Rank: Newbie Groups: Member
Joined: 9/14/2021 Posts: 1
Hi, we have a web application that uses EO.Pdf (v17.3.13) to generate PDFs and let the client download them. Recently the IT department installed CrowdStrike on the app server, and they got alerts like the one below:
On Sep. 13, 2021 21:44:04 UTC Falcon detected an executable created and run under the IIS worker process on host ***. Command Line: c:\windows\system32\inetsrv\w3wp.exe -ap "***.ipipeline.com" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipm921892a6-1d22-450f-90d8-c0c2fcfd52dc -h "C:\inetpub\temp\apppools\***com.config" -w "" -m 0 -t 20 -ta 0
W3wp.exe wrote the following file to Windows temp and executed it: File Path: C:\Windows\Temp\eowp.17.3.13.0.exe File Hash: 4108e09b4eff8ddd56d7529a843ed02b59a02e2ba509a18b318d47ff7f80a22f
This binary is digitally signed and verified from Essential Objects, Inc. and does not appear to be malicious. Falcon also triggered a separate detection related to this when it blocked the following rundll32 process:
Command Line: C:\Windows\SysWOW64\rundll32.exe --enable-speech-input --auto-scan-plugin --enable-media-stream --no-sandbox --disable-gpu --disable-canvas-aa
Although the eowp.17.3.13.0.exe binary was written today, we noted that the "EO WebBrowser" cache files go back several months. However, we would still like to confirm that this is expected activity and also inquire if an IOA exclusion should be created for these detections.
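Before deciding on an IOA exclusion, a defender would first confirm that the dropped worker is the binary the alert describes. As an added example that is not part of this thread or of EO.Pdf, this PowerShell check verifies the Authenticode signer, the SHA256 and the version resource of the file named in the detection; the path, publisher and hash are taken from the alert above, and the function name is my own.

```powershell
# Added triage script (not from the thread or from Essential Objects): before
# creating a Falcon IOA exclusion for the dropped EO.Pdf worker, confirm the
# binary is what the alert says it is. Path, hash and publisher come from the
# detection quoted above; adjust them for your own alert.
$Path         = 'C:\Windows\Temp\eowp.17.3.13.0.exe'
$Publisher    = 'Essential Objects'
# SHA256 quoted in the alert. A hash pin only holds for this exact build; the
# signer check below is what survives an EO.Pdf upgrade. Set to $null to skip.
$ExpectedHash = '4108e09b4eff8ddd56d7529a843ed02b59a02e2ba509a18b318d47ff7f80a22f'

function Test-EoWorkerBinary {
    param([string]$Path, [string]$Publisher, [string]$ExpectedHash)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; SafeToExclude = $false }
    }

    # 1. Authenticode: Status must be Valid (trusted chain, file not tampered)
    #    and the leaf certificate must name the expected publisher.
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $signerOk = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -like "*$Publisher*")

    # 2. Hash pin against the value quoted in the detection (case-insensitive).
    $hash     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk   = (-not $ExpectedHash) -or ($hash -ieq $ExpectedHash)

    # 3. Version resource: should line up with the EO.Pdf build the app ships.
    $vi       = (Get-Item -LiteralPath $Path).VersionInfo

    [pscustomobject]@{
        Path            = $Path
        Exists          = $true
        SignatureStatus = $sig.Status.ToString()
        Signer          = $sig.SignerCertificate.Subject
        SHA256          = $hash
        ProductName     = $vi.ProductName
        FileVersion     = $vi.FileVersion
        # Only a consistent result supports a narrow exclusion (signer plus
        # path pattern); any mismatch is a reason to keep the detection live.
        SafeToExclude   = $signerOk -and $hashOk
    }
}

Test-EoWorkerBinary -Path $Path -Publisher $Publisher -ExpectedHash $ExpectedHash | Format-List
```

Run it on the app server as an account that can read C:\Windows\Temp; a SafeToExclude of False with a valid signature but a hash mismatch usually just means a newer EO.Pdf build, which is why any exclusion should key on the signer and path pattern rather than on one hash.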
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
Hi,
We can confirm that this is normal behavior for EO.Pdf.
Thanks!