I guess this article should be thrown in the bin now?
https://support.solarwinds.com/SuccessCenter/s/article/Files-and-directories-to-exclude-from-antivirus-scanning-for-Orion-Platform-products?language=en_US
If you have one of the affected DLLs, try to make a copy of it on your local laptop and see how much time it takes your corporate antivirus to delete/quarantine it.
Oh, the fricken irony. Sure, AV may not have detected anything. But maybe it may have (on this or some other). I'm pretty sure if I were to say, "I'm not going to scan these Solarwinds directories," I'd be shown the door.
Right after FireEye released their statement, Microsoft released a definition update that flags all known versions of the .dll containing the trojan.
Our environment is currently locked down, but we fetched the virtual hard disks and mounted them as read-only, scanned them and, lo and behold, Defender flagged our .dll.
And we ran 2020.2.1 HF1.
There are many locations of the SolarWinds.Orion.Core.BusinessLayer.dll file shown to be infected. Plus a few installer.msi files. The hotfix needs to address this issue as well. Speaking of, I still don't see a hotfix posted yet for 2020.2.
Same here!
@detniels - Is AV just looking for the file and flagging it as a possible compromise, or an actual compromise? What is your AV saying when it flagged it? Is it finding a Trojan in 2020.2.1?
We haven't done it yet, but it seems like a good idea to make sure all of our Defenders have empty exclusion lists.
Yea, Defender is identifying the .dll as Win32/Solorigate.C!dha
And yes, it is the .dll from 2020.2.1 HF1 (the one from November).
(Un)fortunately I do not have any more info to give in relation to other files, because we only allow outbound internet traffic through a strict whitelist proxy. So our servers have never been able to call home.
Don't forget that is only the file that starts everything off.
It's well worth taking a bit of time to read the detailed description from FireEye of how this malware works and look for other indicators of compromise on your server.
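The two checks suggested in the posts above (confirm Defender has no exclusions covering the Orion tree, then go looking for the flagged DLL and what Defender says about it) can be done from one elevated PowerShell session on the Orion host. This is an added example, not code from the thread or from SolarWinds; the install root is an assumption, and the hashes to compare against come from the vendor advisory and the FireEye write-up, not from this script.

```powershell
# Added example (not from the thread). Run elevated on the Orion server.
# Assumption: Orion is installed under the default root below; adjust if not.
$dllName   = 'SolarWinds.Orion.Core.BusinessLayer.dll'
$orionRoot = 'C:\Program Files (x86)\SolarWinds'

# 1. Exclusions. Any path or process exclusion covering the SolarWinds tree
#    means Defender never looked at the DLL, whatever definitions were loaded.
$prefs = Get-MpPreference
$pathExcl = @($prefs.ExclusionPath)    | Where-Object { $_ -and $_ -like '*SolarWinds*' }
$procExcl = @($prefs.ExclusionProcess) | Where-Object { $_ -and $_ -like '*SolarWinds*' }
if ($pathExcl) {
    Write-Warning "Path exclusions covering SolarWinds: $($pathExcl -join ', ')"
    # Uncomment once you have recorded them:
    # Remove-MpPreference -ExclusionPath $pathExcl
}
if ($procExcl) {
    Write-Warning "Process exclusions covering SolarWinds: $($procExcl -join ', ')"
    # Remove-MpPreference -ExclusionProcess $procExcl
}
if (-not $pathExcl -and -not $procExcl) {
    Write-Host 'No SolarWinds-related Defender exclusions configured.'
}

# 2. Every copy of the DLL, including ones left behind by installers and
#    hotfix backups, with version, SHA256 and Authenticode status.
#    Note: the trojanized DLL carried a valid vendor signature, so a "Valid"
#    status does not clear a file; only the hash comparison does.
$copies = Get-ChildItem -Path $orionRoot -Recurse -Filter $dllName -File -ErrorAction SilentlyContinue
$report = foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        Version   = $f.VersionInfo.FileVersion
        SHA256    = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
}
$report | Format-Table -AutoSize
# Compare the SHA256 column against the published indicators from the
# SolarWinds advisory / FireEye report (placeholder: <KNOWN_BAD_SHA256_LIST>).

# 3. Ask Defender to scan each directory that holds a copy, then read back
#    what it detected (the thread reports the name Win32/Solorigate.C!dha).
$copies | Select-Object -ExpandProperty DirectoryName -Unique | ForEach-Object {
    Start-MpScan -ScanType CustomScan -ScanPath $_
}
Get-MpThreatDetection | Select-Object InitialDetectionTime, ThreatID, Resources
Get-MpThreat          | Select-Object ThreatName, SeverityID
```

Step 2 matters even after the hotfix is applied: the posts above report the DLL sitting in several locations plus installer .msi files, so checking only the live bin directory can miss a copy that a later repair or rollback would reinstate.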
Has anyone heard of where we are at in regards to 2020.2.2 being available?
The advisory page is the oracle of what is the state of play and that still says today - https://www.solarwinds.com/securityadvisory
Obviously they need to make sure that the fix released does everything it needs to in removing the trojan, increasing security and maintaining platform function, so one of those things to get right rather than rushing something out the door that will exacerbate the situation. Thankfully the 2020.2.1 HF1 plugs the issue as an immediate field dressing.
The SolarWinds Security Advisory has been updated. This also includes a link to a FAQ. These documents will continue to be updated as we obtain additional information.