• I’m running php 7.4.3 on IIS 2016. About 2x a month, my Windows Defender will find php malware under the windows/temp folder.

    It found Backdoor:PHP/WebShell!MSR and TrojanDownloader:Win32/Nemucod!ml and deleted the files. I don’t know what content is in the tmp file because it was already deleted.

    I’ve run a full scan on my machine and it’s clean. Plus I’m running ithemes security pro. The core files seem to be fine. Any ideas on how to proceed? If an anonymous user does a POST and attaches a file with malware, could this be the reason why?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    It's entirely possible that was a false positive, though as you suggested, it could have been the result of a post that did not complete. Are you using a WP security plugin on your site to help regulate stuff like that?

    Thread Starter superduperguy9399

    (@superduperguy9399)

    I’m using ithemes Security Pro and it reports everything looks well.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Cool. So, turn off Live Traffic. 🙂

    Thread Starter superduperguy9399

    (@superduperguy9399)

    I don’t think ithemes security pro has a “Live Traffic” module. That’s Wordfence I believe.
    In my IIS logs I see POST requests to /wp-cron.php and /xmlrpc.php around the same time. I don’t see the payload though since IIS logs don’t capture it. I see a lot of POST requests though to cron and xmlrpc. Not sure if that has anything to do with it.
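
    As an added example (not from this thread or from any plugin mentioned in it), the script below parses IIS W3C extended log lines and counts POSTs to /xmlrpc.php and /wp-cron.php by client IP within a window around the Defender detection time, which is the correlation the last post describes doing by eye. The log lines are constructed, and the column names assume the default IIS field set.

```python
"""Correlate POSTs to xmlrpc.php / wp-cron.php in IIS W3C logs with a detection time."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of an IIS W3C extended log (default fields, times are UTC).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-01 02:14:05 10.0.0.5 POST /xmlrpc.php - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 312
2021-03-01 02:14:06 10.0.0.5 POST /xmlrpc.php - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 298
2021-03-01 02:14:09 10.0.0.5 GET /wp-login.php - 443 - 198.51.100.2 Mozilla/5.0 - 200 0 0 40
2021-03-01 02:15:00 10.0.0.5 POST /wp-cron.php doing_wp_cron=1614564900 443 - 10.0.0.5 WordPress/5.6 - 200 0 0 55
2021-03-01 09:30:01 10.0.0.5 POST /xmlrpc.php - 443 - 198.51.100.2 Mozilla/5.0 - 200 0 0 300
"""

WATCHED = {"/xmlrpc.php", "/wp-cron.php"}
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def posts_near(text, detection_time, window_minutes=10):
    """Count watched POSTs per (client IP, URI) within +/- window of detection_time.

    detection_time is a 'YYYY-MM-DD HH:MM:SS' string in the log's time zone.
    Note: POSTs to /wp-cron.php coming from the server's own IP are WordPress
    spawning its scheduler and are expected; POSTs from external IPs are not.
    """
    centre = datetime.strptime(detection_time, TS_FMT)
    lo, hi = centre - timedelta(minutes=window_minutes), centre + timedelta(minutes=window_minutes)
    hits = Counter()
    for r in parse_w3c(text):
        if r["cs-method"] != "POST" or r["cs-uri-stem"] not in WATCHED:
            continue
        ts = datetime.strptime(f"{r['date']} {r['time']}", TS_FMT)
        if lo <= ts <= hi:
            hits[(r["c-ip"], r["cs-uri-stem"])] += 1
    return hits


if __name__ == "__main__":
    # Constructed detection time; take it from the Defender alert in practice.
    for (ip, uri), n in posts_near(SAMPLE_LOG, "2021-03-01 02:20:00").most_common():
        print(f"{n:4d}  {ip:<15} {uri}")
```

Point the script at the real log under the IIS LogFiles directory and use the Defender alert time as the centre; a single external IP dominating xmlrpc.php in that window is the line to investigate first.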

The topic ‘Windows defender is finding tmp malware under C:\windows\temp’ is closed to new replies.