rgoldman 2 Posted January 17, 2022 Share Posted January 17, 2022 Getting alerts today on some of these (Exchange server): Object URI: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/Temporary ASP.NET Files/owa/8e05b027/e164d61b/App_Web_oierlfno.dll Severity: Warning Detection Type: Trojan Detection Name: MSIL/Webshell.BY Object Type: File Action Performed: Cleaned by deleting Anyone know if this could be legit or false positive? Thanks russell_t 1 Link to comment Share on other sites More sharing options...
russell_t 2 Posted January 18, 2022 Share Posted January 18, 2022 I'm also just now seeing this on the same APP_Web_%random%.dll files on multiple Exchange 2016 servers that have no open HTTPS to the internet and the file date from months and months ago... Also briefly checked the strings of the file and I don't see anything obvious or any other drops in the same folder as would be expected. I've reported the file to samples@eset.com as a possible False Positive but it would be great to have someone from Support confirm this issue. Thanks Link to comment Share on other sites More sharing options...
alterschwede 0 Posted January 18, 2022 Share Posted January 18, 2022 9 hours ago, rgoldman said: Getting alerts today on some of these (Exchange server): Object URI: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/Temporary ASP.NET Files/owa/8e05b027/e164d61b/App_Web_oierlfno.dll Severity: Warning Detection Type: Trojan Detection Name: MSIL/Webshell.BY Object Type: File Action Performed: Cleaned by deleting Anyone know if this could be legit or false positive? Thanks Same question: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa\8e05b027\e164d61b\App_Web_n01xcmt3.dll - eine Variante von MSIL/Webshell.BY Trojaner - durch Löschen gesäubert Link to comment Share on other sites More sharing options...
Administrators Marcos 5,069 Posted January 18, 2022 Administrators Share Posted January 18, 2022 Appears that the detection was pulled for a review a couple of hours ago. Link to comment Share on other sites More sharing options...
jboddy 0 Posted January 18, 2022 Share Posted January 18, 2022 I got this last night and I guess it is related: 18/01/2022 00:33:25; Real-time file system protection C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa\8e05b027\e164d61b\App_Web_juze3jwd.dll;a variant of MSIL/Webshell.BY trojan;cleaned by deleting;NT AUTHORITY\SYSTEM;Event occurred during an attempt to access the file by the application: C:\Windows\System32\inetsrv\w3wp.exe (54443C275EDDD9BBE75C6D47CF9C24076B5D785C).;5971F579EDDD90CA4A80DC99DFD29B329D7B9360;12/01/2022 21:49:10 Link to comment Share on other sites More sharing options...
VoNovo 0 Posted January 18, 2022 Share Posted January 18, 2022 (edited) I'm also getting this on some EX2013/CU23 and EX2019/CU11, all patched with SU 01/2022 (and Mail Security 8.0). In addition, two servers have the same detection in c:\windows\temp (?!!), all within the last 18 hours. Getting a bit nervous... If anyone got news, I'mlooking forward to hear about this... Thanks! Edited January 18, 2022 by VoNovo Link to comment Share on other sites More sharing options...
Administrators Marcos 5,069 Posted January 18, 2022 Administrators Share Posted January 18, 2022 The detection has been already re-enabled today and now should detected only actually malicious files. russell_t and Aryeh Goretsky 2 Link to comment Share on other sites More sharing options...
russell_t 2 Posted January 18, 2022 Share Posted January 18, 2022 I also received this response from samples@eset.sk: Thank you for your submission. It was a false positive of our scanner and this issue is fixed in current version of detection engine. Regards, ESET Malware Response Team rgoldman 1 Link to comment Share on other sites More sharing options...
Recommended Posts