Newbie question: We got out new BES server up and running about 8 weeks ago and everything has going along fine. However, I just got an alert from our AV software indicating that a Trojan was found in the AppData\Local\Temp\1F242612\ folder of the besadmin user.

Newbie part: How can something get there as we don't surf from the machine at all - ever.

As this is the BES admin account, is this somehow related to some file a user is sending or receiving? If so, is there a log file somewhere that would tell me what user this was associated with?

Any help for the unknowing would be much appreciated.

Thanks

Moved to a more appropriate section.

No, file attachments are not saved in the in besadmin's temp folder. But if you install software on the BES server whilst being logged in as besadmin, things can be saved in the Temp folder.

What is the file name of the dangerous file?

The file was:
\AppData\Local\Temp\1F24261\tax_statement.exe

Actual threat names: PWS-Zbot.gen.ab

How can this file have gotten on this machine when no surfing could have been done? Being an AppData folder, wouldn't a local installed program have to had put it there?

Thanks for your help!

Do you have a mail client installed on that server? Normally, if you open an attachment in a mail, it gets saved to the temp folder.

Also, have a look at the besadmin mailbox, if there are any mails with attachments in there.

In your e-mail environment, do you exclude some file extensions, like .exe? You should consider that.

Hello, no there is no email client installed nor do we surf from this machine at all. And yes, exe's get blocked at the firewall level and Outlook in general. No one could e-mail any for of executable into our building.

I'm at a loss for how an executable got into the AppData folder!

Thanks

It is not your "AppData" folder. It is the Temp folder that happens to be a sub-folder of AppData. Any temporary files for that user go in there. If you open a cmd box and type

set

You will see something like

TEMP=C:\Users\username\AppData\Local\Temp

So the besadmin user must have loaded something from maybe a USB stick or internal network folder or CD that has put that file there.

I would definitely do a AV scan of the whole machine just to be sure nothing else is there. I would also do an Anti-Malware scan of the files and the registry.