Sunday, 26 February 2023

Microsoft: Scan more Exchange server items for improved security

Certain files and processes are removed from the exclusion list by a software giant.



Microsoft is now advising Exchange server users to scan for viruses and other threats in specific items that were previously excluded from antivirus scanning.

Specifically, the software giant said this week that system administrators should now add the Temporary ASP.NET files, the Inetsrv directory, and the PowerShell and w3wp processes to the set of files, folders and processes that antivirus software scans.

According to the company, scanning these items helps defend against threats such as IIS webshells and backdoor modules.

"The cybersecurity landscape has shifted," Microsoft's Exchange Team wrote in a post this week. "We've discovered that several current exclusions are no longer necessary."

This is likely welcome news for many Exchange server customers, given that these systems are an increasingly popular target for attackers and store a large amount of sensitive data. That covers everything from business mailboxes to address books, which can include employee names, contact information and organizational charts, all of which can be useful in phishing and similar attacks.

Exchange also contains information about Active Directory permissions and access to corporate-connected cloud environments.

Late last month, Microsoft urged Exchange server users to make sure their systems were protected against attack by installing the latest Cumulative Updates and Security Updates. The company warned that criminals are constantly searching Shodan and similar services for unpatched software.

In November 2022, Redmond patched the two ProxyNotShell vulnerabilities, one a server-side request forgery flaw and the other a remote code execution (RCE) flaw. In March 2021 the company patched four zero-day vulnerabilities, including ProxyLogon, which had been heavily exploited by almost a dozen cybercrime groups, including Hafnium, over the preceding two months.

The Exchange Team says that removing these latest items from the exclusion list will further improve the security of Exchange servers.

The biggest possible issue, according to Microsoft, is that a Windows antivirus product might freeze or quarantine an open log file or database file that Exchange needs to modify. "This may result in 1018 event log errors as well as serious Exchange Server outages. It is crucial to keep these files from being analyzed by the Windows antivirus program."

Also, the company stated that email-based anti-spam and anti-malware products cannot be replaced by Windows antivirus programs. Windows antivirus software that is installed on a Windows server is unable to identify threats like viruses, malware, and spam that are only spread over email.

The Exchange server exclusion list still contains a large number of entries. An item is typically placed on it because having the antivirus engine inspect it could cause performance problems, failures or crashes.

However, the Exchange Team stated that on Exchange Server 2019 running Microsoft Defender and the latest Exchange Server updates, removing the files and processes above from the exclusion list will not affect the stability or performance of the server.

The exclusions can also be removed on servers running Exchange Server 2016 and Exchange Server 2013 (which reaches end of support in April). If problems appear when antivirus scanning runs on those systems with the exclusions removed, Microsoft says system administrators should put the exclusions back.
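As an added illustration (not code from the article or from Microsoft), the following PowerShell script audits a Microsoft Defender Antivirus installation for the four exclusions discussed above, records what it removes so the exclusions can be restored with Add-MpPreference if scanning causes trouble, removes them, and checks that the removal actually took effect. It assumes an elevated session with the Defender PowerShell module and the standard Windows install locations; the paths are assumed, so compare them with your own Get-MpPreference output first.

```powershell
#Requires -RunAsAdministrator
# Audit, remove and record the four Exchange-related Defender exclusions.
# Assumed standard Windows paths; confirm against your own Get-MpPreference output.
$winDir = $env:SystemRoot
$pathsToScan = @(
    "$winDir\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files",
    "$winDir\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files",
    "$winDir\System32\Inetsrv"
)
$processesToScan = @(
    "$winDir\System32\WindowsPowerShell\v1.0\PowerShell.exe",
    "$winDir\System32\inetsrv\w3wp.exe"
)

# Exclusions may be stored with %SystemRoot% unexpanded or with a trailing backslash;
# normalise both sides so the comparison is by effective path.
function Normalize([string]$p) { [Environment]::ExpandEnvironmentVariables($p).TrimEnd('\') }
$wantPaths = $pathsToScan     | ForEach-Object { Normalize $_ }
$wantProcs = $processesToScan | ForEach-Object { Normalize $_ }

$pref = Get-MpPreference
$pathHits = @($pref.ExclusionPath    | Where-Object { $wantPaths -contains (Normalize $_) })
$procHits = @($pref.ExclusionProcess | Where-Object { $wantProcs -contains (Normalize $_) })
if (-not $pathHits -and -not $procHits) { Write-Host 'No matching exclusions configured.'; return }

# Rollback record: Microsoft says to restore the exclusions on 2013/2016 if scanning
# causes problems, so keep the exact configured values for Add-MpPreference.
$backup = "$env:ProgramData\ExchangeAvExclusions-$(Get-Date -Format yyyyMMdd-HHmmss).json"
@{ ExclusionPath = $pathHits; ExclusionProcess = $procHits } | ConvertTo-Json | Set-Content $backup
Write-Host "Removed exclusions recorded in $backup (restore with Add-MpPreference)."

if ($pathHits) { Remove-MpPreference -ExclusionPath    $pathHits }
if ($procHits) { Remove-MpPreference -ExclusionProcess $procHits }

# Verify: anything still present was not removed, typically because the exclusion
# is enforced by Group Policy or Intune rather than set locally.
$after     = Get-MpPreference
$remaining = @($after.ExclusionPath    | Where-Object { $wantPaths -contains (Normalize $_) }) +
             @($after.ExclusionProcess | Where-Object { $wantProcs -contains (Normalize $_) })
if ($remaining) { Write-Warning "Still excluded (policy-managed?): $($remaining -join ', ')" }
else            { Write-Host 'Temporary ASP.NET Files, Inetsrv, PowerShell and w3wp are now scanned.' }
```

After running it, watch the Application event log for the 1018 errors the article mentions; if they appear on a 2013 or 2016 server, re-add the entries from the JSON record with Add-MpPreference.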