Paused to Allow Integration with Windows Antimalware Scan Interface
The PR departments of major corporations are addicted to releasing bad news on Friday, preferably the Friday of a holiday weekend. This isn’t to say that Microsoft’s decision to notify customers of a two-week delay in the quarterly cumulative update for Exchange Server is bad news. It’s not, but it is odd that Microsoft chose to release the information on June 11 instead of June 15, when people expected the updates. Instead, the updates will appear on June 29.
I’m puzzled because I think the reason behind the delay is good news. Microsoft obviously struggled to cope with the effect of the Hafnium attack in March and has suffered a huge amount of adverse commentary since, not helped by the link with the ransomware attack on Colonial Pipeline. Colonial’s CEO subsequently said that an old VPN was the vulnerability, but Exchange Server is still tagged in the minds of many when problems emerge.
Linking in Antimalware Scans
Viewed in that context, you’d imagine that taking two extra weeks to complete the integration of Exchange Server with the Windows Antimalware Scan Interface (AMSI) is something customers should applaud. AMSI is a standard Windows component which can connect to any antimalware product supporting AMSI. Its purpose is “to scan content in HTTP requests sent to Exchange Server and block a malicious request before it is handled by Exchange Server. The scan is performed in real-time by any AMSI-capable antivirus/antimalware solution that runs on the Exchange server as the server begins to process the request.” Given that many attacks on Exchange start with HTTP requests to something like the OWA virtual directory, being able to intercept potentially malicious requests is a good thing. Note that the scan runs as the server begins to process the request, so it complements patching rather than replacing it: an unpatched server still carries the underlying flaw, and the scan only blocks requests the installed antimalware product recognizes as malicious.
Windows Server 2016 and later include Microsoft Defender Antivirus (MDAV), and Exchange can use MDAV via AMSI. Defender is not mandatory, but if it’s enabled and running on the same server, Exchange will use Defender. If not, Exchange can use any other antimalware service which supports AMSI.
Microsoft points out that it can deploy updated MDAV signatures to recognize exploits when new attacks become known. In a situation like Hafnium, this means that servers using MDAV can download signature updates that recognize the hallmarks of the attack, independently of the Exchange security update that fixes the underlying flaw.
Recent Versions Only
The downside is that AMSI is available only on Windows Server 2016 or later, ruling out a bunch of Exchange servers running on Windows Server 2012 R2. Only Exchange 2016 and Exchange 2019 support the integration with AMSI. Microsoft is giving a strong hint here to on-premises customers that they should run recent versions of Exchange on recent operating systems if they expect to take advantage of new technology to avoid attacks. If you run old versions of Exchange Server, like Exchange 2010 and 2013, then you’re on your own and you had better have a locked-down operation to keep hackers at bay.
Microsoft further notes that after it releases the June cumulative updates, it will only support the March 2021 and June 2021 cumulative updates for future security updates. I don’t quite understand how any competent on-premises administrator has not updated and secured their Exchange servers by now, but this is another strong hint to get current and stay current (including if you run a hybrid environment).
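As an added readiness check that covers the prerequisites in the two preceding sections (this is my example script, not Microsoft’s code and not from the original post), the following PowerShell tests the operating-system level, the Exchange version and CU, the AMSI providers registered on the box, Defender’s state if Defender is the provider, and whether a setting override has switched the scan off. The minimum build numbers, the AMSI provider registry path and the Cafe/HttpRequestFiltering override name are assumptions drawn from Microsoft’s published Exchange build table and later feature documentation, not from this article; check them against current Microsoft documentation before relying on the result.

```powershell
# Added example (not from the article or from Microsoft): pre-flight check that an
# on-premises Exchange server meets the prerequisites for AMSI request scanning.
# Run in the Exchange Management Shell on the server itself.

function Test-ExchangeAmsiReadiness {
    [CmdletBinding()]
    param([string]$Server = $env:COMPUTERNAME)

    $r = [ordered]@{ Server = $Server }

    # 1. Operating system: AMSI ships with Windows Server 2016 (NT 10.0) and later,
    #    so Windows Server 2012 R2 (6.3) fails here regardless of the Exchange version.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $r.OSCaption      = $os.Caption
    $r.OSSupportsAmsi = [version]$os.Version -ge [version]'10.0'

    # 2. Exchange version: only Exchange 2016 (15.1) and 2019 (15.2) integrate with AMSI,
    #    and only on the March 2021 or later CUs. The minimum builds below are an
    #    assumption taken from Microsoft's published build table, not from the article.
    $ex = Get-ExchangeServer -Identity $Server
    $versionText = "$($ex.AdminDisplayVersion)"        # e.g. "Version 15.1 (Build 2242.4)"
    $build = [version]($versionText -replace '^Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)$', '$1.$2.$3.$4')
    $minBuild = switch ("$($build.Major).$($build.Minor)") {
        '15.1'  { [version]'15.1.2242.4' }   # Exchange 2016 CU20 (March 2021)
        '15.2'  { [version]'15.2.858.5'  }   # Exchange 2019 CU9  (March 2021)
        default { $null }                    # Exchange 2013 (15.0) or 2010 (14.x): no AMSI integration
    }
    $r.ExchangeBuild     = $build.ToString()
    $r.ExchangeSupported = ($null -ne $minBuild) -and ($build -ge $minBuild)

    # 3. Registered AMSI providers. Each provider is a CLSID subkey under
    #    HKLM\SOFTWARE\Microsoft\AMSI\Providers; its friendly name is the (default)
    #    value of the matching HKLM\SOFTWARE\Classes\CLSID key.
    $providerKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    $providers = @()
    if (Test-Path $providerKey) {
        $providers = Get-ChildItem $providerKey | ForEach-Object {
            $clsid = $_.PSChildName
            $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
            if ($name) { "$name $clsid" } else { $clsid }
        }
    }
    $r.AmsiProviderCount = @($providers).Count
    $r.AmsiProviders     = $providers -join '; '

    # 4. Defender state, when Defender is the provider. Get-MpComputerStatus is absent
    #    when Defender is not installed, so treat that as "no Defender", not as an error.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $r.DefenderAMServiceEnabled   = $mp.AMServiceEnabled
        $r.DefenderRealTimeProtection = $mp.RealTimeProtectionEnabled
        $r.DefenderSignatureAgeDays   = $mp.AntivirusSignatureAge   # stale signatures miss new exploits
    } catch {
        $r.DefenderAMServiceEnabled   = $false
        $r.DefenderRealTimeProtection = $false
    }

    # 5. Has someone switched the scan off? Assumption: the feature is controlled by a
    #    setting override on the Cafe component's HttpRequestFiltering section, as in
    #    Microsoft's later documentation of the feature (not stated in the article).
    $override = Get-SettingOverride -ErrorAction SilentlyContinue |
        Where-Object { $_.ComponentName -eq 'Cafe' -and $_.SectionName -eq 'HttpRequestFiltering' }
    $r.AmsiScanOverride = if ($override) {
        ($override | ForEach-Object { "$($_.Name): $($_.Parameters -join ',')" }) -join '; '
    } else { 'none' }

    # Overall verdict: OS and Exchange level OK, at least one provider registered, no override.
    $r.ReadyForAmsiScanning = $r.OSSupportsAmsi -and $r.ExchangeSupported -and
                              ($r.AmsiProviderCount -gt 0) -and ($r.AmsiScanOverride -eq 'none')

    [pscustomobject]$r
}

Test-ExchangeAmsiReadiness | Format-List
```

A server that fails the OS or Exchange checks cannot be helped by the feature at all; one that passes them but reports no AMSI provider or a disabling override is simply not scanning, which is worth knowing before you count it as covered.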
Watch out for AMSI compatibility with virus scanner settings. It can massively slow down your Outlook connection and performance.