Tags: asp.net, iis, antivirus

Antivirus Exclusion List for ASP.NET applications hosted on IIS


Microsoft recommends excluding a set of folders from anti-virus scanning when running ASP.NET apps on IIS. This seems quite dangerous, and I wonder if it is still recommended.

https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/aspnet/www-administration-management/exclude-folders-antivirus-scanning

https://techcommunity.microsoft.com/t5/iis-support-blog/antivirus-exclusion-list-for-asp-net-applications-hosted-on-iis/bc-p/4153826#M856

  • Can the antivirus exclusions to certain folders be more specific?
  • Which files in particular require the antivirus exception AND still guarantee optimized application?
  • If the exceptions cannot be specific, and MUST be at that level (wwwroot etc), how are those folders to remain safe from certain targeted attacks?
  • The concern is that if antivirus checks on those folders are to keep those files safe from external/virus attacks, doesn’t this make the system vulnerable to attacks if the antivirus software is not checking them?

I've tried looking for advice from Microsoft beyond these articles and found nothing concrete.


Solution

  • Just because you don't run an antivirus program on said files/folders, it does not mean that they are open to attacks. The web server should be properly configured to prevent unauthorized access as needed. Everything should be locked down except for what users are allowed to access (minimum access policy). IIS and Windows already know how to do this well. You just need to make sure you configure it properly. Check out this article for best practices.

    It is, however, your application's responsibility to enforce certain levels of security. For instance, if you are allowing file uploads, you should exercise care over what extensions you allow, how you save those files locally, and where you save them. You can then have your antivirus scan your target upload folder without affecting other parts that may trigger AppDomain unloads, as mentioned in the links you provided.

    Lastly, if you are really worried about this, you can always schedule scans of the whole structure every so often at a time that is convenient to you based on usage in order to minimize the impact on performance (e.g. full scan once every 24 hours at 2am).
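The following PowerShell script is an added example and is not part of the original question or answer, nor Microsoft's own guidance. It shows the scoped approach the answer describes on a server running Microsoft Defender: exclude only the specific ASP.NET and IIS folders (paths of the kind the linked Microsoft article names; the .NET version and site layout are assumptions, adjust them to your install), keep a separately located upload folder scanned, and schedule a full scan at 02:00 daily. The site path `C:\inetpub\wwwroot\MySite` and upload path `D:\SiteData\uploads` are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): scoped Microsoft Defender exclusions for an
# ASP.NET site on IIS. Paths below are assumptions for a typical .NET Framework 4.x install.

$siteRoot  = 'C:\inetpub\wwwroot\MySite'   # assumed site content folder
$uploadDir = 'D:\SiteData\uploads'         # assumed upload folder, deliberately outside the site root

# Folders of the kind the Microsoft article lists: ASP.NET dynamic compilation output,
# framework and IIS configuration, the IIS compression cache, and the site content itself.
$exclusions = @(
    "$env:SystemRoot\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files",
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files",
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Config",
    "$env:SystemRoot\System32\inetsrv\config",
    "$env:SystemDrive\inetpub\temp\IIS Temporary Compressed Files",
    $siteRoot
)

foreach ($path in $exclusions) {
    # Never exclude a whole drive; that is the over-broad exclusion the question worries about.
    if ($path -match '^[A-Za-z]:\\?$') {
        throw "Refusing to exclude an entire drive: $path"
    }
    # Refuse any exclusion that would silently cover the user-writable upload folder.
    if ($uploadDir.StartsWith($path, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Exclusion '$path' would cover the upload folder '$uploadDir'; move uploads out of that tree."
    }
    Add-MpPreference -ExclusionPath $path
}

# Note: a process exclusion (Add-MpPreference -ExclusionProcess 'w3wp.exe') would exclude every
# file the worker process opens, uploads included, so the path form above is the scoped choice.

# Off-peak full scan of everything, exclusions included: every day (0) at 02:00.
# ScanParameters 2 = full scan (1 = quick scan).
Set-MpPreference -ScanParameters 2 -ScanScheduleDay 0 -ScanScheduleTime 02:00:00

# On-demand scan of the upload folder, e.g. after a batch of uploads lands.
Start-MpScan -ScanType CustomScan -ScanPath $uploadDir

# Verify the resulting configuration.
Get-MpPreference | Select-Object ExclusionPath, ScanParameters, ScanScheduleDay, ScanScheduleTime
```

Exclusions are readable by anyone who can run `Get-MpPreference` on the box, so assume an attacker who gets code execution there will learn them; keeping the list to specific folders, and keeping writable upload locations out of every excluded tree, limits what that knowledge buys them.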