Exchange server exclusions - clarification

Hi all!

With all the ProxyNotShell and ProxyShell stuff in mind, can you clarify something for all of us?

If I have ESS (latest V9) configured like this:
[attached screenshot of the ESS exclusion setting, not reproduced]

Does ESET scan for webshells in the HTTP front-end folders?

According to: https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/

Quote:

"Many organizations exclude Exchange directories from antivirus scans for performance reasons. It's highly recommended to audit AV exclusions on Exchange systems and assess if they can be removed without impacting performance and still ensure the highest level of protection."

So what exactly is excluded if we use the above option? Only DB files and logs, or the entire Exchange folders?

Thanks!


Huh, so basically with this enabled ESET doesn't scan common webshell folders, and they can run almost unrestricted since you also don't scan the w3wp process.

MS wording has changed dramatically since last year's ProxyLogon and ProxyShell; have you adopted any of their recommendations from their official blogs?

Thanks!


1 hour ago, Gregecslo said:

Huh, so basically with this enabled ESET doesn't scan common webshell folders, and they can run almost unrestricted since you also don't scan the w3wp process.

MS wording has changed dramatically since last year's ProxyLogon and ProxyShell; have you adopted any of their recommendations from their official blogs?

Thanks!

I would also like to know, as from what I see ESET's documentation is limited on this topic. Most vendors have provided some information on signature updates etc. for CVE-2022-41040 and CVE-2022-41082.


Administrators
1 hour ago, Gregecslo said:

ESET doesn't scan common webshell folders, and they can run almost unrestricted since you also don't scan the w3wp process.

Which folders do you mean? Automatic exclusions are not applied to processes, as stated in https://support.eset.com/en/kb3078:

ESET Mail Security for Microsoft Exchange Server applies "Directory/Folder exclusions" only ("Process exclusions" and "File name extension exclusions" are not applied)

1 hour ago, Gregecslo said:

MS wording has changed dramatically since last year's ProxyLogon and ProxyShell; have you adopted any of their recommendations from their official blogs?

This KB was last updated by MS on July 7, 2022, and the automatic exclusions should be in concordance with the latest recommendations:

https://learn.microsoft.com/en-us/exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019

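Microsoft's advice quoted in the opening post is to audit the AV exclusions on Exchange servers, and the ESET reply above says the automatic exclusions are directory exclusions only. The PowerShell script below is an added example, not code from this thread, from ESET or from Microsoft. It takes a list of directory exclusions (a constructed sample here; export the real list from your AV console and pass it in) and reports which of the Exchange front-end folders that hosted webshells in published ProxyLogon/ProxyShell incidents fall under an exclusion, then lists recently created or modified script files in those folders. The folder list, the sample $ExclusionPaths, the default install path and the 30-day window are assumptions; the install root is read from the ExchangeInstallPath environment variable that Exchange setup creates.

```powershell
# Added example, not from the thread or from ESET/Microsoft documentation.
# Run in an elevated PowerShell on the Exchange server:
#   .\Audit-ExchangeExclusions.ps1 -ExclusionPaths (Get-Content .\exclusions.txt) -Days 30
param(
    [string[]] $ExclusionPaths = @(
        # Constructed sample exclusion list; replace with the export from your AV console.
        'C:\Program Files\Microsoft\Exchange Server\V15\Mailbox',
        'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs',
        'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd'
    ),
    [int] $Days = 30
)

# Exchange setup sets ExchangeInstallPath system-wide; the fallback is the default install path (assumption).
$root = $env:ExchangeInstallPath
if (-not $root) { $root = 'C:\Program Files\Microsoft\Exchange Server\V15\' }

# Folders served by IIS that held webshells in published ProxyLogon/ProxyShell incident reports
# (folder list is an assumption for this example; extend it for your environment).
$webRoots = @(
    'FrontEnd\HttpProxy\owa\auth',
    'FrontEnd\HttpProxy\ecp\auth',
    'ClientAccess\owa\auth',
    'ClientAccess\ecp\auth'
) | ForEach-Object { Join-Path $root $_ }
$webRoots += 'C:\inetpub\wwwroot\aspnet_client'   # default web site root, also used as a drop location

function Test-PathCoveredByExclusion {
    param([string] $Path, [string[]] $Exclusions)
    $norm = $Path.TrimEnd('\').ToLowerInvariant()
    foreach ($ex in $Exclusions) {
        $e = $ex.TrimEnd('\').ToLowerInvariant()
        # A directory exclusion covers the directory itself and everything below it.
        if ($norm -eq $e -or $norm.StartsWith($e + '\')) { return $ex }
    }
    return $null
}

$cutoff = (Get-Date).AddDays(-$Days)
foreach ($dir in $webRoots) {
    $covered = Test-PathCoveredByExclusion -Path $dir -Exclusions $ExclusionPaths
    $status = if ($covered) { "EXCLUDED by '$covered'" } else { 'scanned' }
    Write-Host "$dir : $status"

    if (Test-Path -LiteralPath $dir) {
        # Server-side script files the real-time scanner never inspects when the folder is excluded.
        Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff } |
            ForEach-Object { Write-Host ("    recent: {0}  (modified {1:u})" -f $_.FullName, $_.LastWriteTime) }
    }
}
```

With the constructed sample list the FrontEnd\HttpProxy folders report as EXCLUDED (the parent FrontEnd directory is excluded) while the ClientAccess and aspnet_client folders report as scanned, which is exactly the kind of gap the Microsoft recommendation asks you to look for; any .aspx file listed under "recent" in an authentication folder warrants a manual look, since legitimate updates to those folders happen only with Exchange cumulative or security updates.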