DeenUthman-3980 asked:

MSERT scan results says clean bill of health

Hi all,
Just completed an MSERT scan on my Exchange 2013 server, and during the scan it was reporting that it had detected a number of infected files. However, once the scan completed the MSERT scan report log file is reporting a clean bill of health on the server.

I'm assuming that what it was reporting during the scan were all false positives and the norm; is this something others have experienced, or should I be worried?

Just started off another scan to see if it comes back with the same results.


AndyDavid answered (edited):

Be sure to purchase and use anti-malware protection on the Exchange Servers


https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

If you find any evidence of exploitation (e.g., in Exchange application logs), ensure you are retaining the logs, and use the details such as timestamps and source IPs to drive further investigation.


If you find known bad files using your endpoint security solution, the Microsoft IOC feed, or the Microsoft Safety Scanner, take the following actions:

Remediate and quarantine them for further investigation unless they are expected customizations in your environment.
Search your IIS logs to identify whether or not the files identified as malicious have been accessed.
Consider submitting suspected malicious files to Microsoft for analysis following this guidance: Submit files for analysis by Microsoft – Windows security | Microsoft Docs and include the string “ExchangeMarchCVE” in the Additional Information text box of the submission form.
As part of hunting and scanning, if you find evidence of exploitation of the Unified Messaging RCE (CVE-2021-26857), you should delete potential uncleaned exploit files in %ExchangeInstallPath%\UnifiedMessaging\voicemail

If you find any evidence of external access to a suspect file identified above, use this information to drive further investigation on impacted servers and across your environment. Our blog post on the Hafnium attack goes into details for folks who need additional details for IOC’s, File Hashes, etc.: HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security

If any of your security detections or the investigation tools results lead you to suspect that your Exchange servers have been compromised and an attacker has actively engaged in your environment, execute your Security Incident Response plans, and consider engaging experienced Incident Response assistance. It is particularly critical if you suspect that your Exchange environment is compromised by a persistent adversary that you coordinate your response using alternative communications channels as mentioned earlier in this document.
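The "search your IIS logs" step above, as an added example that is not part of the original answer: a PowerShell script that parses the W3C-format IIS logs, looks for requests whose URI ends in one of the file names your scanner flagged, and lists the timestamps and source IPs the step asks you to collect. The default log folder and the suspect file name are assumptions; replace them with your own values.

```powershell
# Added example (not from the thread): find IIS requests to files flagged as suspect.
# Assumptions: default IIS log folder; $SuspectFiles holds the names your scanner reported.
param(
    [string[]]$SuspectFiles = @('example-suspect.aspx'),   # placeholder; use the flagged names
    [string]$LogRoot = 'C:\inetpub\logs\LogFiles'
)

$hits = foreach ($log in Get-ChildItem -Path $LogRoot -Filter '*.log' -Recurse) {
    $fields = $null
    foreach ($line in [System.IO.File]::ReadLines($log.FullName)) {
        if ($line.StartsWith('#Fields:')) {
            # The W3C header names the columns; IIS may change field order between log files
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }   # other directives / no header yet

        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }            # skip truncated lines

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }

        $stem = $row['cs-uri-stem']
        foreach ($name in $SuspectFiles) {
            if ($stem -and $stem.EndsWith('/' + $name, 'OrdinalIgnoreCase')) {
                [pscustomobject]@{
                    Time     = "$($row['date']) $($row['time'])"
                    ClientIP = $row['c-ip']
                    Method   = $row['cs-method']
                    Uri      = $stem
                    Query    = $row['cs-uri-query']
                    Status   = $row['sc-status']
                    LogFile  = $log.Name
                }
            }
        }
    }
}

# Every request to a flagged file, oldest first
$hits | Sort-Object Time | Format-Table -AutoSize

# Which source IPs touched the files, to drive further investigation across the environment
$hits | Group-Object ClientIP | Select-Object Name, Count | Sort-Object Count -Descending
```

Run it on a copy of the logs preserved for the investigation; an empty result only means no access was logged in the files you scanned, not that the file was never reached.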


LucasLiu-MSFT answered:

Hi @DeenUthman-3980 ,
As Andy mentioned above, although the infected files are not shown in the results, you still need to be vigilant and handle them correctly.

In addition, please make sure that the Exchange server has been upgraded to the latest version and install the security update for Microsoft Exchange Server.
For more information: Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.






Hi @DeenUthman-3980 ,
Do suggestions above help? If the issue has been resolved, please click “Accept as answer” to mark helpful reply as an answer, this will make answer searching in the forum easier and be beneficial to other community members as well.

Thanks for your understanding.




Hi @DeenUthman-3980 ,
I am writing here to confirm with you how things are going now. If the above suggestion helps, please click “Accept as answer” to mark the helpful reply as an answer. Your action would be helpful to other users who encounter the same issue and read this thread.
Thanks for your understanding.



DGG-4012 answered:

I don't think any of the answers actually address the real question. I'm seeing the same issue. During the MSERT scan it is displaying that it has found infected files. When the scan is complete it states that no malware, viruses, etc. were found. The question is why are these reports different and where can we find a report on what files the MSERT scan thought were an issue. We can't investigate them without knowing what they are.
We absolutely should follow all the other recommendations, but I would like to know what MSERT thought it found to make sure we are not missing something. Without babysitting the scan, you'd never see that it was flagging files as problems based on the results displayed.


DGG-4012 answered:

To add to this. The MSERT txt/log file reports zero infections found.
