Microsoft says admins should remove some previously recommended antivirus exclusions for Exchange servers to boost the servers' security.
As the company explained, exclusions targeting the Temporary ASP.NET Files and Inetsrv folders and the PowerShell and w3wp processes are no longer required, since removing them does not affect stability or performance.
However, admins should make a point of scanning these locations and processes, because they are frequently abused in attacks to deploy malware.
“Keeping these exclusions may prevent detections of IIS webshells and backdoor modules, which represent the most common security issues,” the Exchange Team said.
“We’ve validated that removing these processes and folders doesn’t affect performance or stability when using Microsoft Defender on Exchange Server 2019 running the latest Exchange Server updates.”
You can also safely remove these exclusions from servers running Exchange Server 2016 and Exchange Server 2013, but you should monitor them and be ready to mitigate any issues that might arise.
The list of folder and process exclusions that should be removed from file-level antivirus scanners includes:
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
%SystemRoot%\System32\Inetsrv
%SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe
%SystemRoot%\System32\inetsrv\w3wp.exe
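The following script is an added example, not part of the article or Microsoft's guidance: it audits the Microsoft Defender exclusion list on an Exchange server for the four entries listed above, reports any that are present, and removes them only when run with -Remove. It assumes an elevated PowerShell session on the Exchange server with the Defender cmdlets (Get-MpPreference, Remove-MpPreference) available.

```powershell
# Added example: find and optionally remove the four legacy Exchange exclusions.
# Assumes an elevated session on the Exchange server with Microsoft Defender.
[CmdletBinding()]
param([switch]$Remove)

$targetPaths = @(
    '%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files',
    '%SystemRoot%\System32\Inetsrv'
)
$targetProcesses = @(
    '%SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe',
    '%SystemRoot%\System32\inetsrv\w3wp.exe'
)

# Normalise a stored exclusion so that entries saved with %SystemRoot% expanded
# or with a trailing backslash still match the list above.
function Get-NormalizedPath([string]$p) {
    [Environment]::ExpandEnvironmentVariables($p).TrimEnd('\').ToLowerInvariant()
}
$wantedPaths     = $targetPaths     | ForEach-Object { Get-NormalizedPath $_ }
$wantedProcs     = $targetProcesses | ForEach-Object { Get-NormalizedPath $_ }
# Process exclusions are sometimes entered as a bare executable name, so match on that too.
$wantedProcNames = $targetProcesses | ForEach-Object { (Split-Path $_ -Leaf).ToLowerInvariant() }

$pref = Get-MpPreference
$stalePaths = @($pref.ExclusionPath | Where-Object { $wantedPaths -contains (Get-NormalizedPath $_) })
$staleProcs = @($pref.ExclusionProcess | Where-Object {
    ($wantedProcs -contains (Get-NormalizedPath $_)) -or
    ($wantedProcNames -contains (Split-Path $_ -Leaf).ToLowerInvariant())
})

if (-not $stalePaths -and -not $staleProcs) {
    Write-Host 'None of the legacy Exchange exclusions are present.'
    return
}
$stalePaths | ForEach-Object { Write-Host "Folder exclusion to remove:  $_" }
$staleProcs | ForEach-Object { Write-Host "Process exclusion to remove: $_" }

if ($Remove) {
    # Remove-MpPreference accepts string arrays for both parameters.
    if ($stalePaths) { Remove-MpPreference -ExclusionPath    $stalePaths }
    if ($staleProcs) { Remove-MpPreference -ExclusionProcess $staleProcs }
    Write-Host 'Exclusions removed; monitor the server for stability or performance changes.'
} else {
    Write-Host 'Dry run only. Re-run with -Remove to delete these exclusions.'
}
```

Run it once without -Remove to see what would change, then with -Remove after confirming the server is on a current Exchange update.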
This comes after threat actors have been using malicious Internet Information Services (IIS) web server extensions and modules to backdoor unpatched Microsoft Exchange servers worldwide.
To defend against attacks using similar tactics, you should always keep your Exchange servers up to date, use anti-malware and security solutions, restrict access to IIS virtual directories, prioritize alerts, and regularly check config files and bin folders for suspicious files.
Redmond also recently urged customers to keep on-premises Exchange servers up to date by applying the latest Cumulative Update (CU), so that they are ready to deploy emergency security updates.
It is also recommended to always run the Exchange Server Health Checker script after deploying updates, to detect common configuration issues and other problems that can be fixed with a simple configuration change.
As security researchers at the Shadowserver Foundation found in January, tens of thousands of Internet-exposed Microsoft Exchange servers (over 60,000 at the time) are still vulnerable to attacks leveraging ProxyNotShell exploits.
Shodan also shows many Exchange servers exposed online, with thousands of them defenseless against attacks targeting the ProxyShell and ProxyLogon flaws, two of the most exploited vulnerabilities of 2021.