Axigen external connection: permit or not permit?

Good morning.
Recently our AV program pops up with Axigen on Windows Server 2019 with a request from Axigen.exe to communicate with two different IPs in Google Cloud, both via ports 465 and 443, and the command line “–console”.
Is this a normal Axigen procedure or should we be worried?
Thanks

Hello,

I would say that you should worry as we are not aware of any such activities from Axigen binaries.

BR,
Ioan

indreias, thank you for the fast reply.
Which are the logs to check? everything.txt did not show anything.

First of all, I would suggest computing the md5sum for the Axigen.exe binary and posting it here, accompanied by its version, so we can confirm there are no changes to it.

Secondly, please share (here or via direct message to me) the IP addresses that your AV program reported as contacted by the Axigen.exe binary so we can better understand this situation.

HTH,
Ioan

MD5 is dff726a6f9164fd3b157ba33cd8e0874
Version is 10.5.19

IPs are
173.255.221.138
195.158.107.101

Hello @stefano,

The md5sum string corresponds with the value obtained from the 10.5.19 kit so it should be fine.

Do you have any copy of the report produced by your AV product so we could review it from our side as well?

BR,
Ioan

Thank you for your comments.
In the meantime we have updated our firewall to accept 443 calls to Axigen only from a few very specific IPs and consider this to be solved. However, just out of curiosity, does the command line “-console” sound familiar to you? Would you be so kind as to explain which kind of access this is, as console access on 465 does not make any sense to me? Thanks again.

Hello Stefano,

No, -console is not an expected keyword to be used in communications over :465 (SMTPs) or :443 (HTTPS).

BR,
Ioan
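
The checks discussed in this thread (binary hash, command line, and which peers are involved on ports 465 and 443) can be collected in one pass on the server. The script below is an added example, not part of any reply above and not Axigen tooling. It assumes the process image name is axigen.exe, uses the MD5 posted in the thread for 10.5.19 as the reference value, and labels a connection as inbound when its local port is one the process itself listens on.

```powershell
# Added triage example (not Axigen tooling). Run in an elevated PowerShell session.
# Assumption: the reference MD5 is the value posted in this thread for version 10.5.19.
$ExpectedMd5 = 'dff726a6f9164fd3b157ba33cd8e0874'
$WatchPorts  = 465, 443   # ports named in the AV alert

# Every running process whose image name is axigen.exe (assumed name).
$procs = Get-CimInstance Win32_Process -Filter "Name = 'axigen.exe'"
if (-not $procs) { Write-Warning 'No axigen.exe process is running.'; return }

foreach ($p in $procs) {
    # Parent process: shows whether the binary was started by the service manager
    # or by something else.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    # Hash the image that is actually running, not a path typed from memory.
    $md5 = if ($p.ExecutablePath) {
        (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm MD5).Hash
    }

    [pscustomobject]@{
        ProcessId   = $p.ProcessId
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine      # compare with the command line in the AV alert
        Parent      = $parent.Name
        Md5         = $md5
        Md5Matches  = ($md5 -eq $ExpectedMd5)   # string -eq is case-insensitive
    } | Format-List

    # TCP sockets owned by this process.
    $conns  = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue
    $listen = @($conns | Where-Object State -eq 'Listen' |
                Select-Object -ExpandProperty LocalPort)

    # Non-listening sockets that touch 465 or 443 on either side, labelled by direction.
    $conns |
        Where-Object { $_.State -ne 'Listen' -and
                       ($_.LocalPort -in $WatchPorts -or $_.RemotePort -in $WatchPorts) } |
        Select-Object @{ n = 'Direction'
                         e = { if ($_.LocalPort -in $listen) { 'inbound' } else { 'outbound' } } },
                      LocalPort, RemoteAddress, RemotePort, State |
        Sort-Object Direction, RemoteAddress |
        Format-Table -AutoSize
}
```

The direction column separates clients connecting to the server's own 465/443 listeners from connections the process itself opens to a remote 465/443, which is the distinction that decides whether a firewall rule on inbound traffic addresses the alert.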