
Psexec.exe detected as PUA

Endpoint Security and Control V9.0 detects Psexec.exe as PUA Hacking Tool.  Message is:

File "C:\WINDOWS\PSEXESVC.EXE" belongs to adware or PUA 'PsExec' (of type Hacking tool).

I have seen this detection on machines with TweakUI installed, as well as when certain batch files are executed.  Is it safe to authorize psexec.exe, or are there common malware programs that use this as well?

Thanks!

  • Hello,

    C:\WINDOWS\PSEXESVC.EXE is the executable for the service which psexec runs on the remote machine. Usually it's deleted when the program/command run by psexec exits. As long as it's running, the service can also be found in services.msc on the remote machine; afterwards it should be gone.

    Are there common malware programs that use this as well?

    While this is a good question, it's not the right question. Why? Psexec, for example, shouldn't be usable from "outside" your network. Thus if a malware program uses it, this malware must have somehow gotten inside your perimeter, and then psexec/psexesvc is probably one of the lesser worries. That leaves execution from the inside. If you can't find out who is using it or what it's used for, then simply block it. Either someone will complain sooner or later (then you can decide to authorize it if the use is justified) or not (then you can clean it up, which in this case will mean the files are simply deleted).

    The Administrator's rollout guide for potentially unwanted application (PUA) protection has more details.

    HTH

    Christian

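The reply above describes how to recognise the PsExec service by hand (the service appears in services.msc while a command runs, and the binary under C:\WINDOWS is removed afterwards). The following script is an added example, not code from the original thread or from Sophos or Sysinternals; it automates that check on the machine that raised the alert and adds one thing the reply does not mention: every PsExec run installs the service, and the Service Control Manager logs each installation as event ID 7045 in the System log, so the log shows past runs even after the file is gone. The 30-day window and the field names are assumptions for illustration.

```powershell
# Added example (not from the original post): audit a host for PsExec's remote
# service, PSEXESVC, which normally exists only while a psexec-launched command runs.
# Run in an elevated PowerShell session on the machine that raised the PUA alert.

# 1. Is the service registered right now? (This is what services.msc would show.)
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'PSEXESVC'"
if ($svc) {
    "PSEXESVC is registered: state={0} path={1} account={2}" -f $svc.State, $svc.PathName, $svc.StartName
} else {
    "PSEXESVC is not currently registered as a service."
}

# 2. Is the binary still on disk? It is normally deleted when the remote command exits,
#    so a lingering copy means a command is still running or the cleanup failed.
$path = Join-Path $env:SystemRoot 'PSEXESVC.EXE'
if (Test-Path $path) {
    $file = Get-Item $path
    "Binary present: {0} bytes, last written {1}" -f $file.Length, $file.LastWriteTime
    # Compare this hash against the PsExec build you actually distribute to your admins.
    Get-FileHash -Path $path -Algorithm SHA256 | Select-Object Hash
} else {
    "No {0} on disk (expected once the remote command has finished)." -f $path
}

# 3. Who has been installing it? The Service Control Manager records every service
#    installation as event 7045 in the System log, so this survives file deletion.
$since = (Get-Date).AddDays(-30)   # assumed look-back window
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    Select-Object TimeCreated, MachineName,
        @{ Name = 'Details'; Expression = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. The 7045 record names the service and its image path but not the person who launched psexec; to attribute a run, correlate the timestamp with a network logon (Security event 4624, logon type 3) from the source host. And psexec's -r switch lets the caller pick a different service name, so a clean result for the literal name PSEXESVC does not prove the tool was never used; matching on the image path or the installing account in step 3 is more robust than matching on the name alone.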