
Exchange detection



Hi all.

We have 2 Exchange servers in a DAG, both fully patched.

Right now ESET reported a webshell:

File
Hash: 176B18F137BE7D629CBBAA59615FDB926731EF0C
Name: ASP/Webshell.FF
Detection Type: Trojan
Object type: File
Uniform Resource Identifier (URI): file:///C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/errorFE.aspx
User: NT AUTHORITY\SYSTEM

Scan
Scanner: Real-time file system protection
Detection engine version: 24716 (20220201)
Current engine version: 24716 (20220201)

Second server:

File
Hash: 176B18F137BE7D629CBBAA59615FDB926731EF0C
Name: ASP/Webshell.FF
Detection Type: Trojan
Object type: File
Uniform Resource Identifier (URI): file:///C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/errorFE.aspx
Process name:
User: NT AUTHORITY\SYSTEM

Scan
Scanner: Real-time file system protection
Detection engine version: 24716 (20220201)
Current engine version: 24716 (20220201)


  • Administrators

The file is no longer detected; the detection was removed. Since these webshell detections are more prone to FPs, I assume this was an FP as well.


We've just had the errorFE.aspx file removed by ESET on two Exchange 2016 servers as ASP/Webshell.FF too... Signatures are up to date as of 2022-02-01 18:20 GMT.


This topic is now closed to further replies.