CXmal/WebAgnt-A continuously intercepted by Sophos on Exchange Server - Have I been hacked?

Hi,

I have an Exchange server 2019 which has not been correctly patched for about a month; it already had Sophos Advanced Endpoint installed + Sophos Firewall Intercept X in front (protected by WAF - no DNAT)

I started questioning myself as soon as I noticed some notifications about Sophos deleting some "CXmal/WebAgnt-A" in www/inetpub folders

Searching around I saw that these might be related to ProxyShell vulnerabilities; this server wasn't correctly patched with the latest cumulative updates, so I did everything it needed...

Then I made a quite deep search with Microsoft scripts (TestProxylogon + others found here https://github.com/microsoft/CSS-Exchange/tree/main/Security ) and nothing came out, so I thought I could relax, as this server had not been compromised...

...but then Sophos keeps intercepting this "CXmal/WebAgnt-A", so my question is: is it normal that I see these notifications? In other words, Sophos is doing its job so there is nothing to worry about?

Or do I have to watch for something else on this EX server that I didn't catch with those scripts?

Thanks in advance.

  • is it normal that I see these notifications?  No.
    in other words Sophos is doing its job so there is nothing to worry about? Sophos is doing its job, but these detections come from files that must come from somewhere, so you need to worry about that.

    “First things first, but not necessarily in that order” – Doctor Who

  • So you might want to check all startup items for traces of persistence, and/or find out what process is writing those files, and go from there.

    “First things first, but not necessarily in that order” – Doctor Who
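The two checks suggested in the reply above, as an added example that is not from the thread, from Sophos or from Microsoft: a PowerShell triage script that lists recently created script-type files under the web roots, dumps the usual persistence locations (Run keys, scheduled tasks, service binary paths), and turns on file-system write auditing so the Security log (event 4663) records which process drops the next file. The Exchange FrontEnd path and the 30-day look-back window are assumptions based on a default install; adjust them for the server in question.

```powershell
# Added triage example (not from the thread). Run in an elevated PowerShell on the
# Exchange server. Paths and the look-back window are assumptions for a default install.
param(
    [string[]]$WebRoots = @(
        'C:\inetpub\wwwroot',
        'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy'
    ),
    [int]$Days = 30
)

$since = (Get-Date).AddDays(-$Days)

# --- 1. Web content written recently -------------------------------------------
# A cumulative update touches many files within the same minute; a lone .aspx with an
# unfamiliar name and its own timestamp is the one to inspect (and to preserve a copy of
# before it is quarantined, so the detection can be traced back to its source).
Write-Host "== Script-type files under web roots created or modified since $since =="
foreach ($root in $WebRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.asmx, *.ashx, *.asp, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
        Sort-Object CreationTime -Descending |
        Select-Object CreationTime, LastWriteTime, Length, FullName |
        Format-Table -AutoSize
}

# --- 2. Persistence locations ----------------------------------------------------
Write-Host "== Run / RunOnce keys =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Write-Host $key
        Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS* | Format-List
    }
}

Write-Host "== Scheduled tasks outside the \Microsoft\ tree =="
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    [pscustomobject]@{
        Task   = $_.TaskPath + $_.TaskName
        State  = $_.State
        Author = $_.Author
        Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
} | Format-Table -AutoSize

Write-Host "== Services whose binary is not under C:\Windows or C:\Program Files =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?C:\\(Windows|Program Files)' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# --- 3. Find out which process writes the files ---------------------------------
# Enable the "File System" audit subcategory and add a success-audit SACL for file
# creation/appends on each web root. From then on, every new file there produces
# Security event 4663 that names the writing process: w3wp.exe means it arrived through
# IIS itself, anything else points at a separate foothold on the box.
auditpol /set /subcategory:"File System" /success:enable | Out-Null
foreach ($root in $WebRoots) {
    if (-not (Test-Path $root)) { continue }
    $acl  = Get-Acl -Path $root -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'CreateFiles, AppendData',
        'ContainerInherit, ObjectInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $root -AclObject $acl
}

# Show any 4663 events already recorded against the web roots, with the responsible process.
Write-Host "== Security 4663 (file write) events touching the web roots =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Object = $d.ObjectName; Process = $d.ProcessName; User = $d.SubjectUserName }
    } |
    Where-Object { $o = $_.Object; $WebRoots | Where-Object { $o -like "$_*" } } |
    Format-Table -AutoSize
```

Section 3 is the part that answers "where do these files come from": once the SACL is in place, the next detection can be matched by timestamp to a 4663 event whose ProcessName tells you whether the file was written by the IIS worker process (the web tier is still the ingress, so the patch level and any leftover IIS modules or virtual directories need review) or by something already running on the host (which is what the startup and service listings in section 2 are there to surface). If Sysmon is deployed, its FileCreate event (ID 11) gives the same process-to-file linkage without touching the SACLs.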