MSERT scan results says clean bill of health

Deen Uthman 41 Reputation points
2021-03-13T20:19:04.813+00:00

Hi all,
Just completed an MSERT scan on my Exchange 2013 server, and during the scan it was reporting that it had detected a number of infected files. However, once the scan completed, the MSERT scan report log file reported a clean bill of health on the server.

I'm assuming that what it was reporting during the scan were all false positives and the norm. Is this something others have experienced, or should I be worried?

Just started off another scan to see if it comes back with the same results.

Exchange | Exchange Server | Management

7 answers

  1. Andy David - MVP 158K Reputation points MVP Volunteer Moderator
    2021-03-14T12:40:29.627+00:00

    Be sure to purchase and use anti-malware protection on the Exchange Servers

    https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

    If you find any evidence of exploitation (e.g., in Exchange application logs), ensure you are retaining the logs, and use the details such as timestamps and source IPs to drive further investigation.

    If you find known bad files using your endpoint security solution, the Microsoft IOC feed, or the Microsoft Safety Scanner, take the following actions:

    - Remediate and quarantine them for further investigation unless they are expected customizations in your environment.
    - Search your IIS logs to identify whether or not the files identified as malicious have been accessed.
    - Consider submitting suspected malicious files to Microsoft for analysis following this guidance: Submit files for analysis by Microsoft – Windows security | Microsoft Learn, and include the string “ExchangeMarchCVE” in the Additional Information text box of the submission form.
    - As part of hunting and scanning, if you find evidence of exploitation of the Unified Messaging RCE (CVE-2021-26857), you should delete potential uncleaned exploit files in %ExchangeInstallPath%\UnifiedMessaging\voicemail

    If you find any evidence of external access to a suspect file identified above, use this information to drive further investigation on impacted servers and across your environment. Our blog post on the Hafnium attack goes into details for folks who need additional details for IOC’s, File Hashes, etc.: HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security

    If any of your security detections or the investigation tools results lead you to suspect that your Exchange servers have been compromised and an attacker has actively engaged in your environment, execute your Security Incident Response plans, and consider engaging experienced Incident Response assistance. It is particularly critical if you suspect that your Exchange environment is compromised by a persistent adversary that you coordinate your response using alternative communications channels as mentioned earlier in this document.

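As an added example (not from this thread, and not Microsoft's tooling), here is a small Python script for the "search your IIS logs" step in the answer above. It parses W3C-format IIS log lines, takes the file names a scanner such as MSERT flagged (Windows paths or bare names), and reports every request that reached one of those files with its timestamp, client IP, method and status code, then summarizes the hits per client IP so that the timestamps and source IPs can drive the investigation the answer describes. The log lines, the IP addresses and the file name suspect.aspx are constructed sample data, not indicators from this page.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample IIS W3C log (not taken from any real server).
# IIS writes one "#Fields:" header per log file; the column order can differ
# between servers, so the parser reads the header instead of assuming positions.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2021-03-10 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-03-10 01:12:03 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 10.0.0.50 Mozilla/5.0 200 0 0 120
2021-03-10 01:13:44 10.0.0.5 POST /owa/auth/suspect.aspx - 443 - 203.0.113.7 python-requests/2.25 200 0 0 35
2021-03-10 01:15:10 10.0.0.5 GET /ecp/default.flt - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 12
2021-03-10 02:03:21 10.0.0.5 GET /owa/auth/suspect.aspx - 443 - 198.51.100.9 curl/7.68 404 0 2 3
2021-03-10 02:10:00 10.0.0.5 GET /owa/ - 443 - 10.0.0.51 Mozilla/5.0 200 0 0 80
"""

Hit = Tuple[str, str, str, str, str]  # (timestamp, client ip, method, uri stem, status)


def parse_w3c(lines: Iterable[str]):
    """Yield one dict per request line, keyed by the names in the #Fields header.

    IIS encodes spaces inside fields as '+', so splitting on single spaces is safe.
    Lines whose column count does not match the header are skipped rather than
    silently misaligned.
    """
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def _basename(path: str) -> str:
    # Accept both Windows paths from a scanner report and URL paths from the log.
    return re.split(r"[\\/]", path)[-1].lower()


def find_accesses(lines: Iterable[str], suspect_files: Iterable[str]) -> List[Hit]:
    """Return every request whose URI stem names one of the suspect files."""
    wanted = {_basename(f) for f in suspect_files}
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if _basename(stem) in wanted:
            hits.append((
                f"{rec['date']} {rec['time']}",
                rec.get("c-ip", "-"),
                rec.get("cs-method", "-"),
                stem,
                rec.get("sc-status", "-"),
            ))
    return hits


def summarize_by_ip(hits: Iterable[Hit]) -> Dict[str, dict]:
    """Group hits per client IP with first/last seen times and the status codes returned."""
    summary: Dict[str, dict] = defaultdict(lambda: {"count": 0, "first_seen": None,
                                                    "last_seen": None, "statuses": set()})
    for ts, ip, _method, _stem, status in hits:
        entry = summary[ip]
        entry["count"] += 1
        entry["first_seen"] = ts if entry["first_seen"] is None else min(entry["first_seen"], ts)
        entry["last_seen"] = ts if entry["last_seen"] is None else max(entry["last_seen"], ts)
        entry["statuses"].add(status)
    return dict(summary)


if __name__ == "__main__":
    # Hypothetical scanner finding: a file name only; the path is constructed.
    flagged = [r"C:\inetpub\wwwroot\aspnet_client\suspect.aspx"]
    found = find_accesses(SAMPLE_IIS_LOG.splitlines(), flagged)
    for hit in found:
        print(" ".join(hit))
    for ip, info in summarize_by_ip(found).items():
        print(f"{ip}: {info['count']} request(s), {info['first_seen']} .. {info['last_seen']}, "
              f"statuses {sorted(info['statuses'])}")
```

On a real server, replace SAMPLE_IIS_LOG with the contents of the files under the IIS log directory (all of them, since a web shell may have been reached before the day the scanner ran), and feed in the file names from the scanner output. A 404 for a flagged name is still worth noting: it shows someone requested the file even if it was no longer present at that moment.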

  2. Lucas Liu-MSFT 6,191 Reputation points
    2021-03-15T07:00:42.95+00:00

    Hi @Deen Uthman ,
    As Andy mentioned above, although the infected files are not shown in the results, you still need to be vigilant and handle them correctly.

    In addition, please make sure that the Exchange server has been upgraded to the latest version and install the security update for Microsoft Exchange Server.
    For more information: Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)

    ----------

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. DGG 1 Reputation point
    2021-03-18T12:41:48.047+00:00

    I don't think any of the answers actually address the real question. I'm seeing the same issue. During the MSERT scan it is displaying that it has found infected files. When the scan is complete it states that no malware, viruses, etc. were found. The question is: why are these reports different, and where can we find a report on what files the MSERT scan thought were an issue? We can't investigate them without knowing what they are.
    We absolutely should follow all the other recommendations, but I would like to know what MSERT thought it found to make sure we are not missing something. Without babysitting the scan, you'd never see that it was flagging files as problems based on the results displayed.


  4. Andy David - MVP 158K Reputation points MVP Volunteer Moderator
    2021-03-18T12:51:24.407+00:00

  5. DGG 1 Reputation point
    2021-03-18T13:13:52.49+00:00

    To add to this: the MSERT txt/log file reports zero infections found.

