Hi Jonathan,
The files and folders are still up to date.
The idea is that scanning security tools (such as McAfee, Trellix, CrowdStrike, you name it) should not scan the application (site) content, IIS processes and folders, because they may trigger file change notifications, which may cause w3wp to unexpectedly stop, or strange application behaviour. Also, some other unexpected behaviours may happen with the worker processes (w3wp) when these third-party modules are loaded into them.
Important fact: if the antivirus is Windows Defender, the files, folders and w3wp = worker processes are automatically excluded from the scanning; see the Defender docs here:
Microsoft Defender Antivirus exclusions on Windows Server - Microsoft Defender for Endpoint | Microsoft Learn (web server exclusions section in this article)
You may also check this, specifically for ASP.NET apps hosted on IIS:
Exclude folders from antivirus scanning - ASP.NET | Microsoft Learn
To secure the applications deployed on IIS, you may apply other techniques, and not have the third-party tools loaded into w3wp. A few resources on securing IIS:
Secure Content in IIS Through File System ACLs | Microsoft Learn
Ensure Security Isolation for Web Sites | Microsoft Learn
Windows Server 101: Hardening IIS via Security Control Configuration (microsoft.com)
Of course, you may choose not to have the server exposed to the internet, and have a reverse proxy / load balancer directing the clients to the site.
I find this a very good discussion on how to secure the web server.
Does this answer your query?
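
An added example, not part of the reply above: one way to check whether third-party modules are actually loaded into the running worker processes is to list every DLL in each w3wp.exe whose version metadata does not name Microsoft. The function name `Get-ThirdPartyW3wpModule` and the CompanyName match are assumptions made for this illustration.

```powershell
# Added example: list non-Microsoft modules loaded into running IIS worker processes.
# Run from an elevated PowerShell session on the IIS server; without elevation the
# module list of w3wp processes running under other identities cannot be read.

function Get-ThirdPartyW3wpModule {
    [CmdletBinding()]
    param(
        # Assumption: Microsoft-shipped binaries carry "Microsoft" in CompanyName.
        [string]$TrustedCompanyPattern = 'Microsoft'
    )

    $workers = Get-Process -Name w3wp -ErrorAction SilentlyContinue
    if (-not $workers) {
        Write-Warning 'No running w3wp.exe process found (application pools may be idle).'
        return
    }

    foreach ($proc in $workers) {
        $modules = $null
        try {
            $modules = $proc.Modules
        } catch {
            Write-Warning "Cannot read modules of PID $($proc.Id): $($_.Exception.Message)"
        }
        if (-not $modules) {
            Write-Warning "No module list for PID $($proc.Id); is the session elevated?"
            continue
        }

        foreach ($m in $modules) {
            # Modules without version metadata have an empty CompanyName and are
            # reported too, since they cannot be attributed to Microsoft.
            $company = $m.FileVersionInfo.CompanyName
            if ($company -notmatch $TrustedCompanyPattern) {
                [pscustomobject]@{
                    ProcessId = $proc.Id
                    Module    = $m.ModuleName
                    Company   = $company
                    Path      = $m.FileName
                }
            }
        }
    }
}

Get-ThirdPartyW3wpModule | Sort-Object ProcessId, Company, Module | Format-Table -AutoSize
```

The site's own assemblies will appear in the output as well; the entries to look at are DLLs whose path points into a security product's install folder.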