FTL

Not ESET related but thought id share with you what we use
Its an Exchange Rule as Marcos has said:
Apply this rule if:  sender is located "Outside the Organisation"
Do the following: Prepend the disclaimer
and fall back to action Ignore if the disclaimer can't be inserted.
<table border=0 cellspacing=0 cellpadding=0 align="left" width="100%"> <tr> <td style="background:#ff0505;padding:5pt 5pt 5pt 5pt"></td> <td width="100%" cellpadding="7px 6px 7px 15px" style="background:#fc5858;padding:5pt 4pt 5pt 12pt;word-wrap:break-word"> <div style="color:#ffffff;"> <span style="color:#fff; font-weight:bold;">Caution:</span> ENTER YOUR MESSAGE HERE </div> </td> </tr> </table> <br> <br> <br /> Mine has colours in but you can amend as you see fit

If somebody does POST request with malicious file inside POST request PHP will process it (execution is done in PHP TMP folder) and that is where detection comes from.
This also happens to me on server where nothing is installed but apache + php...
Deleted ESET, SAME post request came, no files were dropped (but file was naturally in PHP).
Problem would be if you find XXXX.php file which was dropped in webserver folder...

Something like this:
https://octobercms.com/forum/post/being-attacked-please-help?page=1#post-37387
 

Any news on this please Marcos?
9.1.2160 is still a real PITA with Outlook and shared mailboxes - makes them hang, crash, slow down to a complete crawl.
Still having to put some clients back to 9.0.2046 which is the last known good working version with Outlook
Thanks

The detection is correct, the only issue is that the source and target IP addresses are swapped in the log.