Microsoft urges Exchange admins to remove some antivirus exclusions

Microsoft says admins should remove some  antivirus exclusions for Exchange servers to boost the servers’ security.

As the company explained, exclusions targeting the Temporary ASP.NET Files and Inetsrv folders and the PowerShell and w3wp processes are not required since they’re no longer affecting stability or performance.

However, admins should make a point out of scanning these locations and processes because they’re often abused in attacks to deploy malware.

“Keeping these exclusions may prevent detections of IIS webshells and backdoor modules, which represent the most common security issues,” the Exchange Team .

“We’ve validated that removing these processes and folders doesn’t affect performance or stability when using Microsoft Defender on Exchange Server 2019 running the latest Exchange Server updates.”

You can also safely remove these exclusions from servers running Exchange Server 2016 and Exchange Server 2013 but you should monitor them and be ready to mitigate any issues that might come up.

The list of folder and process exclusions that should be removed from file-level antivirus scanners includes:

%SystemRoot%Microsoft.NETFramework64v4.0.30319Temporary ASP.NET Files
%SystemRoot%System32Inetsrv
%SystemRoot%System32WindowsPowerShellv1.0PowerShell.exe
%SystemRoot%System32inetsrvw3wp.exe

This comes after threat actors  malicious Internet Information Services (IIS) web server  and  to backdoor unpatched Microsoft Exchange servers worldwide.

To defend against attacks using similar tactics, you should always keep your Exchange servers up to date, use anti-malware and security solutions, restrict access to IIS virtual directories, prioritize alerts, and regularly inspect config files and bin folders for suspicious files.

Redmond also recently urged customers to  by applying the latest Cumulative Update (CU) to have them ready to deploy emergency security updates.

It is also recommended to always run the  after deploying updates to detect common configuration issues or other issues that can be fixed with a simple environment configuration change.

As security researchers at the Shadowserver Foundation found in January, tens of thousands of Internet-exposed Microsoft Exchange servers (over 60,000 at the time) leveraging ProxyNotShell exploits.

Shodan also shows many , with thousands of them defenseless against attacks targeting the ProxyShell and ProxyLogon flaws, two of the .