Q&A w3wp.exe (IIS worker) TrojanDownloader detection, auto-whitelisted?


Level 16
Thread author
Top poster
Oct 13, 2019
I got an email from Emsisoft Cloud that one of my web servers had a detection:

THREAT Detected object: C:\Windows\System32\inetsrv\w3wp.exe Category: Downloader Detected by: Behavior Blocker REMEDIATION Action: Excluded, Unknown, Blocked by community

Looks like the IIS worker process triggered a TrojanDownloader behavior block, but then Emsisoft actually automatically wrote a rule to ignore it. I'm 95% sure this is a false positive, though I am concerned that if any of my .NET websites actually got compromised, it would show up as the w3wp process doing something.

Is it normal to have w3wp trigger the behavior blocker?