{"id":2235,"date":"2018-11-27T11:02:00","date_gmt":"2018-11-27T10:02:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/lavanack\/?p=2235"},"modified":"2022-05-30T13:52:25","modified_gmt":"2022-05-30T11:52:25","slug":"exclusions-antivirus-pour-iis-antivirus-exclusions-for-iis","status":"publish","type":"post","link":"https:\/\/laurentvanacker.com\/index.php\/2018\/11\/27\/exclusions-antivirus-pour-iis-antivirus-exclusions-for-iis\/","title":{"rendered":"Exclusions antivirus pour IIS \/ Antivirus exclusions for IIS"},"content":{"rendered":"<div id=\"fr-FR\"><a href=\"#en-US\">English version<\/a><\/div>\n<p align=\"justify\">In the context of an IIS audit or an <a href=\"http:\/\/go.microsoft.com\/fwlink\/?LinkID=393865\">IIS RaaS<\/a>, one of the verification points is the presence of an antivirus and, where applicable, its configuration. An antivirus can be a valuable ally in securing your server but can also be your worst enemy in terms of performance.<\/p>\n<p align=\"justify\">An inappropriate configuration (often the default one) will significantly reduce the performance of your server. In this article I propose to list some good practices and to go through the exclusions to put in place to optimize your server. 
Of course, all these recommendations must be put in your own context and discussed with your security team or your <a href=\"https:\/\/fr.wikipedia.org\/wiki\/Responsable_de_la_s\u00e9curit\u00e9_des_syst\u00e8mes_d%27information\">CISO<\/a>.<\/p>\n<p align=\"justify\">The locations specified here are the default locations (it is sometimes recommended to use another location: log files, web content, etc.)<\/p>\n<p align=\"justify\"><strong>Antivirus Solution <\/strong><\/p>\n<p align=\"justify\">Antivirus software, useful for preventing malware and other viruses on your web servers, can also work in detection and removal mode. It is recommended to have an antivirus on production servers to regularly scan the content folders and the system in general for any malicious programs that might be there. However, the antivirus must be configured carefully to avoid any unnecessary overhead on the system. Not having an antivirus offers a performance benefit but leaves your system vulnerable to attacks and malware.<\/p>\n<p align=\"justify\"><strong>Real-time scan<\/strong><\/p>\n<p align=\"justify\">A real-time scan provides continuous protection of the server against malicious content that could affect your system. However, it is recommended to configure it appropriately to reduce the associated overhead on the servers.<\/p>\n<p align=\"justify\"><b>Read scan<\/b><\/p>\n<p align=\"justify\">Real-time scanning adds an overhead on your server that is sometimes not negligible. 
One possible optimization is to disable scanning on read. However, the issue of a USB key (or any removable drive) plugged into the server remains. It could be the source of execution of potentially dangerous programs, and these would not be intercepted by the antivirus. It is therefore recommended not to connect external devices to the servers to mitigate this problem.<\/p>\n<p align=\"justify\"><strong>Write scan<\/strong><\/p>\n<p align=\"justify\">One of the main actions that can make a server vulnerable is the introduction of malware into the system. This is usually done by copying infected content to the server. Scanning writes to the server in real time will help you protect the server against such attack vectors (intentional or not). Since writes are infrequent in the content folders and system folders, it is recommended to enable it on these locations.<\/p>\n<p align=\"justify\"><strong>Exclusions<\/strong><\/p>\n<ul>\n<li>\n<div align=\"justify\"><b>Worker processes<\/b><\/div>\n<\/li>\n<\/ul>\n<p>Web content is served by the processes of the \u201cApplication Pools\u201d. They are called \u201cworker processes\u201d (w3wp.exe). 
If you are confident in the content generated by your code, you can add these binaries to the exclusions of your antivirus:<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>64-bit worker process : %SYSTEMROOT%\\system32\\inetsrv\\w3wp.exe<\/em><\/strong><\/li>\n<li><strong><em>32-bit worker process : <\/em><\/strong><strong><em>%SYSTEMROOT%\\SysWOW64\\inetsrv\\w3wp.exe<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>\n<div align=\"justify\"><b>Log Files<\/b><\/div>\n<\/li>\n<\/ul>\n<p align=\"justify\">One of the most active directories on a web server from a write perspective is the log directory of the applications and sites hosted on the server. Ideally, these locations should be moved to a disk\/partition outside the system disk. It is also recommended to exclude these directories from real-time write scanning so as not to overload the server unnecessarily.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>Default Logging Location : %SYSTEMDRIVE%\\Inetpub\\Logs\\LogFiles<\/em><\/strong><\/li>\n<li><strong><em>Default FREB Logging Location : %SYSTEMDRIVE%\\inetpub\\logs\\FailedReqLogFiles<\/em><\/strong><\/li>\n<li><strong><em>Default HTTP.SYS Logging Location : %WINDIR%\\System32\\LogFiles\\HTTPERR<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>\n<div align=\"justify\"><b>Temporary Compressed Files<\/b><\/div>\n<\/li>\n<\/ul>\n<p align=\"justify\">The IIS Temporary Compressed Files directory is constantly written to by the worker process when handling static content. 
The resulting overhead on the system can be reduced by excluding writes to this folder (in particular on an already busy system).<\/p>\n<p align=\"justify\"><strong><em>%SYSTEMDRIVE%\\Inetpub\\temp\\IIS Temporary Compressed Files<\/em><\/strong><\/p>\n<p align=\"justify\"><strong>\u00a0<\/strong><\/p>\n<ul>\n<li>\n<div align=\"justify\"><strong>Temporary ASP.NET Files<\/strong><\/div>\n<\/li>\n<\/ul>\n<p align=\"justify\">When you use ASP.NET, the \u201cTemporary ASP.NET Files\u201d folder is used by the .NET Framework to store the compiled output of the pages served by the application. Depending on how the application is configured and used, this folder may generate a lot of write traffic. The resulting overhead could be reduced by excluding writes to this directory in the configuration of the antivirus solution.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>Default folder for x86 compiled ASP.Net Code : %WINDIR%\\Microsoft.NET\\Framework\\{version}\\Temporary ASP.NET Files<\/em><\/strong><\/li>\n<li><strong><em>Default folder for x64 compiled ASP.Net Code : %WINDIR%\\Microsoft.NET\\Framework64\\{version}\\Temporary ASP.NET Files<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>\n<div align=\"justify\"><b>Temporary ASP Files<\/b><\/div>\n<\/li>\n<\/ul>\n<p align=\"justify\">When using classic ASP code (vs. .Net), the \u201cASP Compiled Templates\u201d directory is used to store the compiled pages served by the application. Depending on how the application is configured and used, this folder may generate a lot of write traffic. 
The resulting overhead could be reduced by excluding writes to this directory in the configuration of the antivirus solution.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%SYSTEMDRIVE%\\Inetpub\\temp\\ASP Compiled Templates<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>IIS binaries installation directories<\/strong><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>The IIS binaries are located in the following two directories:<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><em><strong>64-bit binaries : %WINDIR%\\System32\\Inetsrv<br \/>\n<\/strong><\/em><\/li>\n<li><em><strong>32-bit binaries : %WINDIR%\\SysWOW64\\Inetsrv<\/strong><\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>\u00a0<\/strong><\/p>\n<ul>\n<li><strong>IIS Configuration Directory <\/strong><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p align=\"justify\">IIS 7+ uses an XML-based configuration system to store IIS settings, which replaces the metabase used in IIS 6.0 and earlier. This new configuration system was introduced with ASP.NET and is based on a hierarchical management system that uses *.config files. The configuration files for IIS 7 and later are located in your %WinDir%\\System32\\Inetsrv\\Config folder.<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%WINDIR%\\System32\\Inetsrv\\Config<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Schema for the IIS Configuration <\/strong><\/li>\n<\/ul>\n<p>The IIS settings schema is the basis of the IIS 7.0 configuration. 
Most of the metabase properties you used in previous versions of IIS have been converted into elements or attributes in the schema.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%WINDIR%\\System32\\Inetsrv\\Config\\Schema<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Content location (default) <\/strong><\/li>\n<\/ul>\n<p align=\"justify\">By default, the content of your sites is stored in the directory below (it is also recommended to put it on a dedicated disk, partition or LUN)<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%SYSTEMDRIVE%\\Inetpub\\WWWRoot<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Default History Location<br \/>\n<\/strong><\/li>\n<\/ul>\n<p align=\"justify\">This folder keeps a running history of changes to your configuration files. This history is especially useful for recovering from mistakes made when manually editing your configuration files.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%SYSTEMDRIVE%\\Inetpub\\History<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Configuration backup location (default)<\/strong><\/li>\n<\/ul>\n<p align=\"justify\">Since IIS 7, you can create and manage backups of your configurations by using the Appcmd.exe tool. 
By default, these backups are stored in subdirectories of %SystemDrive%\\Inetpub\\History.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%WINDIR%\\System32\\Inetsrv\\backup<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Configuration isolation location (default)<\/strong><\/li>\n<\/ul>\n<p align=\"justify\">Application Pool isolation is a new feature that appeared with IIS7. A configuration file dedicated to each application pool is automatically created when each Application Pool starts. The default location of these files is:<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%SYSTEMDRIVE%\\Inetpub\\temp\\appPools<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Error page directories (default)<\/strong><\/li>\n<\/ul>\n<p align=\"justify\">IIS7+ stores custom error pages in<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%SYSTEMDRIVE%\\Inetpub\\custerr<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"justify\"><strong>\u00a0<\/strong><\/p>\n<p><strong>Recommended reading<\/strong><\/p>\n<p><a href=\"https:\/\/support.microsoft.com\/fr-fr\/help\/822158\/virus-scanning-recommendations-for-enterprise-computers-that-are-runni\">Virus scanning recommendations for enterprise computers that are running supported versions of Windows<\/a><\/p>\n<p><a href=\"https:\/\/support.microsoft.com\/fr-fr\/help\/817442\/a-0-byte-file-may-be-returned-when-compression-is-enabled-on-a-server\">A 0-byte file may be returned when compression is enabled on a server that is running IIS<\/a><\/p>\n<p><a 
href=\"https:\/\/support.microsoft.com\/en-us\/help\/821749\/antivirus-software-may-cause-iis-to-stop-unexpectedly\">Antivirus software may cause IIS to stop unexpectedly<\/a><\/p>\n<hr \/>\n<div id=\"en-US\"><a href=\"#fr-FR\">French version<\/a><\/div>\n<div><\/div>\n<p>&nbsp;<\/p>\n<p>In the context of an IIS audit or <a href=\"http:\/\/go.microsoft.com\/fwlink\/?LinkID=393865\">IIS RaaS<\/a>, one of the verification points is the presence of an antivirus and, if applicable, its configuration. An antivirus can be a valuable ally in securing your server but can also be your worst enemy in terms of performance.<\/p>\n<p>An inappropriate configuration (often the default one) will significantly slow down your IIS server. I propose in this article to list some good practices and see the exclusions to set up to optimize your server. Of course all these recommendations must be put in context and discussed with your security team or <a href=\"https:\/\/en.wikipedia.org\/wiki\/Chief_information_security_officer\">CISO<\/a>.<\/p>\n<p>The locations specified here are the default locations (it is sometimes a best practice to use an alternate location: log files, web content \u2026)<\/p>\n<p align=\"justify\"><b>Anti-Virus Solution <\/b><\/p>\n<p align=\"justify\">Anti-Virus solutions can help in preventing malware from infecting web servers, and can also work in a detection and removal mode when appropriate. It is recommended to have an Anti-Virus solution on the production servers to regularly scan the content folders and the system in general, for any malware that might have made it on there. The anti-virus, when present, however, needs to be configured carefully so as to avoid adding unnecessary overhead to the system while protecting it. 
Not having an anti-virus solution at all, while potentially providing a performance benefit, can also make the web servers susceptible to unknown malware attacks.<\/p>\n<p align=\"justify\"><b>Real-time Scanning<\/b><\/p>\n<p align=\"justify\">Having the antivirus solution monitor the servers in real time provides constant protection of the web server from malformed content that might make it to the system by accident or intentionally. However, if and when this is enabled, it is recommended to configure it in a way that reduces the overhead associated with it on the servers.<\/p>\n<p align=\"justify\"><b>Read Operation Scan<\/b><\/p>\n<p align=\"justify\">When real-time scanning is enabled on the web server, care has to be taken to not add overhead to the system due to the scanning operations. One of the optimizations that can be done is to disable the scanning of reads. However, this leaves open the possibility that potentially harmful programs run from any removable disk drive attached to the system, and these would not be caught by the anti-virus program. It is recommended to not attach external devices to the servers to mitigate this problem.<\/p>\n<p align=\"justify\"><b>Write Operation Scan<\/b><\/p>\n<p align=\"justify\">One of the primary actions that can cause web servers to become vulnerable is the introduction of malware into the system, and that is usually accomplished by copying the infected content to the server. Having an anti-virus scan writes to the server in real time will help in protecting the server from such attack vectors (intended and unintended). 
Since writes do not happen frequently on the content folders and system folders, it is recommended to have this turned ON in those locations primarily to protect the server while reducing the overhead involved due to its usage.<\/p>\n<p align=\"justify\"><strong>Exclusions<\/strong><\/p>\n<ul>\n<li>\n<div align=\"justify\"><b>Worker processes<\/b><\/div>\n<\/li>\n<\/ul>\n<p>Your web content is served by the processes of the Application Pools. They are called worker processes (w3wp.exe). If you are confident in the content generated by your code you can add the binaries in the exclusions of your antivirus solution :<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>64-bit worker process : %SYSTEMROOT%\\system32\\inetsrv\\w3wp.exe<\/em><\/strong><\/li>\n<li><strong><em>32-bit worker process : <\/em><\/strong><strong><em>%SYSTEMROOT%\\SysWOW64\\inetsrv\\w3wp.exe<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>\n<div align=\"justify\"><b>Log Files<\/b><\/div>\n<\/li>\n<\/ul>\n<p align=\"justify\">One of the busiest folders on a web server from a write perspective is the log file folder for the applications and sites running on the server. 
Typically, these locations are recommended to be away from the system drive, so it is recommended to exclude these folders from real-time write scanning to prevent unnecessary overhead on the system while not potentially adding vulnerabilities to it.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>Default Logging Location : %SYSTEMDRIVE%\\Inetpub\\Logs\\LogFiles<\/em><\/strong><\/li>\n<li><strong><em>Default FREB Logging Location : %SYSTEMDRIVE%\\inetpub\\logs\\FailedReqLogFiles<\/em><\/strong><\/li>\n<li><strong><em>Default HTTP.SYS Logging Location : %WINDIR%\\System32\\LogFiles\\HTTPERR<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>\n<div align=\"justify\"><b>Temporary Compressed Files<\/b><\/div>\n<\/li>\n<\/ul>\n<p align=\"justify\">IIS Temporary Compressed Files folder on the web server is constantly being written to by the worker process in the process of serving static content. System overhead can be reduced if write actions into this folder are not constantly scanned by the anti-virus solution, especially on a busy system.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%SYSTEMDRIVE%\\Inetpub\\temp\\IIS Temporary Compressed Files<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p align=\"justify\"><strong>\u00a0<\/strong><\/p>\n<ul>\n<li>\n<div align=\"justify\"><strong>Temporary ASP.NET Files<\/strong><\/div>\n<\/li>\n<\/ul>\n<p align=\"justify\">When using ASP.NET, the Temporary ASP.NET Files folder is used by the .NET Framework to store the compiled output of the pages that are being served by the application. 
Depending on how the application is configured, and the usage of the application, this folder would potentially see a lot of write traffic, and it would lessen the overhead on the system if the write actions to this folder are not scanned in real-time by the anti-virus solution.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>Default folder for x86 compiled ASP.Net Code : %WINDIR%\\Microsoft.NET\\Framework\\{version}\\Temporary ASP.NET Files<\/em><\/strong><\/li>\n<li><strong><em>Default folder for x64 compiled ASP.Net Code : %WINDIR%\\Microsoft.NET\\Framework64\\{version}\\Temporary ASP.NET Files<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>\n<div align=\"justify\"><b>Temporary ASP Files<\/b><\/div>\n<\/li>\n<\/ul>\n<p align=\"justify\">When using classic ASP, the ASP Compiled Templates folder is used to store the compiled output of the pages that are being served by the application. Depending on how the application is configured, and the usage of the application, this folder would potentially see a lot of write traffic, and it would lessen the overhead on the system if the write actions to this folder are not scanned in real-time by the anti-virus solution.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%SYSTEMDRIVE%\\Inetpub\\temp\\ASP Compiled Templates<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>IIS binaries Installation Folder<\/strong><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>All IIS binaries are located in two folders<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><em><strong>64-bit binaries : %WINDIR%\\System32\\Inetsrv<br \/>\n<\/strong><\/em><\/li>\n<li><em><strong>32-bit binaries : %WINDIR%\\SysWOW64\\Inetsrv<\/strong><\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>\u00a0<\/strong><\/p>\n<ul>\n<li><strong>IIS Configuration Folder<\/strong><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p align=\"justify\">Internet Information Services (IIS) 7 and 
later use an XML-based configuration system for storing IIS settings, which replaces the metabase that was used in IIS 6.0 and earlier. This new configuration system was introduced with ASP.NET and is based on a hierarchical management system that uses *.config files. The configuration files for IIS 7 and later are located in your %<em>WinDir<\/em>%\\System32\\Inetsrv\\Config folder.<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%WINDIR%\\System32\\Inetsrv\\Config<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Schema for the IIS Configuration<\/strong><\/li>\n<\/ul>\n<p>The IIS settings schema provides the basis for IIS 7.0 configuration. Most of the metabase properties you used in previous versions of IIS have been converted into elements or attributes in the schema.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%WINDIR%\\System32\\Inetsrv\\Config\\Schema<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Default Content Location<\/strong><\/li>\n<\/ul>\n<p align=\"justify\">By default the web content is stored in the listed folder (it is a best practice to use a dedicated disk\/partition\/LUN to host the web content)<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%SYSTEMDRIVE%\\Inetpub\\WWWRoot<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Default History Location<br \/>\n<\/strong><\/li>\n<\/ul>\n<p align=\"justify\">This folder keeps a running history of changes to your configuration files. 
This history is especially useful for recovering from mistakes made when manually editing your configuration files.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%SYSTEMDRIVE%\\Inetpub\\History<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Default Backup Location<\/strong><\/li>\n<\/ul>\n<p align=\"justify\">In IIS 7+, you can create and manage configuration backups by using the Appcmd.exe tool. By default, the configuration backups that you create by using the Appcmd.exe tool are located in subfolders in the %SystemDrive%\\Inetpub\\History directory.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%WINDIR%\\System32\\Inetsrv\\backup<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Default Configuration Isolation Path<\/strong><\/li>\n<\/ul>\n<p align=\"justify\">AppPool isolation is a new feature in IIS7. A dedicated AppPool configuration file gets automatically created before a new Application Pool is started. 
The default location of these files is<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%SYSTEMDRIVE%\\Inetpub\\temp\\appPools<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>Default Folder for Error pages<\/strong><\/li>\n<\/ul>\n<p align=\"justify\">IIS7+ stores Custom Error Pages in<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong><em>%SYSTEMDRIVE%\\Inetpub\\custerr<\/em><\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>\u00a0<\/strong><\/p>\n<p><strong>Recommended Reading<\/strong><\/p>\n<p><a href=\"http:\/\/support.microsoft.com\/kb\/822158\">Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows<\/a><\/p>\n<p><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/817442\/a-0-byte-file-may-be-returned-when-compression-is-enabled-on-a-server\">A 0-byte file may be returned when compression is enabled on a server that is running IIS<\/a><\/p>\n<p><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/821749\/antivirus-software-may-cause-iis-to-stop-unexpectedly\">Antivirus software may cause IIS to stop unexpectedly<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>Laurent.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>English version In the context of an IIS audit or an IIS RaaS, one of the verification points is the presence of an antivirus and, where 
[&#8230;]<\/p>\n","protected":false},"author":2,"featured_media":2465,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,12],"tags":[21,25,41,42],"class_list":["post-2235","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-iis","category-securite-security","tag-antivirus","tag-iis","tag-securite","tag-security"],"_links":{"self":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2235","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/comments?post=2235"}],"version-history":[{"count":3,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2235\/revisions"}],"predecessor-version":[{"id":3046,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/2235\/revisions\/3046"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/media\/2465"}],"wp:attachment":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/media?parent=2235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/categories?post=2235"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/tags?post=2235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}