Exchange detection

[Gregecslo 8]

Hi all.

We have 2 exchange servers in DAG, both fully patched.

Right now ESET reported webshell:

File

Hash

176B18F137BE7D629CBBAA59615FDB926731EF0C

Name

ASP/Webshell.FF

Detection Type

Trojan

Object type

File

Uniform Resource Identifier (URI)

file:///C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/errorFE.aspx

User

NT AUTHORITY\SYSTEM

Scan

Scanner

Real-time file system protection

Detection engine version

24716 (20220201)

Current engine version

24716 (20220201)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

SECOND Server

 

File

Hash

176B18F137BE7D629CBBAA59615FDB926731EF0C

Name

ASP/Webshell.FF

Detection Type

Trojan

Object type

File

Uniform Resource Identifier (URI)

file:///C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/errorFE.aspx

Process name

User

NT AUTHORITY\SYSTEM

Scan

Scanner

Real-time file system protection

Detection engine version

24716 (20220201)

Current engine version

24716 (20220201)

[Marcos 5,070]

The file is no longer detected, the detection was removed. Since these Webshell detections are more prone to FPs, I assume this was FP as well.

[Gregecslo 8]

Still detecting it
 

[Gregecslo 8]

File is: https://www.virustotal.com/gui/file/04be76217500275335e82eb4c2c1588478f7a171efd7a0d9bdc6bbe83e315589/detection

[Gregecslo 8]

8 minutes ago, Marcos said:

 I assume this was FP as well.

Can we get confirmation that it was 100% FP?

[CraigFisher 0]

We've just had the errorFE.aspx file removed by ESET on two exchange 2016 servers as ASP/Webshell.FF too....  Signatures are up to date as of 2022-02-01 18:20 GMT

[Gregecslo 8]

Definitely FP...

24717 does NOT detect it anymore.