
PSEXESVC.EXE unexpectedly detected by on-access scan on client machine (SAV protected)

Morning all,

Our network consists of workstations and servers protected by SAV 9.5 with all latest updates, etc., and I can confirm that all machines are protected. The workstations are also protected by Sophos Client Firewall, and our entire network is behind a hardware firewall.

I received the following message at 5am this morning (the machine in question was left on overnight):

User: NT AUTHORITY\SYSTEM

Scan: On-access

Machine: <pcname>

File "C:\Windows\PSEXESVC.EXE" belongs to adware or PUA 'PsExec' (of type Hacking tool).

I have used PsExec on this machine in the past, but I am concerned as to why it is picked up by the on-access scan, and also at such a strange time. Should I be worried? I have taken the following steps so far:

  • Checked Netstat and confirmed that no unwanted connections are there
  • Removed PSEXESVC.EXE
  • Run TrendMicro's HijackThis and confirmed no unwanted entries anywhere
  • Checked the Windows event log from around the time of the warning message; nothing interesting there
  • Triggered a SpyBot S&D scan with all latest updates, and disconnected the machine from the network as a precaution.

I understand that an application like PsExec is detected as a PUA (not technically falsely), but I am confused as to why it was detected in the on-access scan!

Thanks in advance,

Adam Sharif



  • Hi,
    I would expect both the service image file "\windows\PSEXESVC.EXE" and the file "PsExec.exe" to be detected by on-access scanning if both the following are true:
    •  in the policy, scanning of "Adware and PUA" was enabled.
    •  PsExec was not already authorised on this machine.
    As to why it was picked up at that time, I suspect another process on the machine touched the file: be it an indexing application, backup software, auditing application, etc. A quick look through the event logs prior to that time and maybe a look through the scheduled jobs on the machine might reveal something that could explain the events that took place.
    If you've run PsExec on the machine in the past, I believe the service remains but in manual startup mode, so you might want to authorise it if there is a genuine need for it to still be on the machine, or remove the service if not.
     
    Thanks,
    Jak
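The reply above suggests three checks: whether the leftover PSEXESVC service is still registered, what the System event log shows around the alert time, and which scheduled jobs ran then. The following PowerShell script is an added triage example for this thread, not code from Sophos or from either poster. It assumes a Vista-or-later client (Get-WinEvent and schtasks.exe /v), the alert time is a placeholder you replace with the one from the Sophos message, and the Service Control Manager event IDs it filters on (7036 service state change, 7045 new service installed) are the standard Windows ones.

```powershell
# Added triage example for a PsExec PUA alert on a Windows client (not from the thread).
# Run in an elevated PowerShell prompt on the machine that raised the alert.
param(
    # Placeholder: substitute the timestamp from the on-access alert.
    [datetime]$AlertTime    = (Get-Date '2000-01-01 05:00'),
    [int]     $WindowMinutes = 30
)

$start = $AlertTime.AddMinutes(-$WindowMinutes)
$end   = $AlertTime.AddMinutes($WindowMinutes)

# 1. Is the PSEXESVC service still registered, and what does it point at?
#    After a PsExec session the service is normally left behind in manual start mode.
$svc = Get-CimInstance Win32_Service -Filter "Name='PSEXESVC'" -ErrorAction SilentlyContinue
if ($svc) {
    [pscustomobject]@{
        Check     = 'PSEXESVC service'
        State     = $svc.State
        StartMode = $svc.StartMode
        ImagePath = $svc.PathName
    } | Format-List
} else {
    Write-Output 'PSEXESVC service: not registered on this machine.'
}

# 2. Is the service image still on disk where the alert reported it?
$image = Join-Path $env:SystemRoot 'PSEXESVC.EXE'
Write-Output ("Image present at {0}: {1}" -f $image, (Test-Path $image))

# 3. Service Control Manager events in the window: who started/stopped/installed services.
#    7036 = service entered running/stopped state, 7045 = a new service was installed.
Write-Output "`nSCM events between $start and $end:"
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036, 7045
        StartTime    = $start
        EndTime      = $end
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# 4. Scheduled tasks whose last run falls in the window (indexing, backup, audit agents
#    are the kind of job the reply suspects of touching the file).
Write-Output "`nScheduled tasks that last ran in the window:"
schtasks.exe /query /fo CSV /v 2>$null |
    ConvertFrom-Csv |
    Where-Object {
        $lastRun = [datetime]::MinValue
        [datetime]::TryParse($_.'Last Run Time', [ref]$lastRun) -and
        $lastRun -ge $start -and $lastRun -le $end
    } |
    Select-Object TaskName, 'Last Run Time', 'Task To Run' |
    Format-Table -AutoSize -Wrap

# 5. Optional clean-up if PsExec is no longer needed on this host (commented out on purpose):
#    Stop-Service PSEXESVC -ErrorAction SilentlyContinue
#    sc.exe delete PSEXESVC
#    Remove-Item $image
```

If the image is gone but the service is still registered, the service entry is an orphan pointing at a missing file and is worth deleting so it cannot be re-used; if a backup or indexing task shows up in step 4 at the alert time, that is the benign explanation the reply describes, and authorising PsExec in the SAV policy (or removing it entirely) stops the alert recurring.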