CXmal/WebAgnt-A continuously intercepted by Sophos on Exchange Server - Have I been hacked?


I have an Exchange server 2019 wich have not been correctly patched since one month ago; it had Sophos Advanced Endopoint installed allready + Sophos Firewall Intercept X in front (protected by WAF - no DNAT)

I started questioning my self as soon as I noticed some notifications about Sophos deliting some "CXmal/WebAgnt-A" in www/inetpub folders

Searching around I saw that these might be related to ProxyShell vulnerabilities, this server wasn't correctly patch with last cumulative updates so I did everything it needed...

Then I made a quite deep search with Micrisoft Scripts (TestProxylogon + others found here ) and nothing came out so I thought I should be relaxed that this server has not been compromised...

...but then Sophos keeps intercepting this "CXmal/WebAgnt-A" so, my question is: is it normal that I see these notifications? in other words Sophos is doing it's job so there is nothing to worry about?

or may I have to watch something else in this EX server that I didn't realize with those scripts?

Thanks in advance.

Edit tags
[edited by: GlennSen at 3:35 AM (GMT -7) on 4 Apr 2022]
Parents Reply
  • Hi Robert - we are having similar issues with those detections. Still I do not get the point out of your answer. You made a new install of sophos endpoint on those machines - Is this meant by "cleaning up" ? We also make use of VEEAM - Exchange 2k16 in our enviroment is an hyper-v vm. What is the connection to vss ?

    Thanks in advance