ESET reports high-risk activity due to TeamCity server 'cmd.exe /C dir /-c ...\TeamCityData\system' calls
Our company recently switched to ESET security solutions and our administrator noticed some suspicious activity on our TeamCity server flagged by ESET as “High Risk”. The alerts are triggered by a command that is executed systematically every two minutes - cmd.exe /C dir /-c C:\TeamCityData\system.
My initial thought, based on the /-c argument, was that this might be an attempt to check for available disk space, although this seems like a very unusual way of doing it. My administrator, however, was quite skeptical and is now monitoring the server more closely, which is a big concern for us.
Could you please clarify what the purpose of these calls is? Are you aware that ESET is flagging this activity as high risk? It would be helpful to understand why TeamCity requires this specific command so we can address our security concerns.
The <TeamCity Data Directory>/system is a directory that includes build results, remote run changes, plugin data, and caches. For more information on the data directory, please refer to https://www.jetbrains.com/help/teamcity/teamcity-data-directory.html#Structure+of+TeamCity+Data+Directory
TeamCity periodically queries <TeamCity Data Directory>/system with cmd.exe /C dir /-c.
It may also create and access cache files in it, also using the cmd.exe. The data directory is, in general, used a lot by TeamCity.
On a side note, it is recommended to exclude the entire TeamCity server home and TeamCity Data Directory from the background checks and perform periodic checks there in a well-known maintenance window so that those do not affect server performance much. On a TeamCity agent, it is recommended to exclude the TeamCity agent home from the background checks. Please refer to https://www.jetbrains.com/help/teamcity/known-issues.html#Conflicting+Software.
Best regards,
Anton
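An added triage helper (example code, not from JetBrains or either poster in this thread) that separates the housekeeping call described in the answer above from any other cmd.exe dir invocation in process-creation telemetry, so the recurring expected event can be suppressed without disabling the rule. The data-directory path is taken from the question, and the assumption that the parent process is the TeamCity server's java.exe is mine.

```python
import re
from dataclasses import dataclass

# Expected housekeeping call described in the answer above:
#   cmd.exe /C dir /-c <TeamCity Data Directory>\system
# Data directory path taken from the question; adjust to your server.
TEAMCITY_DATA_DIR = r"C:\TeamCityData"

# Strict shape: optional path to cmd.exe, /C, dir /-c, one target path, nothing else.
_DIR_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?cmd\.exe"?\s+/C\s+dir\s+/-c\s+"?([^"&|<>]+?)"?\s*$',
    re.IGNORECASE,
)

@dataclass
class ProcessEvent:
    parent_image: str   # parent process image path from the process-creation event
    image: str          # created process image path
    command_line: str

def classify(ev: ProcessEvent, data_dir: str = TEAMCITY_DATA_DIR) -> str:
    """Return 'expected-teamcity' for the documented call, 'review' for anything else."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return "review"
    m = _DIR_RE.match(ev.command_line)
    if m is None:
        return "review"
    target = m.group(1).rstrip("\\").lower()
    if target != (data_dir.rstrip("\\") + "\\system").lower():
        return "review"
    # Assumption: the TeamCity server runs in a JVM, so the caller should be java.exe.
    if not ev.parent_image.lower().endswith("\\java.exe"):
        return "review"
    return "expected-teamcity"

def triage(events: list[ProcessEvent]) -> dict[str, int]:
    """Count verdicts: suppress the recurring expected call, keep the rule for the rest."""
    counts = {"expected-teamcity": 0, "review": 0}
    for ev in events:
        counts[classify(ev)] += 1
    return counts

# Constructed sample events (not real telemetry).
JAVA = r"C:\TeamCity\jre\bin\java.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcessEvent(JAVA, CMD, r"cmd.exe /C dir /-c C:\TeamCityData\system"),
    ProcessEvent(r"C:\Windows\explorer.exe", CMD, r"cmd.exe /C dir /-c C:\TeamCityData\system"),
    ProcessEvent(JAVA, CMD, r"cmd.exe /C dir /-c C:\Users\Public"),
    ProcessEvent(JAVA, CMD, r'"C:\Windows\System32\cmd.exe" /C dir /-c "C:\TeamCityData\system\"'),
]
```

Only an exact match on image, command shape, target directory and parent is treated as the expected call; a different parent or a different directory still goes to review.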