Robbb

MSIL/Webshell.C False Detection on Exchange 2010 Servers


We have been receiving false positives from a dynamic .dll generated by Exchange/IIS for OWA on detection engine 20199. It is occurring on different OSes (2008 R2, SBS2011, 2012), with the common denominator being Exchange 2010 with OWA.

Threat type: trojan
Threat name: MSIL/Webshell.C
Computer name: server.domain.local
Logged user:

Object: file:///C:/Windows/Microsoft.NET/Framework64/v2.0.50727/Temporary ASP.NET Files/owa/c60e4757/114626a/App_Web_yvgyrxbc.dll

This file is generated on the fly when accessing OWA.

We rolled back to the latest snapshot of the detection engine until this is resolved. Is ESET aware of this issue? Any further info we can provide?

 

See this SpiceWorks thread for more reports:

https://community.spiceworks.com/topic/2237907-threat-found-in-event-viewer-shutting-off-access-to-exchange-via-deletion?page=1#entry-8609072

Edited by Robbb
URL. Then a typo.
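A triage helper for the alert block quoted above, added here as an example; it is not ESET's code nor anything from the thread. It parses the "Threat type / Threat name / Object" fields, normalises the file:/// URI to a Windows path, and holds hits on a freshly compiled ASP.NET page assembly (the Temporary ASP.NET Files location OWA compiles into) for a human instead of auto-deleting them, which is what took Exchange down here. The engine version numbers 20199 and 20200 and the path regex are taken from this thread and from how ASP.NET dynamic compilation lays out its directories; the sample alert is constructed from the one quoted above.

```python
"""Triage helper for the alert format quoted in this thread (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlparse

# Engine version reported in this thread as producing the false positive,
# and the version the thread says fixed it (thread-sourced, not vendor-confirmed).
KNOWN_FP_ENGINE = 20199
FIXED_ENGINE = 20200

# Shape of an ASP.NET dynamically compiled page assembly: the two hex directory
# levels are the per-application hash directories ASP.NET creates, and App_Web_*
# is the prefix it gives compiled page assemblies.
ASPNET_TEMP_DLL = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[0-9.]+\\"
    r"temporary asp\.net files\\(?P<app>[^\\]+)\\[0-9a-f]+\\[0-9a-f]+\\"
    r"app_web_[a-z0-9_]+\.dll$",
    re.IGNORECASE,
)

# Constructed sample, modelled on the entry quoted in the opening post.
SAMPLE_ALERT = """Threat type: trojan
Threat name: MSIL/Webshell.C
Computer name: server.domain.local
Logged user:

Object: file:///C:/Windows/Microsoft.NET/Framework64/v2.0.50727/Temporary ASP.NET Files/owa/c60e4757/114626a/App_Web_yvgyrxbc.dll
"""


@dataclass
class Alert:
    threat_type: str
    threat_name: str
    computer: str
    user: str
    path: str  # normalised Windows path


def normalize_object(obj: str) -> str:
    """Turn 'file:///C:/x/y.dll' or 'C:/x/y.dll' into 'C:\\x\\y.dll'."""
    if obj.lower().startswith("file:"):
        obj = unquote(urlparse(obj).path).lstrip("/")
    return obj.replace("/", "\\")


def parse_alert(text: str) -> Alert:
    """Parse the 'Key: value' lines of one alert; blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return Alert(
        threat_type=fields.get("threat type", ""),
        threat_name=fields.get("threat name", ""),
        computer=fields.get("computer name", ""),
        user=fields.get("logged user", ""),
        path=normalize_object(fields.get("object", "")),
    )


def triage(alert: Alert, engine_version: int) -> str:
    """Return 'action', 'hold-for-review' or 'hold-known-fp'.

    A webshell hit on a freshly compiled ASP.NET assembly is the shape of this
    thread's false positive, but it is also where a page dropped into the OWA
    virtual directory would land after compilation, so the path never clears
    the alert by itself; it only stops automatic deletion and routes the hit
    to a person who can check the engine version and the source .aspx files.
    """
    if not ASPNET_TEMP_DLL.match(alert.path):
        return "action"
    if engine_version == KNOWN_FP_ENGINE and alert.threat_name == "MSIL/Webshell.C":
        return "hold-known-fp"
    return "hold-for-review"


def app_name(alert: Alert) -> str:
    """Application directory under Temporary ASP.NET Files (e.g. 'owa'), or ''."""
    m = ASPNET_TEMP_DLL.match(alert.path)
    return m.group("app") if m else ""


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(app_name(alert), triage(alert, KNOWN_FP_ENGINE))
```

Run against the sample this reports `owa hold-known-fp`; the same path on engine 20200 comes back as `hold-for-review`, and any object outside the Temporary ASP.NET Files tree is passed through for normal handling.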


Thanks for posting this here as well, came here first and didn't see a peep, can also confirm this is happening on multiple Exchange 2010 servers. Thanks for the spiceworks link!

1 minute ago, russell_t said:

Thanks for posting this here as well, came here first and didn't see a peep, can also confirm this is happening on multiple Exchange 2010 servers. Thanks for the spiceworks link!

No worries. I believe someone else on that SW thread has opened a ticket with ESET, so hopefully they're working on it. I figured putting it here, where admins go first, would give some visibility. We're an MSP and found this issue on multiple servers - but not all Exchange 2010 servers - with no correlation between OS and Exchange version - e.g. we have one 2012/Exchange 2010 server with the false alert, and another without, even running the same version of Mail Security and the same v20199 detection engine.


It was a false positive of a detection from April. It's been already fixed.


I think some regression error is going on. Did you see the date on the spiceworks thread? And the fact that getting off detection engine v20199 resolves it. When was 20199 released?


Looks like it's been fixed in 20200.

Thanks,


Cool, I'll boot it back up and update now. This was a pretty bad one since it borked out Exchange... I can kind of see how it could be missed, as without triggering the recompile of the OWA dlls it could be hard to catch in automation, but it would be appreciated if that's figured out before the next panic attack.
