IIS Support Blog
Antivirus Exclusion List for ASP.NET applications hosted on IIS

Feb 15, 2019

This article lists the folders that need to be excluded from antivirus scanning for ASP.NET applications hosted on IIS:

1. The physical folders holding the web site's content, whether they are local folders or network shares.

The default location is given below; however, your content may reside in a different directory. Check the physical path that your website and the virtual directories under it point to, in order to identify the correct folders.

C:\inetpub\wwwroot

2. .NET Framework config directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config

3. ASP.NET temporary files directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files

4. IIS config folder

If you are running IIS with shared configuration and your server hosts the configuration in a different location, make sure to exclude that location from the scan as well. More information about shared configuration can be found here.

%SystemDrive%\Windows\System32\inetsrv\config\

5. IIS Temporary Compressed Files

%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
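To resolve the content paths of item 1 from IIS itself, together with the fixed folders from items 2 to 5, the following is an added PowerShell example (not part of the original article). It assumes the WebAdministration module is present and that the antivirus is Microsoft Defender (Add-MpPreference); other products need their own exclusion mechanism. By default it only reports; exclusions are written only with -Apply.

```powershell
# Added example, not from the original article. Assumes the IIS WebAdministration
# module and Microsoft Defender as the antivirus; -Apply is off by default so the
# script only reports the resolved list.
param([switch]$Apply)

Import-Module WebAdministration -ErrorAction Stop

# Fixed locations from the article; %SystemDrive% and %windir% come from the environment.
$static = @(
    "$env:SystemDrive\Windows\System32\inetsrv\config",
    "$env:SystemDrive\inetpub\temp\IIS Temporary Compressed Files"
)
foreach ($fw in 'Framework', 'Framework64') {
    foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
        $base = "$env:windir\Microsoft.NET\$fw\$ver"
        $static += "$base\Config"
        $static += "$base\Temporary ASP.NET Files"
    }
}

# Content paths: read what each site, application and virtual directory actually
# points to instead of assuming C:\inetpub\wwwroot.
$content = foreach ($site in Get-Website) {
    $site.physicalPath
    (Get-WebApplication -Site $site.Name).PhysicalPath
    (Get-WebVirtualDirectory -Site $site.Name).PhysicalPath
}

# Expand %SystemDrive%-style variables in IIS paths, drop empties and duplicates,
# and keep only folders that exist so a typo in IIS config is not excluded blindly.
$paths = ($static + $content) |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Sort-Object -Unique |
    Where-Object { Test-Path -LiteralPath $_ }

# Compare against Defender's explicitly configured path exclusions.
$existing = (Get-MpPreference).ExclusionPath
$missing  = @($paths | Where-Object { $existing -notcontains $_ })

Write-Host 'Resolved IIS/ASP.NET paths:'; $paths   | ForEach-Object { "  $_" }
Write-Host 'Not yet excluded:';           $missing | ForEach-Object { "  $_" }

if ($Apply -and $missing.Count -gt 0) {
    Add-MpPreference -ExclusionPath $missing
}
```

Review the reported list before running with -Apply; where Defender is the antivirus, the automatic Web Server role exclusions mentioned in the reply below may already cover these folders, and anything written into an excluded folder is no longer scanned.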

Author: Amol Mehrotra

  • Hi Jonathan,

    The files and folders are still up to date.

    The idea is that scanning security tools (such as McAfee, Trellix, CrowdStrike, you name it) should not scan the application (site) content, IIS processes and folders, because they may trigger file change notifications, which may cause w3wp to unexpectedly stop, or strange application behaviour. Also, some other unexpected behaviours may happen with the worker processes (w3wp) when these third-party modules are loaded into them.

    Important fact: if the antivirus is Windows Defender, the files, folders and w3wp (worker processes) are automatically excluded from the scanning; see the Defender docs here:

    Microsoft Defender Antivirus exclusions on Windows Server - Microsoft Defender for Endpoint | Microsoft Learn (web server exclusions section in this article)

    You may also check this, specifically for ASP.NET apps hosted on IIS:

    Exclude folders from antivirus scanning - ASP.NET | Microsoft Learn

    To secure the applications deployed on IIS, you may apply other techniques, and not have the third-party tools loaded into the w3wp. A few resources on securing IIS:

    Secure Content in IIS Through File System ACLs | Microsoft Learn

    Ensure Security Isolation for Web Sites | Microsoft Learn

    Windows Server 101: Hardening IIS via Security Control Configuration (microsoft.com)

    Of course, you may choose not to have the server exposed to the internet, and have a reverse proxy / load balancer directing the clients to the site.

    I find this a very good discussion on how to secure the web server.

    Does this answer your query?


    • thintz

      Passing buffers through the AMSI interface seems to never trigger a response from an IIS hosted application. Is that true, and if so how can AMSI be enabled for an IIS process?

  • Hi, is this advice still current, and if so:
    • Can the antivirus exclusions to certain folders be more specific?
      • Which files in particular require the antivirus exception AND still guarantee an optimized application?
    • If the exceptions cannot be specific, and MUST be at that level (wwwroot etc.), how are those folders to remain safe from certain targeted attacks?
    The concern is that if antivirus checks on those folders are to keep those files safe from external/virus attacks, doesn't this make the system vulnerable to attacks if the antivirus software is not checking them?