Gregecslo 8 Posted February 1, 2022

Hi all. We have 2 Exchange servers in DAG, both fully patched. Right now ESET reported webshell:

File Hash: 176B18F137BE7D629CBBAA59615FDB926731EF0C
Name: ASP/Webshell.FF
Detection Type: Trojan
Object type: File
Uniform Resource Identifier (URI): file:///C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/errorFE.aspx
User: NT AUTHORITY\SYSTEM
Scan Scanner: Real-time file system protection
Detection engine version: 24716 (20220201)
Current engine version: 24716 (20220201)

SECOND Server

File Hash: 176B18F137BE7D629CBBAA59615FDB926731EF0C
Name: ASP/Webshell.FF
Detection Type: Trojan
Object type: File
Uniform Resource Identifier (URI): file:///C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/errorFE.aspx
Process name:
User: NT AUTHORITY\SYSTEM
Scan Scanner: Real-time file system protection
Detection engine version: 24716 (20220201)
Current engine version: 24716 (20220201)

Administrators Marcos 5,443 Posted February 1, 2022

The file is no longer detected, the detection was removed. Since these Webshell detections are more prone to FPs, I assume this was FP as well.

Gregecslo 8 Author Posted February 1, 2022

File is: https://www.virustotal.com/gui/file/04be76217500275335e82eb4c2c1588478f7a171efd7a0d9bdc6bbe83e315589/detection

Gregecslo 8 Author Posted February 1, 2022

8 minutes ago, Marcos said: "I assume this was FP as well."

Can we get confirmation that it was 100% FP?

CraigFisher 0 Posted February 1, 2022

We've just had the errorFE.aspx file removed by ESET on two Exchange 2016 servers as ASP/Webshell.FF too... Signatures are up to date as of 2022-02-01 18:20 GMT.

Gregecslo 8 Author Posted February 1, 2022

Definitely FP... 24717 does NOT detect it anymore.