
Hi everyone,

I have a Control Room hosted on my customer’s Virtual Machines.

This morning new bots and folders appeared that I did not develop. My customer denies developing them (and they don’t know how to do so; it is not yet in production).

Those bots have been imported according to the audit logs (and given the fact the packages are not found they most probably have been).

In the logs I see a mysterious “Auto Download Templates” that seems to have triggered the import. I was at that time not connected to either the runner VMs or the Control Room.

Should I report this as a security incident? How dangerous are those bots? Can I delete them?

I have tried to Google their names, “CLS_Email_Response” and “W2 Form Document Automation”, but did not find anything.

 

@Augustin Yes, I would report this. Export the logs to CSV and you will see more detail.

Those bots have been imported according to the audit logs (and given the fact the packages are not found they most probably have been)

That just means when the bots were exported, they chose the option “do not export packages”, which is pretty common. Looking at the first action from the bot, those were some OLD, OLD import files. We renamed String: Before after to String: Extract text many years ago.

While these bots appear to be benign, I might check them into public and export them should you need them in the future. Then you should be able to safely get rid of them.


It seems that those were dependencies from a component of the Bot Store. 

They have been added more or less automatically, it seems (perhaps through an update of a Bot Store component). Quite weird imho, but at least it was not a piracy/hacking attempt.