Last updated on: March 19, 2021
Update March 19: This notification was updated to show the detection is for all versions of Cloud Agent.
Original post: On March 10, 2021, Qualys Policy Compliance added the following new control, collected by Qualys Cloud Agent, to detect malicious webshells on Windows systems.
Control ID 20873: Statement – Status of the ‘webshell IoCs’ present in the files under the MS Exchange Frontend directory
This control ran a PowerShell command to collect data: it read the files present under the MS Exchange Frontend directory and checked their contents against a list of ‘webshell IoCs’. Executing this command could potentially trigger alerts in EDR products, because a PowerShell process launched by an agent that reads every page under an Exchange web directory looks much like post-compromise activity.
While the command was safe to run and produced the expected results, it had the potential to create a high number of EDR alerts. Based on customer feedback, we are removing this control, and the Policy Compliance manifest will be updated immediately.
Manifest version VULNSIGS-2.5.130-3 removes the control and is available for download by the agents.
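For readers who want to reproduce the kind of check the removed control performed, the following is an added illustration, not the Qualys Cloud Agent command (which this notice does not publish). The FrontEnd\HttpProxy path under the Exchange install root, the file extensions and the indicator patterns are all assumptions constructed for this example.

```powershell
# Added illustration (not the Qualys Cloud Agent command, which the notice does not publish):
# scan the Exchange FrontEnd directory for webshell-style content with PowerShell.
# Assumptions: the FrontEnd\HttpProxy path, the file extensions and the indicator
# patterns below are constructed for this example.

$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) {
    # ExchangeInstallPath is set by Exchange setup; fall back to the default install root (assumption).
    $exchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\'
}
$frontEnd = Join-Path $exchangeRoot 'FrontEnd\HttpProxy'

# Constructed, generic webshell indicators (regular expressions). Not an official IoC list;
# replace with the indicator set you actually trust.
$patterns = @(
    'eval\s*\(\s*Request',                      # script evaluating data taken from the request
    'Request(\.Form|\.QueryString)?\["',        # page reading named request parameters
    'System\.Diagnostics\.Process',             # a web page starting OS processes
    'cmd\.exe|powershell(\.exe)?'               # references to command interpreters
)

# Walk the server-side script types IIS will compile and serve under the FrontEnd directory.
$hits = Get-ChildItem -Path $frontEnd -Recurse -File -Include *.aspx,*.asmx,*.ashx,*.asax -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        foreach ($p in $patterns) {
            # -List returns only the first matching line per file for each pattern.
            $m = Select-String -Path $file.FullName -Pattern $p -List
            if ($m) {
                [pscustomobject]@{
                    Path      = $file.FullName
                    LastWrite = $file.LastWriteTime
                    Pattern   = $p
                    Line      = $m.LineNumber
                    Text      = $m.Line.Trim()
                }
            }
        }
    }

if ($hits) {
    # Most recently written files first: a fresh LastWrite on a page is the first thing to triage.
    $hits | Sort-Object LastWrite -Descending | Format-Table -AutoSize
} else {
    "No indicator matches under $frontEnd"
}
```

Matches are triage leads, not verdicts: legitimate Exchange pages also reference Request and spawn helpers, so compare any hit against a known-good installation before acting on it. Note also that this script exhibits exactly the behaviour the notice describes, a PowerShell process reading every page under the Exchange web directory, so run it from an interactive administrator session you can annotate in your EDR console rather than from an unattended agent or scheduled task.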