PWS:Win32/Fareit Detected on Exchange Server

  • Question

  • We got the alert below on our Exchange 2013 Server

    System Center Endpoint Protection has detected malware on one or more computers in your organization

    Collection name: All Systems
    Malware Name: PWS:Win32/Fareit
    Number of infections: 2

    Last detection time(UTC time): 3/17/2016 4:06:03 AM

    These are the infections of this malware:
    1. Computer name: EX13MBX001.domain.com
    Domain: OURDOMAIN
    Detection time(UTC time): 3/17/2016 4:06:03 AM
    Malware file path: file:_C:\Windows\Temp\OICE_BC6A34D4-F117-4854-B383-322640654337.0\FLTB8B9.tmp
    Remediation action: NoAction
    Action status: Succeeded

    2. Computer name: EX13MBX001.domain.com
    Domain: OURDOMAIN
    Detection time(UTC time): 3/16/2016 3:09:30 PM
    Malware file path: file:_C:\Windows\Temp\OICE_A4A0A46E-2248-4574-B911-A62D153AF052.0\FLTBA62.tmp
    Remediation action: NoAction
    Action status: Succeeded

    I've done a full scan on the box and it shows clean. The .tmp files don't exist in the path listed above; however, there are several that have OICE in them.

    In the SCCM Console, it shows running in an Exchange 2013 process:

    C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\ParserServer\ParserServer.exe

    Has anyone run across this one?


    Orange County District Attorney

    Thursday, March 17, 2016 3:37 PM

Answers