Hi Nino_Bilic,
I have encountered the same issue as MarcelWie with quarantining of w3wp.exe (amsi:_\Device\HarddiskVolume2\Windows\System32\inetsrv\w3wp.exe). We have followed the updated AV exclusions advice as announced by ScottSchnoll at MEC Tech Airlift, as I suspect that Marcel has also. Consequently, this directory and process are no longer excluded from AV scanning.
We had CU22 with November Exchange Security Update, applied CU23 and then the November Exchange Security Update for CU23. The server was offline throughout the procedure.
We have Emergency Mitigations enabled and have not removed the applied mitigations.
However, I am really struggling to absorb your statement: "it does not indicate compromise, rather the scan for vulnerability". W3wp.exe has been quarantined by Defender. That is not an advisory. That is breaking functionality. We are trying our best to follow Microsoft recommendations, but we cannot have key components for Exchange quarantined incorrectly.
I have a case open as we have upgraded 23 servers so far and consider any of those servers as susceptible to the same behaviour, but also need confirmation that the executable has not been infected whilst the relevant protection is in place.