Microsoft urges Exchange Admins to remove some antivirus exclusions
Microsoft recently issued a new security advisory urging Exchange Server administrators to remove certain antivirus software exclusions that could expose systems to attacks. According to the advisory, some antivirus programs have been found to have overly broad exclusions, which can pose security risks.
The antivirus software exclusions were initially implemented to improve server performance, according to Microsoft. However, attackers can take advantage of these exclusions to circumvent security measures and gain unauthorized access to sensitive data. Attackers could use these flaws to install malware or ransomware on a vulnerable Exchange Server.
Exclusions targeting the Temporary ASP.NET Files and Inetsrv folders, as well as the PowerShell and w3wp processes, are no longer required, according to the company, because they no longer affect stability or performance. Admins should instead make a point of scanning these locations and processes, because they are often abused in attacks to deploy malware.
Microsoft recommends that Exchange administrators remove exclusions for the following file paths: %SYSTEMDRIVE%\inetpub\logs\LogFiles, %SYSTEMDRIVE%\Program Files\Microsoft\Exchange Server\V15, and %SYSTEMDRIVE%\Program Files\Microsoft\Exchange Server\V14. Exchange administrators should also configure antivirus software to exclude only specific file types rather than entire directories.
“Keeping these exclusions may prevent detections of IIS webshells and backdoor modules, which represent the most common security issues,” the Exchange Team said.
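As an added example (not code from Microsoft's advisory or the original article), the following PowerShell script audits the Microsoft Defender exclusions on an Exchange Server for the folders and processes the advisory names and, only when asked, removes them. The wildcard patterns are assumptions about where those items live on disk; the names themselves come from the text above.

```powershell
# Added example, not part of the advisory: list (and optionally remove) Defender
# exclusions that match the folders and processes the advisory says to drop.
# Run from an elevated PowerShell session on the Exchange Server.
# Without -Remove the script only reports; with -Remove it deletes the matches.
param(
    [switch]$Remove
)

# Wildcard patterns for the items named in the advisory. The full paths are
# assumptions; only the folder and process names are taken from the text.
$pathPatterns = @(
    '*Temporary ASP.NET Files*',
    '*\System32\inetsrv*',
    '*\inetpub\logs\LogFiles*',
    '*\Microsoft\Exchange Server\V15*',
    '*\Microsoft\Exchange Server\V14*'
)
$processPatterns = @(
    '*PowerShell.exe',
    '*w3wp.exe'
)

# Current Defender configuration, including path and process exclusions.
$pref = Get-MpPreference

# Keep every configured exclusion that matches at least one pattern.
$stalePaths = @($pref.ExclusionPath | Where-Object {
    $candidate = $_
    $pathPatterns | Where-Object { $candidate -like $_ }
})
$staleProcs = @($pref.ExclusionProcess | Where-Object {
    $candidate = $_
    $processPatterns | Where-Object { $candidate -like $_ }
})

if ($stalePaths.Count -eq 0 -and $staleProcs.Count -eq 0) {
    Write-Host 'No exclusions matching the advisory were found.'
    return
}

Write-Host 'Exclusions matching the advisory:'
$stalePaths | ForEach-Object { Write-Host "  path:    $_" }
$staleProcs | ForEach-Object { Write-Host "  process: $_" }

if ($Remove) {
    # Remove-MpPreference accepts arrays, so one call per exclusion type is enough.
    if ($stalePaths.Count -gt 0) { Remove-MpPreference -ExclusionPath $stalePaths }
    if ($staleProcs.Count -gt 0) { Remove-MpPreference -ExclusionProcess $staleProcs }
    Write-Host 'Removed. Verify with Get-MpPreference, then watch detections on these paths.'
} else {
    Write-Host 'Report only. Re-run with -Remove to delete these exclusions.'
}
```

Run it once without `-Remove` to see what would change, and on a test server before production, since removing an exclusion means the antivirus engine will start scanning the IIS worker process and PowerShell on the spot. Servers running a third-party antivirus product need the same list applied through that product's own console instead.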
In addition, the company updated its recommended exclusions list for antivirus software used with Exchange Server. The new list excludes Exchange Server 2019, 2016, 2013, and 2010. The exclusions are intended to improve Exchange Server performance and stability when antivirus software is running on the same server. The update also includes further instructions for configuring antivirus software to work with Exchange Server.
To reduce the risk of attacks, Microsoft also recommends that Exchange administrators use multi-factor authentication and the most recent version of Exchange Server. Microsoft recommends that Exchange administrators keep their systems up to date with the latest security patches, as attackers frequently target vulnerabilities in outdated software.
Exchange administrators should also keep a close eye on their systems for any unusual activity and have a plan in place for dealing with security incidents. Administrators should immediately disconnect the affected system from the network in the event of a security breach to prevent further damage.
The sources for this piece include an article in BleepingComputer.