Microsoft has recommended that Exchange administrators remove some previously recommended antivirus exclusions for Exchange servers in order to boost their security. The previously recommended exclusions are as follows:
- %SystemRoot%Microsoft.NETFramework64v4.0.30319Temporary ASP.NET Files
- %SystemRoot%System32Inetsrv
- %SystemRoot%System32WindowsPowerShellv1.0PowerShell.exe
- %SystemRoot%System32inetsrvw3wp.exe
These were previously recommended to help with performance and stability when using Microsoft Defender on Exchange servers, but Microsoft has confirmed that removing these will no longer impact performance or stability. This recommendation comes after threat actors have been using malicious Internet Information Services (IIS) web server extensions and modules to backdoor unpatched Exchange servers worldwide. On top of removing these exclusions, Microsoft also recommends that administrators keep Exchange servers up to date and frequently run the Exchange Server Health Checker script.
Analyst Notes
This new recommendation from Microsoft demonstrates how adding over-encompassing AV exclusions can negatively impact and organization’s security. Especially in the current threat landscape, many actors make use of PowerShell and malicious IIS extensions to perform their attacks. Having these exclusions in place allows for a large gap in visibility where the threat actors can go unnoticed. On top of removing these exclusions and following the other recommendations from Microsoft, it is also recommended to frequently review exclusions that are in place to ensure that they are relevant and not too broad. Additionally, it is recommended to ensure that your security teams are aware of the dangers of over-excluding and how it could lead to a breach of the organization.
https://www.bleepingcomputer.com/news/security/microsoft-urges-exchange-admins-to-remove-some-antivirus-exclusions/
