I have an Exchange server 2019 wich have not been correctly patched since one month ago; it had Sophos Advanced Endopoint installed allready + Sophos Firewall Intercept X in front (protected by WAF - no DNAT)
I started questioning my self as soon as I noticed some notifications about Sophos deliting some "CXmal/WebAgnt-A" in www/inetpub folders
Searching around I saw that these might be related to ProxyShell vulnerabilities, this server wasn't correctly patch with last cumulative updates so I did everything it needed...
Then I made a quite deep search with Micrisoft Scripts (TestProxylogon + others found here https://github.com/microsoft/CSS-Exchange/tree/main/Security ) and nothing came out so I thought I should be relaxed that this server has not been compromised...
...but then Sophos keeps intercepting this "CXmal/WebAgnt-A" so, my question is: is it normal that I see these notifications? in other words Sophos is doing it's job so there is nothing to worry about?
or may I have to watch something else in this EX server that I didn't realize with those scripts?
Thanks in advance.