Microsoft's Exchange Server team has revised its recommendations regarding antivirus scan exclusions and is asking administrators to review and, where necessary, adjust their antivirus software settings. The reason is a change in the cyber threat landscape.
Antivirus software on Exchange Server
Antivirus software on Microsoft Exchange servers can improve the security and health of an Exchange installation. However, incorrect configuration of Windows antivirus programs can cause problems in Exchange Server. Antivirus programs for Windows perform two checks:
- Memory-resident scanning, or real-time protection, monitors all files and processes loaded and running in a computer's active memory.
- File-level scanning checks the files on disk for viruses, either manually or at regular intervals. Some antivirus programs also trigger this automatically as an on-demand scan when the virus signatures are updated.
Microsoft writes in its article Running Windows antivirus software on Exchange servers, updated on February 23, 2023, that the biggest potential problem is that a Windows antivirus program can lock or quarantine an open log or database file that Exchange needs to modify. This can cause serious errors in Exchange Server and potentially create 1018 event log errors as well. Therefore, it is very important to exclude these files from scanning by the Windows antivirus program.
Another problem is that Windows antivirus programs cannot replace email-based antispam and antimalware solutions, because Windows antivirus programs running on Windows servers cannot detect viruses, malware and spam that are spread only via email. The document then specifies exceptions of various folders as well as the Exchange installation path that should be excluded from the scan.
Microsoft adjusts recommendations
In a Tech Community post, Update on the Exchange Server Antivirus Exclusions, from Feb. 23, 2023, Microsoft addressed this, writing that the cybersecurity landscape has changed. It noted that the previous scan exclusions for the following folders may no longer apply:
- Temporary ASP.NET Files
- Inetsrv
and the processes
- PowerShell.exe
- w3wp.exe
Microsoft writes that it is now much better to scan these files and folders. Keeping these exclusions may prevent detection of the most common security issues, namely IIS webshells and backdoor modules. Microsoft therefore recommends that Exchange administrators remove the exclusions for the following folders and processes from their file-level AV scanner:
- %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
- %SystemRoot%\System32\Inetsrv
- %SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe
- %SystemRoot%\System32\inetsrv\w3wp.exe
Microsoft's developers write that they have verified this: removing these exclusions, i.e. letting the antivirus software scan these processes and folders, has no impact on performance or stability when using Microsoft Defender on Exchange Server 2019 with the latest Exchange Server updates.
Microsoft also believes that these exclusions can be safely removed on servers running Exchange Server 2016 and Exchange Server 2013. If this is applied to Exchange Server 2013 (support ends in April 2023, see Microsoft advises end of support for Exchange Server 2013 on April 11, 2023) or Exchange Server 2016, administrators should keep an eye on these on-premises servers and watch for issues.
If unexpected problems occur with an Exchange Server version, the exclusions can simply be set again. Microsoft asks that such problems be reported. Has anyone already implemented this and encountered problems?
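As an added example (not from the blog post or from Microsoft), the following PowerShell script audits a Microsoft Defender installation for exactly the four exclusions listed above and, with the -Remove switch, removes them; it assumes Microsoft Defender Antivirus is the AV product in use and an elevated session on the Exchange server.

```powershell
# Added example: audit Microsoft Defender exclusions against the folders and
# processes Microsoft now recommends scanning again, optionally remove them.
# Assumes Microsoft Defender Antivirus and an elevated PowerShell session.
param([switch]$Remove)

# The four entries from Microsoft's post, with %SystemRoot% expanded.
$FoldersToUnexclude = @(
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files",
    "$env:SystemRoot\System32\Inetsrv"
)
$ProcessesToUnexclude = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\PowerShell.exe",
    "$env:SystemRoot\System32\inetsrv\w3wp.exe"
)

# Normalise for comparison: expand %VAR% syntax, drop trailing backslash, lower-case.
function Normalize([string]$p) {
    [Environment]::ExpandEnvironmentVariables($p).TrimEnd('\').ToLowerInvariant()
}

$targetFolders = @($FoldersToUnexclude | ForEach-Object { Normalize $_ })
# Process exclusions may be stored as a full path or as the bare image name.
$targetProcs = @($ProcessesToUnexclude | ForEach-Object {
    (Normalize $_); ([IO.Path]::GetFileName($_)).ToLowerInvariant()
})

$pref = Get-MpPreference
$foundPaths = @($pref.ExclusionPath | Where-Object {
    $_ -and ($targetFolders -contains (Normalize $_))
})
$foundProcs = @($pref.ExclusionProcess | Where-Object {
    $_ -and ($targetProcs -contains (Normalize $_))
})

Write-Host "Folder exclusions still present that Microsoft now recommends scanning:"
$foundPaths | ForEach-Object { Write-Host "  $_" }
Write-Host "Process exclusions still present that Microsoft now recommends scanning:"
$foundProcs | ForEach-Object { Write-Host "  $_" }

if ($Remove) {
    if ($foundPaths.Count -gt 0) { Remove-MpPreference -ExclusionPath $foundPaths }
    if ($foundProcs.Count -gt 0) { Remove-MpPreference -ExclusionProcess $foundProcs }
    Write-Host "Exclusions removed. Monitor the server; re-add them only if problems appear."
}
```

Run it without -Remove first to see what would change; the Exchange database and log paths from Microsoft's exclusion article are deliberately not touched.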
Exchange Server Security Updates (February 14, 2023)
Microsoft's February 2023 Patchday: Incorrect updates in WSUS, Exchange and Windows
Microsoft recommends patching Exchange Server (Jan. 2023)
February 2023 Patchday: EWS problems after Exchange Server security update
Microsoft advises end of support for Exchange Server 2013 on April 11, 2023
Exchange 2019: Does the January 2023 SU with CU 12 trigger the index problem again?
Microsoft Exchange January 2023 patchday issues