Microsoft: For better security, scan more Exchange server objects
Software giant takes some files and processes off the exclusion list
Microsoft is recommending that Exchange server users scan certain objects for viruses and other threats that until now had been excluded.
In particular, the software giant said this week that sysadmins should now include the Temporary ASP.NET files, Inetsrv folders, and the PowerShell and w3wp processes on the list of files and folders to be run through antivirus systems.
Scanning these objects will help fend off such threats as IIS webshells and backdoor modules, said the vendor.
"Times have changed, and so has the cybersecurity landscape," Microsoft's Exchange Team wrote in a post this week. "We've found that some existing exclusions … are no longer needed."
That likely will come as good news to many Exchange server users, now that the systems are becoming an increasingly popular target of cybercriminals given the large amount of critical data housed on the systems. That includes corporate mailboxes to address books, which can hold such information as employee titles and contact information and organizational structures, all of which can be useful in phishing and similar attacks.
Exchange also has data involving permissions in Active Directory and access to cloud environments connected to the enterprise.
Microsoft late last month urged Exchange server users to make sure their systems are up-to-date with the latest Cumulative and Security updates and hardened against cyberattacks. The company warned that miscreants are always searching Shodan and other sources for unpatched Enterprise servers to exploit.
Redmond in November 2022 fixed two ProxyNotShell flaws, one of which was a remote code execution (RCE) bug and the other a server-side request forgery flaw. In March 2021, the company released out-of-band patches for four zero-day vulnerabilities being exploited, including ProxyLogon that had been widely abused by a dozen or so cybercrime gangs – including Hafnium – during the previous two months.
Removing the latest objects from the exclusion list will further increase Exchange server security, according to the Exchange Team.
There are still a lot of items on the Exchange server exclusion list. A key reason an object is put on it is that having them scanned by the antivirus system could cause performance problems, errors, or crashes.
"The biggest potential problem is a Windows antivirus program might lock or quarantine an open log file or database file that Exchange needs to modify," Microsoft wrote in another post this week. "This can cause severe failures in Exchange Server, and it might also generate 1018 event log errors. Therefore, excluding these files from being scanned by the Windows antivirus program is very important."
In addition, Windows antivirus programs can't replace email-based anti-spam and anti-malware tools, the company wrote. Windows antivirus programs running on Windows servers can't detect such threats as viruses, malware, and spam that are distributed only via email.
- Microsoft to enterprises: Patch your Exchange servers
- FBI smokes ransomware Hive after secretly buzzing around gang's network for months
- First Patch Tuesday of the year explodes with in-the-wild exploit fix
- Notorious Emotet botnet returns after a few months off
That said, the Exchange Team wrote that removing the aforementioned files and processes from the exclusion list won't affect the stability or performance of the server when using Microsoft Defender on Exchange Server 2019 and running the latest Exchange server updates.
In addition, exclusions can also be removed from systems running Exchange Server 2016 and 2013 (which will hit end-of-support in April). When running the antivirus scan on those systems with the exclusions removed, if problems arise, sysadmins should put the exclusions back in place and report the issues to Microsoft, the company said. ®