Gregecslo, Posted October 6, 2022

Hi all! With all the ProxyNotShell and ProxyShell stuff in mind, can you clarify something for all of us? If I have ESS (latest V9) configured like this: does ESET scan for webshells in the HTTP frontend folders? According to https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/

Quote: "Many organizations exclude Exchange directories from antivirus scans for performance reasons. It's highly recommended to audit AV exclusions on Exchange systems and assess if they can be removed without impacting performance and still ensure the highest level of protection."

So what exactly is excluded if we use the above option? Only DB files and logs, or entire folders of Exchange? Thanks!
M.K. (ESET Staff), Posted October 10, 2022

Hi, with automatic exclusions for Exchange Servers we have followed the recommendations from Microsoft, i.e. https://learn.microsoft.com/en-us/exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019
Gregecslo (Author), Posted October 10, 2022

Huh, so basically with this enabled ESET doesn't scan common webshell folders, and they can run almost unrestricted since you also don't scan the w3wp process. MS wording has changed dramatically since last year's ProxyLogon and ProxyShell; have you adopted any of their recommendations from their official blogs? Thanks!
stevenv, Posted October 10, 2022

Quoting Gregecslo (1 hour ago): "Huh, so basically with this enabled ESET doesn't scan common webshell folders, and they can run almost unrestricted since you also don't scan the w3wp process. MS wording has changed dramatically since last year's ProxyLogon and ProxyShell; have you adopted any of their recommendations from their official blogs? Thanks!"

I would also like to know, as from what I see ESET's documentation is limited on this topic. Most vendors have provided some information on signature updates etc. for CVE-2022-41040 and CVE-2022-41082.
Marcos (Administrators), Posted October 10, 2022

Quoting Gregecslo (1 hour ago): "ESET doesn't scan common webshell folders, and they can run almost unrestricted since you also don't scan the w3wp process."

Which folders do you mean? Automatic exclusions are not applied for processes, as stated in https://support.eset.com/en/kb3078: ESET Mail Security for Microsoft Exchange Server applies "Directory/Folder exclusions" only ("Process exclusions" and "File name extension exclusions" are not applied).

Quoting Gregecslo (1 hour ago): "MS wording has changed dramatically since last year's ProxyLogon and ProxyShell; have you adopted any of their recommendations from their official blogs?"

This KB was last updated by MS on July 7, 2022, and the automatic exclusions should be in concordance with the latest recommendations: https://learn.microsoft.com/en-us/exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019