Endpoint Protection


 System Infected: Trojan.Trickybot Activity 15

Deborah Lane-Olson posted Jun 11, 2021 10:28 AM
I have four of these Intrusion events showing in the SEP security log on my Exchange server, 2 on 6/8 and 2 on 6/10. The full description is:

[SID: 32350] System Infected: Trojan.Trickybot Activity 15 attack blocked. Traffic has been blocked for this application: SYSTEM

The direction field shows "Outgoing."  This server does a full scan every night and virus definitions are current.

I checked the aspnet_client folder and there are no rogue files found there. I'm also seeing numerous Information items in the SEP System log like this:

[SONAR detection Submission] File submitted to Symantec. File : 'c:\windows\system32\wscript.exe', Size (bytes): 5855.

I'm stumped as to whether this server is infected or not. What do I need to do?

Thanks,
Deb
vasilisk
Have you patched your exchange servers? Did you scan for webshell infection? You may also use the Exchange On-premises Mitigation Tool (EOMT) and identify if your exchange servers are affected and also mitigate if not patched.

Vasilis
Deborah Lane-Olson
I've run the MSET.exe security scanner on three different servers that were all showing these errors. All of them came up clean, no infected files. And yet, they all show another incident overnight in the security log:

[SID: 31954] System Infected: Trojan.Activity 100 attack blocked. Traffic has been blocked for this application: SYSTEM

Can anyone explain/help me understand what's going on here?

Thanks,
Deb