Posted

Hi all.

We have 2 Exchange servers in a DAG, both fully patched.

Right now ESET reported a webshell:

File
  Hash: 176B18F137BE7D629CBBAA59615FDB926731EF0C
  Name: ASP/Webshell.FF
  Detection Type: Trojan
  Object type: File
  Uniform Resource Identifier (URI): file:///C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/errorFE.aspx
  User: NT AUTHORITY\SYSTEM
Scan
  Scanner: Real-time file system protection
  Detection engine version: 24716 (20220201)
  Current engine version: 24716 (20220201)

SECOND Server

File
  Hash: 176B18F137BE7D629CBBAA59615FDB926731EF0C
  Name: ASP/Webshell.FF
  Detection Type: Trojan
  Object type: File
  Uniform Resource Identifier (URI): file:///C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/errorFE.aspx
  Process name:
  User: NT AUTHORITY\SYSTEM
Scan
  Scanner: Real-time file system protection
  Detection engine version: 24716 (20220201)
  Current engine version: 24716 (20220201)

  • Administrators
Posted

The file is no longer detected; the detection was removed. Since these Webshell detections are more prone to FPs, I assume this was FP as well.

Posted
8 minutes ago, Marcos said:

 I assume this was FP as well.

Can we get confirmation that it was 100% FP?

Posted

We've just had the errorFE.aspx file removed by ESET on two Exchange 2016 servers as ASP/Webshell.FF too... Signatures are up to date as of 2022-02-01 18:20 GMT.

Posted

Definitely FP...

24717 does NOT detect it anymore.
 
