I have an Exchange Server 2019 which has not been correctly patched for about a month; it already had Sophos Advanced Endpoint installed, plus a Sophos Firewall (Intercept X) in front (protected by the WAF, no DNAT).
I started questioning myself as soon as I noticed some notifications about Sophos deleting some "CXmal/WebAgnt-A" in the www/inetpub folders.
Searching around, I saw that these might be related to the ProxyShell vulnerabilities; this server wasn't correctly patched with the last cumulative updates, so I did everything it needed...
Then I made a quite deep search with the Microsoft scripts (Test-ProxyLogon + others found here https://github.com/microsoft/CSS-Exchange/tree/main/Security ) and nothing came out, so I thought I could relax, since this server has not been compromised...
...but then Sophos keeps intercepting this "CXmal/WebAgnt-A", so my question is: is it normal that I see these notifications? In other words, Sophos is doing its job, so there is nothing to worry about?
Or do I have to watch something else on this EX server that I didn't catch with those scripts?
Thanks in advance.
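Added example, not part of any post in this thread: a short PowerShell hunt that covers the two things the original poster asks about beyond the CSS-Exchange scripts, namely what else to look at on the Exchange server itself. It lists recently written web-executable files under the IIS and Exchange front-end paths (the locations where the CXmal/WebAgnt-A detections were reported), reads the installed Exchange build so it can be compared against the current security update, and searches the IIS logs for the publicly documented ProxyShell request shape (an autodiscover.json request carrying an "@" in its query string, followed by /mapi/nspi or /powershell). The install paths, the log path and the 30-day window are assumptions based on a default Exchange 2019 install; adjust them to your server.

```powershell
# Added example (not from the thread): post-patch hunt on an Exchange 2019 server.
# Assumptions: default install paths, IIS logging enabled, run elevated on the Exchange server.
param(
    [int]$Days = 30   # look-back window; the poster's server was unpatched for about a month
)

$since = (Get-Date).AddDays(-$Days)

# 1. Web-executable files written recently under the paths the AV was flagging.
#    Webshells dropped via ProxyShell typically land below FrontEnd\HttpProxy or inetpub\wwwroot.
$webRoots = @(
    'C:\inetpub\wwwroot',
    'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy',
    'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess'
)
$webExt = '*.aspx', '*.ashx', '*.asmx', '*.asp', '*.php'

$recentWebFiles = foreach ($root in $webRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Include $webExt -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

# 2. Installed Exchange build. Compare this against the current SU on Microsoft's
#    Exchange build-number page; "patched" means the SU build, not only the CU.
#    Exchange setup adds its bin folder to PATH, so ExSetup.exe is normally resolvable.
$exsetup = Get-Command 'ExSetup.exe' -ErrorAction SilentlyContinue
$build = if ($exsetup) { $exsetup.FileVersionInfo.ProductVersion } else { 'ExSetup.exe not found on PATH' }

# 3. IIS logs: ProxyShell exploitation shows up as GETs/POSTs to /autodiscover/autodiscover.json
#    with an "@" in the query string (path-confusion trick), then requests reaching
#    /mapi/nspi or /powershell through the same front door.
$iisLogRoot = 'C:\inetpub\logs\LogFiles'
$proxyShellPattern = '/autodiscover/autodiscover\.json\?.*@.*(/mapi/nspi|/powershell|/ews/exchange\.asmx)'

$proxyShellHits = Get-ChildItem -Path $iisLogRoot -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Select-String -Pattern $proxyShellPattern |
    Select-Object Filename, LineNumber, Line

# 4. Report. Anything in the first or third list deserves a manual look; a recently
#    written .aspx below FrontEnd\HttpProxy\owa\auth is the classic webshell drop point.
"Exchange build      : $build"
"Look-back window    : since $since"
"Recent web files    : $(@($recentWebFiles).Count)"
$recentWebFiles | Format-Table -AutoSize
"ProxyShell log hits : $(@($proxyShellHits).Count)"
$proxyShellHits | Format-Table -AutoSize -Wrap
```

The script only reports; it deletes nothing, so it can be run repeatedly while comparing against what the endpoint product keeps quarantining. If the files it finds are ones the AV has already removed, check the creation time of their parent directory and the matching IIS log entries for the request that wrote them; an empty result from both lists plus a build equal to the current SU is the evidence the poster was looking for.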
"Is it normal that I see these notifications?" No. "In other words, Sophos is doing its job so there is nothing to worry about?" Sophos is doing its job, but these detections come from files that must come from…
Interesting, the Exchange server I'm looking at is also being backed up by VEEAM. Do you have any further details on what you did exactly regarding the shadow copy processes? What exactly do you mean by "cleaned" all the servers hosting VEEAM? Like running a scan on the server that is running the Veeam backup server? Thanks in advance.
Found the server and admin stations using VEEAM and installed the new version of Sophos, as we are moving from an older version, and so expedited the install on these servers. The problem went away after that, though Sophos did not find anything.
Hi Robert, we are having similar issues with those detections. Still, I do not get the point of your answer. You made a new install of Sophos Endpoint on those machines; is this what is meant by "cleaning up"? We also make use of VEEAM; Exchange 2k16 in our environment is a Hyper-V VM. What is the connection to VSS?
Thanks in advance
Did you ever resolve this issue? I am running into the same thing and am a bit lost.
Did you ever resolve this issue? I am running into the same thing.
So it is normal to see these occasionally pop up with Veeam at the moment. I ran the EOMT.ps1 script and my servers are patched; the script didn't find anything.