
Exclusions directly impact the ability of Microsoft Defender Antivirus to block, remediate, or inspect events related to the files, folders, or processes that are added to the exclusion list. This means that features which are directly dependent on the AV engine, such as protection against malware, file IOCs, and certificate IOCs, will not be effective.

Furthermore, Network Protection and Attack Surface Reduction (ASR) rules are also impacted by process exclusions specifically, meaning that a process exclusion on any platform will result in Network Protection or ASR being unable to inspect traffic or enforce rules for that specific process.

Exclusions are technically a protection gap. Keep the following points in mind when you're defining exclusions:

- Consider all your options when defining exclusions. Other options can be as simple as making sure the excluded location has the appropriate access-control lists (ACLs) or setting policies to audit mode at first.
- Recheck and re-enforce mitigations as part of your review process.
- Ideally, avoid defining exclusions in an effort to be proactive. For example, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues, such as those pertaining to performance or application compatibility that exclusions could mitigate.
- Review and audit changes to your list of exclusions. Your security team should preserve context around why a certain exclusion was added to avoid confusion later on. Your security team should be able to provide specific answers to questions about why exclusions exist.

Exchange has supported integration with the Antimalware Scan Interface (AMSI) since the June 2021 Quarterly Updates for Exchange. It's highly recommended to ensure these updates are installed and that AMSI is working, using the guidance provided by the Exchange Team, as this integration gives Defender Antivirus the best ability to detect and block exploitation of Exchange.

Many organizations exclude the Exchange directories from antivirus scans for performance reasons. Microsoft recommends auditing AV exclusions on Exchange systems and assessing whether they can be removed without impacting performance in your environment, to ensure the highest level of protection. Exclusions can be managed by using Group Policy, PowerShell, or systems management tools like Microsoft Endpoint Configuration Manager.
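As an added example (not code from the original article or from Microsoft), the following PowerShell audit lists the current Defender Antivirus exclusions on an Exchange server, records the protection gap each kind opens, and flags any setting override that turns the Exchange AMSI integration off. It assumes the Defender cmdlets are present, that the ExchangeInstallPath environment variable is set (it is on Exchange servers), and that Get-SettingOverride is only available when run from the Exchange Management Shell.

```powershell
# Added example, not from the article: audit Defender AV exclusions on an Exchange
# server and record the protection gap each one opens. Run elevated on the server.
# Assumes Get-MpPreference is available and $env:ExchangeInstallPath is set; the
# AMSI check runs only when the Exchange cmdlet Get-SettingOverride is loaded.

$pref = Get-MpPreference
$exchangeRoot = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath.TrimEnd('\') } else { $null }
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Value, $Impact, $Note) {
    $findings.Add([pscustomobject]@{ Type = $Type; Value = $Value; Impact = $Impact; Note = $Note })
}

# Path and extension exclusions blind the AV engine: malware, file IOC and
# certificate IOC protection no longer apply to whatever matches them.
foreach ($path in $pref.ExclusionPath) {
    $note = ''
    if ($exchangeRoot -and $path.TrimEnd('\').StartsWith($exchangeRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
        $note = 'Under ExchangeInstallPath: confirm it is still needed for performance'
    }
    Add-Finding 'Path' $path 'AV engine cannot scan or remediate this location' $note
}
foreach ($ext in $pref.ExclusionExtension) {
    Add-Finding 'Extension' $ext 'AV engine skips every file with this extension' 'Broad: prefer a specific path if an exclusion is truly required'
}

# Process exclusions are the widest gap: besides the AV engine, Network Protection
# and ASR rules stop inspecting traffic from, or enforcing rules on, that process.
foreach ($proc in $pref.ExclusionProcess) {
    Add-Finding 'Process' $proc 'AV engine, Network Protection and ASR rules do not apply to this process' 'Record the specific issue this addresses, or remove it'
}

# AMSI integration (June 2021 CUs and later) can be switched off with a setting
# override on the Cafe/HttpRequestFiltering component; flag any such override.
if (Get-Command Get-SettingOverride -ErrorAction SilentlyContinue) {
    $amsiOff = Get-SettingOverride | Where-Object {
        $_.ComponentName -eq 'Cafe' -and $_.SectionName -eq 'HttpRequestFiltering' -and
        (($_.Parameters -join ';') -match 'Enabled=false')
    }
    foreach ($o in $amsiOff) {
        $scope = if ($o.Server) { ($o.Server -join ',') } else { 'organization-wide' }
        Add-Finding 'AMSI' $o.Name ('Exchange AMSI integration disabled (' + $scope + ')') ('Reason recorded: ' + $o.Reason)
    }
}

$findings | Sort-Object Type | Format-Table -AutoSize
"{0} exclusion-related findings on {1}" -f $findings.Count, $env:COMPUTERNAME
```

Each row's Note column is where the review owner should fill in the recorded justification for keeping the exclusion, so the list can be re-audited later without guesswork.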
