CXmal/WebAgnt-A continuously intercepted by Sophos on Exchange Server - Have I been hacked?

What does a sample path or two look like to a detected item?

It looks like this 'C:\inetpub\wwwroot\aspnet_client\aaoeu.aspx' (name of aspx is different every time. Up to now it happened reandomly and not under a "time schema" so it doesn't make me think about some bad service or exe in the exchange itself still runinng...

To give other people more infors, Yesterday I dedicated lot of time to every single row of Qoosh advice, I don0t have XDR service but I ran trhough all those queries and have found (and deleted) these:

<virtualDirectory path="/auth/部/hKMhI" physicalPath="C:\ProgramData\COM1\hKMhI" />
<virtualDirectory path="/auth/笔/dorkU" physicalPath="C:\ProgramData\WHO\dorkU" />

They seemed soem sort of "not genuine" configurations (they were in C:\Windows\System32\inetsrv\Config\applicationHost.config)

Since I have deleted them, no more interceptions by Sophos, but maybe it's just a coincidence.

If anybodyelse got other informations would be really appreciated

Regards

I am getting these detections for CXmal/WebAgnt-A occasionally as well and I also had  these strange  settings in the applicationhost.config file.    The directories do not exist so I can only think it never made it past the config stage.   I deleted them and will see if the detection happens again..

virtualDirectory path="/auth/部/hKMhI" physicalPath="C:\ProgramData\COM1\hKMhI" />
<virtualDirectory path="/auth/笔/dorkU" physicalPath="C:\ProgramData\WHO\dorkU" />

Hi Robert, since I have deleted those, no more notifications so far; I would be interested in knowing if it will be for You also... thanks

Hi Robert, since I have deleted those, no more notifications so far; I would be interested in knowing if it will be for You also... thanks

Now  I  get the CXmal/Webagnt-A    from a process on exchange c:\program files\microsoft\exchange server\v15\bin\msexchangemailboxreplication.exe   which is reading from a PST file someone created and writing a file to \\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\llplckqxnci.aspx  which is immediately detected as a Virus and deleted.   Looking at how this is happening now... I have used all the systools to verify files and check schedualed jobs ..   Could it be the user computer running some schedualed mailbox replication job that is creating this?    

Hey, do you have any update on your findings? I'm running into the same issues. Thanks.

I narrowed this down to Shadow copy process that our backup solution VEEAM uses to back this up... When I cleaned all the servers hosting VEEAM and the administrators PC ... This problem has gone away for now.

Interesting, the Exchange I'm looking at is also being backed up by VEEAM. Do you have any further details on what you did exactly regarding the Shadow copy processes? What exactly do you mean by "cleaned" all the servers hosting VEEAM? Like, run a scan on the server that is running the Veeam Backupserver? Thanks in advance.

Found the server and admin stations using VEEAM and installed the new version of Sophos as we are moving from an older version and so expedited the install on these servers.   Problem went away after that though Sophos did not find anything.

Hi Robert - we are having similar issues with those detections. Still I do not get the point out of your answer. You made a new install of sophos endpoint on those machines - Is this meant by "cleaning up" ? We also make use of VEEAM - Exchange 2k16 in our enviroment is an hyper-v vm. What is the connection to vss ?

Thanks in advance

regards 

Bernd

Did you ever resolve this issue? I am running into the same thing and am a bit lost.

Did you ever resolve this issue? I am running into the same thing.

So it is normal to see these occasionally pop up with veeam at the moment I ran the eomt.ps1 script and my servers are patched, the script didn't find anything