Gregecslo, posted February 1, 2022

Hi all. We have 2 Exchange servers in a DAG, both fully patched. Right now ESET reported a webshell:

File Hash: 176B18F137BE7D629CBBAA59615FDB926731EF0C
Name: ASP/Webshell.FF
Detection Type: Trojan
Object type: File
Uniform Resource Identifier (URI): file:///C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/errorFE.aspx
User: NT AUTHORITY\SYSTEM
Scanner: Real-time file system protection
Detection engine version: 24716 (20220201)
Current engine version: 24716 (20220201)

SECOND server:

File Hash: 176B18F137BE7D629CBBAA59615FDB926731EF0C
Name: ASP/Webshell.FF
Detection Type: Trojan
Object type: File
Uniform Resource Identifier (URI): file:///C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/errorFE.aspx
User: NT AUTHORITY\SYSTEM
Scanner: Real-time file system protection
Detection engine version: 24716 (20220201)
Current engine version: 24716 (20220201)
Marcos (Administrator), posted February 1, 2022

The file is no longer detected; the detection was removed. Since these webshell detections are more prone to FPs, I assume this was an FP as well.
Gregecslo (author), posted February 1, 2022

Still detecting it.
Gregecslo (author), posted February 1, 2022

File is: https://www.virustotal.com/gui/file/04be76217500275335e82eb4c2c1588478f7a171efd7a0d9bdc6bbe83e315589/detection
Gregecslo (author), posted February 1, 2022

8 minutes ago, Marcos said:
> I assume this was an FP as well.

Can we get confirmation that it was 100% FP?
CraigFisher, posted February 1, 2022

We've just had the errorFE.aspx file removed by ESET on two Exchange 2016 servers as ASP/Webshell.FF too... Signatures are up to date as of 2022-02-01 18:20 GMT.
Gregecslo (author), posted February 1, 2022

Definitely FP... 24717 does NOT detect it anymore.