Although deploying an antivirus solution in your Exchange Server environment is a good practice recommended by Microsoft, the company also has some guidance about folder and process exclusions. Objects listed as exclusions are not scanned by the antivirus system. The main reason for having certain objects in the exclusions list is that any files due to be scanned by the antivirus may be locked for quarantine and if Exchange Server tries to utilize them for legitimate purposes, it will result in errors and failures.
However, the Redmond tech firm has now shared updated guidance about which objects to mark as exclusions. Interestingly, it has recommended organizations to remove Temporary ASP.NET Files, Inetsrv folders, and PowerShell and w3wp processes from the exclusions list. Basically, it now wants these objects to be a part of the real-time and scheduled scanning performed by an antivirus solution. Microsoft's rationale is that times have now changed in the cybersecurity world and it's better to scan these objects for the detection of IIS webshells and backdoor modules.
Microsoft has recommended the removal of the following objects from the exclusions list:
Folders
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
%SystemRoot%\System32\Inetsrv
Processes
%SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe
%SystemRoot%\System32\inetsrv\w3wp.exe
Through its own validation process, Microsoft has confirmed that if you use Microsoft Defender in Exchange Server 2019, removing the aforementioned exclusions will not have a negative impact on performance. It has also noted that the configuration change should not adversely affect Exchange Server 2013 or 2016 either, but if you do run into issues, add the exclusions back and report your findings to Microsoft.
0 Comments - Add comment