Adding changes to reduce false positives seen by customers#386

Merged
bill-long merged 4 commits into
microsoft:mainfrom
SharmaAkash1:patch-4
Mar 18, 2021

Conversation

@SharmaAkash1
Contributor

The changes made in the script are as follows:

1. For Cve26858 we only show the error if the path in the error message "Download failed and temporary file <path> needs to be removed" is invalid (does not start with C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB).
2. For set-virtual directory we throw an error only if the URL is invalid.
3. For the get-suspicious files we only show those if one of the 4 vulnerabilities (Cve26855 or Cve26857 or Cve26858 or Cve27065) is found.
   This was done because even customers who did not have any vulnerabilities were alerted due to the presence of some zip files that they had created on their system.
   These false positives led to a lot of confusion and uneasiness for the customers.
4. We also show an additional error message regarding web shells if we find logs of successful reset-virtualdirectory hits (having a bad anchor mailbox object) in the httpsproxy folder.

@bill-long
Member

Please run .build\CodeFormatter.ps1 -Save and then correct the PSScriptAnalyzer issues manually:

RuleName                              Severity    ScriptName          Line Message
--------                              --------    ----------          ---- -------
PSAvoidTrailingWhitespace             Information Test-ProxyLogon.ps1 172  Line has trailing whitespace
PSAvoidTrailingWhitespace             Information Test-ProxyLogon.ps1 194  Line has trailing whitespace
PSAvoidTrailingWhitespace             Information Test-ProxyLogon.ps1 210  Line has trailing whitespace
PSAvoidTrailingWhitespace             Information Test-ProxyLogon.ps1 219  Line has trailing whitespace
PSAvoidTrailingWhitespace             Information Test-ProxyLogon.ps1 228  Line has trailing whitespace
PSAvoidTrailingWhitespace             Information Test-ProxyLogon.ps1 229  Line has trailing whitespace
PSPossibleIncorrectComparisonWithNull Warning     Test-ProxyLogon.ps1 186  $null should be on the left side of
                                                                           equality comparisons.
PSPossibleIncorrectComparisonWithNull Warning     Test-ProxyLogon.ps1 186  $null should be on the left side of
                                                                           equality comparisons.
PSUseDeclaredVarsMoreThanAssignments  Warning     Test-ProxyLogon.ps1 225  The variable 'FoundMaliciousResetVDir' is
                                                                           assigned but never used.

@bill-long bill-long self-requested a review March 18, 2021 16:22
@bill-long bill-long merged commit 1aa9680 into microsoft:main Mar 18, 2021
dpaulson45 added a commit that referenced this pull request Apr 20, 2021
Script displays all errors if not executed elevated in v3