[German]On August 20, 2021, Microsoft published recommendations on the subject of virus protection for on-premises Microsoft Exchange Servers. Recommendations are also given there regarding the exclusion of certain folders from virus scanning. On the other hand, we are experiencing waves of attacks on Exchange Servers via vulnerabilities such as ProxyShell and ProxyLogon. The attackers then deposit a WebShell on the infected Exchange systems. Therefore, it is reasonable to ask whether Microsoft's recommendations are good advice.
Antivirus and Exchange Server
Windows antivirus programs running on Microsoft Exchange servers can be used to improve the security and health of these systems. In the support article Running Windows antivirus software on Exchange servers, Microsoft addresses issues surrounding antivirus for securing Exchange servers. The message: if virus scanners are not configured properly, Windows antivirus software can cause problems in Exchange servers.
Microsoft writes, "The biggest potential problem is that a Windows antivirus program can lock or quarantine an open log or database file that Exchange needs to modify. This can cause serious errors in Exchange Server and possibly create 1018 event log errors as well. Therefore, it is very important to exclude these files from Windows antivirus scanning. In the support article Running Windows antivirus software on Exchange servers, Microsoft specifies a range of folders that administrators should exclude from scanning by antivirus programs.
Folder exclusions a good idea?
Microsoft ex employee and security researcher Kevin Beaumont stumbled across the support post and promptly points out in the following tweet that when it comes to ProxyShell and ProxyLogon attacks, it's important to note that Microsoft's own Exchange documentation instructs administrators to exclude all processes and folders used by attackers.
His recommendation is to critically go through the list of folders to exclude and decide what should really be excluded from the scan.
Cookies helps to fund this blog: Cookie settings