Update on the Exchange Server Antivirus Exclusions
Published Feb 23 2023 12:21 PM

For years we have been saying that running security software that does any monitoring (active or passive) or inspection of Exchange processes or file paths (anti-virus, for example) on your Exchange servers can enhance the security and health of your Exchange organization. We’ve also said that if you are deploying security software on Exchange servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both scheduled and real-time scanning.

But times have changed, and so has the cybersecurity landscape. We’ve found that some existing exclusions, namely the Temporary ASP.NET Files and Inetsrv folders and the PowerShell and w3wp processes, are no longer needed, and that it is much better to scan these files and folders. Keeping these exclusions may prevent detection of IIS webshells and backdoor modules, which represent the most common security issues. So, we now recommend that you remove the following exclusions from your file-level AV scanner:

Folders:

%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
%SystemRoot%\System32\Inetsrv

Processes:

%SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe
%SystemRoot%\System32\inetsrv\w3wp.exe

We’ve validated that removing these processes and folders doesn’t affect performance or stability when using Microsoft Defender on Exchange Server 2019 running the latest Exchange Server updates.

We also believe that these exclusions can be safely removed from servers running Exchange Server 2016 and Exchange Server 2013 (decommissioning before April, right?). So, feel free to remove the exclusions from those versions, as well. If any issues arise, simply put the exclusions back in place, and report the issue to us.
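Here is one way to carry out the removal (and the rollback mentioned above) on a server that uses Microsoft Defender Antivirus as its file-level scanner. This is an added example, not code from the Exchange Server Team post; it assumes the Defender PowerShell module (Get-MpPreference, Remove-MpPreference, Add-MpPreference) is present and the session is elevated. The function names are ours.

```powershell
# Added example, not code from the Exchange Server Team post. It removes the four
# exclusions the post says are no longer needed from Microsoft Defender Antivirus,
# reports what it found, and can put them back if a problem turns up.
# Assumptions: Defender Antivirus is the file-level scanner, the Defender module
# (Get-MpPreference / Remove-MpPreference / Add-MpPreference) is present, and the
# shell is elevated. The function names are ours, not Microsoft's.

# Exclusions exactly as listed in the post.
$StaleFolders = @(
    '%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files',
    '%SystemRoot%\System32\Inetsrv'
)
$StaleProcesses = @(
    '%SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe',
    '%SystemRoot%\System32\inetsrv\w3wp.exe'
)

function Get-PathVariants {
    # Removal only matches the stored string, so try both the %SystemRoot%
    # form and the expanded form (e.g. C:\Windows\...), trailing backslash trimmed.
    param([string[]]$Templates)
    foreach ($t in $Templates) {
        $t.TrimEnd('\')
        $t.Replace('%SystemRoot%', $env:SystemRoot).TrimEnd('\')
    }
}

function Find-StaleExchangeExclusions {
    # Returns the currently configured exclusions that match the stale list
    # (comparison is case-insensitive, as -contains is for strings).
    $pref = Get-MpPreference
    $folderVariants  = @(Get-PathVariants $StaleFolders)
    $processVariants = @(Get-PathVariants $StaleProcesses)
    [pscustomobject]@{
        Folders   = @($pref.ExclusionPath    | Where-Object { $_ -and ($folderVariants  -contains $_.TrimEnd('\')) })
        Processes = @($pref.ExclusionProcess | Where-Object { $_ -and ($processVariants -contains $_.TrimEnd('\')) })
    }
}

function Remove-StaleExchangeExclusions {
    # -ReportOnly lists the matching exclusions without changing anything.
    param([switch]$ReportOnly)
    $found = Find-StaleExchangeExclusions
    if ($found.Folders.Count -eq 0 -and $found.Processes.Count -eq 0) {
        Write-Host 'None of the stale exclusions are configured locally.'
        return $found
    }
    $found.Folders   | ForEach-Object { Write-Host "Folder exclusion:  $_" }
    $found.Processes | ForEach-Object { Write-Host "Process exclusion: $_" }
    if ($ReportOnly) { return $found }
    if ($found.Folders.Count   -gt 0) { Remove-MpPreference -ExclusionPath    $found.Folders }
    if ($found.Processes.Count -gt 0) { Remove-MpPreference -ExclusionProcess $found.Processes }
    Write-Host 'Stale exclusions removed.'
    return $found
}

function Restore-StaleExchangeExclusions {
    # Rollback, as the post suggests if issues arise: re-add the exclusions.
    Add-MpPreference -ExclusionPath    $StaleFolders
    Add-MpPreference -ExclusionProcess $StaleProcesses
}

# Usage:
#   Remove-StaleExchangeExclusions -ReportOnly   # show what would change
#   Remove-StaleExchangeExclusions               # remove them
#   Restore-StaleExchangeExclusions              # put them back if needed
```

Run it with -ReportOnly first so you can see which of the four exclusions are actually present on a given server. If the exclusions are delivered by Group Policy, Intune, or another management channel, the policy setting takes precedence over local preferences and the change has to be made in that policy rather than with Remove-MpPreference. For a scanner other than Defender, apply the same four removals through that vendor's configuration.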

The Exchange Server Team

Last update: Jan 12 2024 01:22 PM