
CrowdStrike alert with app including EO.Pdf
Posted: Tuesday, September 14, 2021 10:44:51 AM
Rank: Newbie
Groups: Member

Joined: 9/14/2021
Posts: 1
We have a web application that uses EO.Pdf (v17.3.13) to generate PDFs and let the client download them.
Recently the IT department installed CrowdStrike on the app server, and then they got alerts like the one below:

On Sep. 13, 2021 21:44:04 UTC Falcon detected an executable created and run under the IIS worker process on host ***.
Command Line:
c:\windows\system32\inetsrv\w3wp.exe -ap "***.ipipeline.com" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipm921892a6-1d22-450f-90d8-c0c2fcfd52dc -h "C:\inetpub\temp\apppools\***com.config" -w "" -m 0 -t 20 -ta 0

W3wp.exe wrote the following file to Windows temp and executed it:
File Path: C:\Windows\Temp\eowp.
File Hash: 4108e09b4eff8ddd56d7529a843ed02b59a02e2ba509a18b318d47ff7f80a22f

This binary is digitally signed and verified from Essential Objects, Inc. and does not appear to be malicious. Falcon also triggered a separate detection related to this when it blocked the following rundll32 process:

Command Line:
C:\Windows\SysWOW64\rundll32.exe --enable-speech-input --auto-scan-plugin --enable-media-stream --no-sandbox --disable-gpu --disable-canvas-aa

Although the eowp. binary was written today, we noted that the "EO WebBrowser" cache files go back several months. However, we would still like to confirm that this is expected activity and also inquire if an IOA exclusion should be created for these detections.
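Before answering the "should we create an IOA exclusion" question, a defender would normally pin down exactly what the alert is describing: confirm the dropped file's SHA-256 matches the hash in the alert, and confirm the Authenticode signature is valid and chains to the signer the alert names. The PowerShell below is an added example written for this thread; it is not code from the original post, from CrowdStrike, or from Essential Objects. It assumes you pass the full file path from your own alert (the alert above shows the name truncated as `eowp.`, so no extension is assumed here), the hash from the alert, and the expected signer string.

```powershell
# Added example (not from the forum thread, CrowdStrike, or Essential Objects).
# Verifies a binary flagged by an EDR alert before any exclusion decision:
#   1. the file still exists (EDR may already have quarantined it),
#   2. its SHA-256 equals the hash reported in the alert,
#   3. its Authenticode signature is valid (chain and timestamp checked by Windows),
#   4. the signer subject contains the publisher the alert names.
function Test-AlertedBinary {
    [CmdletBinding()]
    param(
        # Full path reported by the alert (assumption: you supply the real file name).
        [Parameter(Mandatory)] [string] $Path,
        # SHA-256 reported by the alert.
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        # Publisher name expected in the signing certificate subject.
        [Parameter(Mandatory)] [string] $ExpectedSigner
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{
            Path           = $Path
            Exists         = $false
            HashMatches    = $false
            SignatureValid = $false
            SignerMatches  = $false
            Verdict        = 'file missing; check EDR quarantine before concluding anything'
        }
    }

    $actualHash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig        = Get-AuthenticodeSignature -LiteralPath $Path
    $subject    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $hashOk   = ($actualHash -ieq $ExpectedSha256)
    $sigOk    = ($sig.Status -eq 'Valid')
    $signerOk = ($subject -like "*$ExpectedSigner*")

    $verdict = if ($hashOk -and $sigOk -and $signerOk) {
        'matches alert hash and carries a valid signature from the expected publisher'
    } elseif (-not $hashOk) {
        'hash differs from the alert; you are not looking at the file the EDR saw'
    } elseif (-not $sigOk) {
        "signature status is '$($sig.Status)'; do not exclude on publisher alone"
    } else {
        "signed, but by '$subject' rather than the expected publisher"
    }

    [pscustomobject]@{
        Path           = $Path
        Exists         = $true
        HashMatches    = $hashOk
        SignatureValid = $sigOk
        SignerMatches  = $signerOk
        ActualSha256   = $actualHash
        SignerSubject  = $subject
        Verdict        = $verdict
    }
}

# Usage with the values from the alert above (replace the path with the full
# file name from your own alert; the name is truncated in the post):
Test-AlertedBinary `
    -Path 'C:\Windows\Temp\<file name from alert>' `
    -ExpectedSha256 '4108e09b4eff8ddd56d7529a843ed02b59a02e2ba509a18b318d47ff7f80a22f' `
    -ExpectedSigner 'Essential Objects, Inc.'
```

If the result comes back with all three checks true, the exclusion can be scoped tightly: to that signer (or that hash, if you prefer to re-review on each library upgrade) and to the specific behaviour the alert describes, `w3wp.exe` writing to `C:\Windows\Temp` and launching the file. A blanket path exclusion on `C:\Windows\Temp` would also hide anything else an attacker drops there through the same worker process, which is exactly the behaviour the detection exists to catch.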
Jack Cheng
Posted: Tuesday, September 14, 2021 1:57:26 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 23,036

We can confirm that this is normal behavior for EO.Pdf.

