any Exchange Server version, simply put the exclusions back in place, and report the issue to us."

The exclusions in question specifically relate to Temporary ASP.NET Files and Inetsrv folders, and PowerShell and w3wp processes. Now, "it would be much better, Microsoft said, for IT admins to instead scan the files and folders.

The folders that are affected are:

  • %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
  • %SystemRoot%\System32\Inetsrv

The processes that are affected are:

  • %SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe
  • %SystemRoot%\System32\inetsrv\w3wp.exe

Keeping the exclusions in place could even prevent detections of backdoor malware and IIS webshells, Microsoft added. Cyber criminals turned to malicious IIS modules in droves last year as a way to gain a more secure foothold in a target's IT environment.

RELATED RESOURCE

Modernise your server infrastructure for speed and security

Infrastructure lifecycle automation paves the way for an adaptive, resilient organisation

FREE DOWNLOAD

“In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection,” said Hardik Suri, senior security researcher at Microsoft, at the time.

A year earlier in August 2021, researchers discovered malware which was able to install a backdoor on Microsoft's IIS.

The malware, IISpy, was able to evade detection and manipulate the server's logging to perform espionage. It was found present on IIS servers in the US, Canada, and the Netherlands, and was suspected to have affected more servers.

Zach Marzouk
Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.