LukiD (Members, 2 posts, Location: Poland)
  1. Hi, I've found the source of the alerts. We have Windows Defender Advanced Threat Protection enabled on this server, and I discovered that this solution runs various PowerShell scripts to scan for possible vulnerabilities, among others JAVA/Exploit.CVE-2021-44228. I correlated the running of one of these scripts with the alert timestamps. Once I found which script could cause the alert, I copied it from its original location (which is not accessible for admin accounts) and analyzed its content. The line which caused the alerts is:

         Scan-CVE-2021-44228 -LocalIP $null -RemoteIP "127.0.0.1" -RemoteMac $null

     Interesting questions remain: what about the rest of the ATP scripts, why do they not cause alerts, and what about our other machines secured by ESET Server Secure? I'm almost sure that they should have the same ATP configuration as our EPS server. I will investigate it and let you know if the result is interesting. Bye

     Attachment: ATP scripts events.txt
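     The correlation described in the post above, as an added example that is not part of the original post or of any ESET or Microsoft tooling: it reads PowerShell script block logging events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and lists the script blocks logged within a short window around each ESET alert timestamp, flagging those that reference the scanner function named in the post. It assumes script block logging is enabled on the host; the alert timestamps are constructed placeholders.

```powershell
# Added example (not from the forum post): correlate ESET alert timestamps with
# PowerShell script block logging (Event ID 4104) to find which script ran at
# the time of each alert. Assumes script block logging is enabled on the host.

# Constructed sample: alert timestamps as displayed in the ESET PROTECT console
# (local time). Replace with the real ones from the console.
$alertTimes = @(
    [datetime]'2023-01-10 02:15:07',
    [datetime]'2023-01-12 02:15:11'
)

# Tolerance window around each alert timestamp.
$window = New-TimeSpan -Minutes 2

# Bound the query to the span covered by the alerts (plus the window).
$sorted = $alertTimes | Sort-Object
$start  = $sorted[0]  - $window
$end    = $sorted[-1] + $window

# 4104 events carry the logged script block text in Properties[2] and the
# script path (if the block came from a file) in Properties[4].
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

foreach ($alert in $alertTimes) {
    $nearby = @($events | Where-Object {
        [math]::Abs(($_.TimeCreated - $alert).TotalSeconds) -le $window.TotalSeconds
    })
    Write-Host "Alert at $alert : $($nearby.Count) script block(s) logged within +/- $($window.TotalMinutes) min"

    $nearby | ForEach-Object {
        $text    = [string]$_.Properties[2].Value
        $path    = [string]$_.Properties[4].Value
        $compact = $text -replace '\s+', ' '
        [pscustomobject]@{
            TimeCreated  = $_.TimeCreated
            Path         = $path
            # Flag blocks that reference the scanner function named in the post.
            MentionsScan = ($text -match 'Scan-CVE-2021-44228')
            Preview      = $compact.Substring(0, [math]::Min(120, $compact.Length))
        }
    } | Format-Table -AutoSize
}
```

     Run it in an elevated PowerShell session on the server that raised the alerts. Rows with MentionsScan set to True and a Path under the Defender ATP scripts directory identify the scan as the trigger; if no 4104 events appear at all, script block logging is not enabled and the correlation has to be done from the PowerShell process start events instead.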
  2. Hi, We have Windows Server 2019 with ESET PROTECT Server (10.0.1128.0), ESET PROTECT Web Console (10.0.132.0), ESET Management Agent (10.0.1126.0) and ESET Rogue Detection Sensor (1.1.693.1) installed on it. There are no other applications which could use Log4j, and no other Apache or Tomcat based products. In the ESET PROTECT console I discovered 9 alerts in the last 10 days; all of them are detections of JAVA/Exploit.CVE-2021-44228 with the following details:

         Process name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Hash: 6CBCE4A295C163791B60FC23D285E6D84F28EE4C
         Source address: 127.0.0.1
         Source port:
         Target address: 127.0.0.1
         Target port:
         Inbound Communication: no
         Protocol: TCP
         Action: Blocked
         User: NT AUTHORITY\LOCAL SERVICE

     How should this alert be interpreted, and how can I stop it from occurring? Best regards