This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 45%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
In watching recent traffic generated by my Exchange Server 2019 Version 15.2 (Build 858.5). I see this as a newer traffic since updating with the latest "patches" from earlier this month (March 2021). According to healthchecker.ps1 and every other scan I can get my hands on, I don't have a "nasty" in my network. Specifically usually a TCP connection attempt to various ports to the AD Servers in the organization from the E2019 VM. This is the script that is running. The only change I see is the hexadecimal number changes after .\pipe\iisipm c:\windows\system32\inetsrv\w3wp.exe () -ap "msexchangepowershellapppool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config" -a \.\pipe\iisipm2102ad39-516e-4a5c-a934-228a22f08eb5 () -h "C:\inetpub\temp\apppools\MSExchangePowerShellAppPool\MSExchangePowerShellAppPool.config" -w "" -m 0 Does anyone know if this is normal behavior? I am currently block the process through our internal behavior monitoring software.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 82%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEY%3C/text%3E%3C/svg%3E)
Hi,
Where do you get those information? It looks more related to IIS.
Any errors in Event Log? Or any performance issues found?
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I am writing here to confirm with you how the thing going now?
If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 57.99999999999999%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
This process is associated with exchange_cve_2021_26855
If you are seeing it I am just letting you know that it is possible if you are UNPATCHED that you are hacked. If you are patched it could be attempts to try.
Not trying to stress you out but figured you are looking to know.
The behavior described above stopped occurring after the "Latest Update 3/16/2021 PST (this will be the final update)" was applied. I saw no other blocked behavior in the Carbon Black logs after this was patched. So what you mentioned about CVE-2021-26855 appears to be correct.
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Exchange uses RPC to do may things, and the connections are ephemeral so while the initial connection from the Exchange server would always begin on the same port (135), the actual data exchange would always take place on a dynamically assigned "high port".
I haven't worked on Exchange since 2014 (I was an Exchange Server MVP for 16 years before retiring), but looking at what you posted it seems to have to do with the configuration of the application pool used by what used to be the Client Access Server (I don't know what that role's called now, sorry).
Maybe one of the Exchange folks can fill in more detail. But I wouldn't interfere with that traffic for now.