Advice Request w3wp.exe (IIS worker) TrojanDownloader detection, auto-whitelisted?

Oct 13, 2019
I got an email from Emsisoft Cloud that one of my web servers had a detection:

THREAT
Detected object: C:\Windows\System32\inetsrv\w3wp.exe
Category: Downloader
Detected by: Behavior Blocker

REMEDIATION
Action: Excluded, Unknown, Blocked by community

Looks like the IIS worker process triggered a TrojanDownloader behavior block, but then Emsisoft actually automatically wrote a rule to ignore it. I'm 95% sure this is a false positive, though I am concerned that if any of my .NET websites actually got compromised, it would show up as the w3wp process doing something.

Is it normal to have w3wp trigger the behavior blocker?

