Microsoft Exchange admins advised to expand antivirus scanning

After having stressed the importance of keeping Exchange servers updated last month, Microsoft is advising administrators to widen the scope of antivirus scanning on those servers.

Microsoft Exchange antivirus scanning

Microsoft Exchange servers in attackers’ crosshairs

Cyber attackers love to target Microsoft Exchange servers, often via zero-day vulnerabilities , but also via known ones.

Microsoft Exchange servers are mail servers, so they hold a lot of sensitive corporate information, including information about employees that could be exploited to mount spear-phishing attacks. Also, as the Exchange team pointed out, “Exchange has deep hooks into and permissions within Active Directory, and in a hybrid environment, access to the connected cloud environment.”

Which exclusions should you remove?

Microsoft encourages the use of antivirus software (Microsoft Defender) on Microsoft Exchange servers – if some directories, processes and file name extensions are excluded from the scanning.

“The biggest potential problem is a Windows antivirus program might lock or quarantine an open log file or database file that Exchange needs to modify. This can cause severe failures in Exchange Server, and it might also generate 1018 event log errors. Therefore, excluding these files from being scanned by the Windows antivirus program is very important,” the company explains.

The exclusions should be configured for both memory-resident and file-level scanning.

The list is long, but from now on it does not contain:

  • The Temporary ASP.NET Files and Inetsrv folders (%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files and %SystemRoot%\System32\Inetsrv)
  • The Powershell and w3wp processes (%SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe and %SystemRoot%\System32\inetsrv\w3wp.exe)

The cybersecurity landscape has changed, Microsoft noted, and “keeping these exclusions may prevent detections of IIS webshells and backdoor modules, which represent the most common security issues.”

Webshells and backdoors provide attackers with (persistent) remote access to and code execution capabilities on the server.

The removal of the exclusions should not lead to stability issues on Exchange Server 2019, 2016 and 2013 but if any should arise they can be put back into place.

OPIS

Subscribe to the Help Net Security breaking news e-mail alerts:

OPIS

Don't miss