Adware/PUA False Positive for C:\Windows\WinExeSvc ??

Hi All,

Getting a lot of alerts in Adware/PUA on Enterprise Console 5.5 for WinExeSVC (C:\Windows\WinExeSvc).

First alert was at 2:51 am this morning and, as I type this, I now have 92 endpoints with the same alert.

Only seems to be affecting Windows 2008 Server and 2008 R2 at the moment.

Is this a bug/dodgy update or a change of classification?

Just wondering if I need to authorise it or hold fire to see if it's a glitch.

Thanks

Peter



This thread was automatically locked due to age.
  • Hello Dan Witz,

    not getting it on all monitored machines - it might simply not be present

    why this is getting flagged now - apparently it was (recently - as said, it was added 10 Jun) involved in some "incident", similar to PsExec. You can see that the detection for PsExec was created a long time ago, a Windows-to-Windows attack being the common scenario. It seems it could be Linux to Windows as well. N.B. this refers to the genuine winexe/winexesvc, not some rogue impostor.

    And yes, AlienVault uses it.

    Christian

  • Christian,

    You are correct, it was not on all the machines. I thought this was native, but apparently it is not part of the standard OS install.

    As I am not aware of anything that we use using this, I have removed it from the systems that were flagged.

    Thanks for the added info all.