Microsoft has urged admins to remove antivirus exclusions it previously recommended to improve security.
Providing an organisation's IT estate is using Microsoft Defender on a fully up-to-date Exchange Server 2019, then the rules it previously recommended can be removed with no risk to performance or stability.
"We also believe that these exclusions can also be safely removed from servers running Exchange Server 2016 and Exchange Server 2013," it said in a blog post.
"When running on Exchange Server 2013 or Exchange Server 2016, keep an eye on the server and watch for issues. If any issues arise on any Exchange Server version, simply put the exclusions back in place, and report the issue to us."
The exclusions in question specifically relate to Temporary ASP.NET Files and Inetsrv folders, and PowerShell and w3wp processes. Now, "it would be much better, Microsoft said, for IT admins to instead scan the files and folders.
The folders that are affected are:
- %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
The processes that are affected are:
Keeping the exclusions in place could even prevent detections of backdoor malware and IIS webshells, Microsoft added. Cyber criminals turned to malicious IIS modules in droves last year as a way to gain a more secure foothold in a target's IT environment.
Modernise your server infrastructure for speed and security
Infrastructure lifecycle automation paves the way for an adaptive, resilient organisation
“In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection,” said Hardik Suri, senior security researcher at Microsoft, at the time.
The malware, IISpy, was able to evade detection and manipulate the server's logging to perform espionage. It was found present on IIS servers in the US, Canada, and the Netherlands, and was suspected to have affected more servers.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.