
PSEXESVC.EXE unexpectedly detected by on-access scan on client machine (SAV protected)

Morning all,

Our network consists of workstations and servers protected by SAV 9.5 with all latest updates etc., and I can confirm that all machines are protected. The workstations are also protected by Sophos Client Firewall, and our entire network is behind a hardware firewall.

I received the following message at 5am this morning (the machine in question was left on overnight):

User: NT AUTHORITY\SYSTEM

Scan: On-access

Machine: <pcname>

File "C:\Windows\PSEXESVC.EXE" belongs to adware or PUA 'PsExec' (of type Hacking tool).

I have used PsExec on this machine in the past, but I am concerned as to why it is picked up by the on-access scan, and also at such a strange time. Should I be worried? I have taken the following steps so far:

  • Checked Netstat and confirmed that no unwanted connections are there
  • Removed PSEXESVC.EXE
  • Run TrendMicro's HijackThis and confirmed no unwanted entries anywhere
  • Checked the Windows event log from around the time of the warning message; nothing interesting there
  • Triggered a SpyBot S&D scan with all latest updates, and disconnected the machine from the network as a precaution.

I understand that an application like PsExec is detected as a PUA (not technically falsely), but I am confused as to why it was detected in the on-access scan!

Thanks in advance,

Adam Sharif
