ProxyShell, ProxyLogon and Microsoft's contradictious Exchange doc for virus scan exceptions

Posted on 2021-08-25 by guenni

Sicherheit (Pexels, allgemeine Nutzung)[German]On August 20, 2021, Microsoft published recommendations on the subject of virus protection for on-premises Microsoft Exchange Servers. Recommendations are also given there regarding the exclusion of certain folders from virus scanning. On the other hand, we are experiencing waves of attacks on Exchange Servers via vulnerabilities such as ProxyShell and ProxyLogon. The attackers then deposit a WebShell on the infected Exchange systems. Therefore, it is reasonable to ask whether Microsoft's recommendations are good advice.

Advertising

Antivirus and Exchange Server

Windows antivirus programs running on Microsoft Exchange servers can be used to improve the security and health of these systems. In the support article Running Windows antivirus software on Exchange servers, Microsoft addresses issues surrounding antivirus for securing Exchange servers. The message: if virus scanners are not configured properly, Windows antivirus software can cause problems in Exchange servers.

Microsoft writes, "The biggest potential problem is that a Windows antivirus program can lock or quarantine an open log or database file that Exchange needs to modify. This can cause serious errors in Exchange Server and possibly create 1018 event log errors as well. Therefore, it is very important to exclude these files from Windows antivirus scanning. In the support article Running Windows antivirus software on Exchange servers, Microsoft specifies a range of folders that administrators should exclude from scanning by antivirus programs.

Folder exclusions a good idea?

Microsoft ex employee and security researcher Kevin Beaumont stumbled across the support post and promptly points out in the following tweet that when it comes to ProxyShell and ProxyLogon attacks, it's important to note that Microsoft's own Exchange documentation instructs administrators to exclude all processes and folders used by attackers.

Exchange Server virus scan excludes

His recommendation is to critically go through the list of folders to exclude and decide what should really be excluded from the scan.

Advertising

Exchange Server virus scan excludes

Advertising
This entry was posted in Security, Software and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).