Adware/PUA False Positive for C:\Windows\WinExeSvc ??

Hi All,

Getting a lot of alerts in Adware/PUA on Enterprise Console 5.5 for WinExeSVC (C:\Windows\WinExeSvc)

First alert was at 2:51 am this morning and as I type this I now have 92 endpoints with the same alert.

Only seems to be affecting Windows 2008 Server and 2008 R2 at the moment

Is this a bug/dodgy update or a change of classification?

Just wondering if I need to authorise it or hold fire to see if it's a glitch.

Thanks

Peter

  • Hello Peter,

    If "genuine", it is/was used to invoke Windows commands from Linux/Unix, similar to psexec (which is also classified as PUA). What is the Item name shown in the console on the Alerts and Errors tab?

    Please submit a sample. And - if you're not aware of its use and nothing breaks there's no need to authorize it, at least not before Labs have confirmed it's clean.

    Christian

  • In reply to QC:

    Hi Christian,

    On the "Alert and Error Details" tab "item detected" shows as WinExeSvc

    If I go to "Resolve Alerts and Errors" then the name is WinExeSvc, the Sub-Type is Hacking tool and the details are C:\Windows\winexesvc.exe

    Looking at an affected server the file in question is from 2016

    I did find this:

    https://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/WinExeSvc.aspx

    Which says updated 10th June 2019 - maybe Sophos have decided it's now a threat.....?

    Thanks

    Peter

  • In reply to PeterBlythe:

    Hello Peter,

    rats - missed it because I searched for winexesvc.exe ...

    It also gives the same date for "Protection available since", so it's definitely new. As said, it's similar to psexec and the classification makes sense. Interestingly the search returns a link to WinExe as Controlled Application, but the link is no longer valid.

    Please note that PUA authorization is universal, as opposed to authorization of suspicious files: the former authorizes everything that looks like e.g. WinExeSvc (under the assumption that a rogue version wouldn't be mistakenly seen as belonging to this application), whereas the latter applies to the exact version of a file.

    Personally I'd not keep it if I don't know who or what product needs it. And submitting a sample does no harm.

    Christian

  • In reply to QC:

    Thanks Christian I've submitted a sample

  • In reply to PeterBlythe:

    Hi Peter,

    We are experiencing a similar situation to you (only on a much smaller scale).

    So far, only one of our endpoints has been flagged up as having this so-called Adware/PUA present.

    Have you heard anything back from Sophos in relation to this?

    Curious thing is, I cannot see the file in the C:\Windows folder. I temporarily authorised the .exe, but haven't had a recurrence.

    Best regards,

    John P

  • In reply to PeterBlythe:

    Hi Christian,

    I have found the smoking gun

    An update is being performed on some monitoring agents; the upgrade leverages WinExeSvc as part of the process.

    That explains the sudden flood of alerts

    Thanks for your help

    Mystery solved

    Regards

    Peter

  • In reply to PeterBlythe:

    Hi Peter,

    Just out of curiosity, what monitoring agent are you guys using? Also, how were you able to tie it to the winexesvc PUA? As of this morning, we have a couple hundred instances as well. Thanks!

  • As of today I am getting a few of these myself. They were not on access, but on a scheduled scan. Though not getting it on all monitored machines? Curious why this is getting flagged now? Something in the latest update? Is there a recommended course of action? It's a Windows application, so I don't know what exactly is expected to be done about it.

  • In reply to A1315:

    Hi A1315,

    The agent is in relation to some AlienVault appliances we have.

    Had a look at the installation info they supply for the agent and they mention that it could generate false alerts for "hacking tools" as it leverages WinExe

    Regards

    Peter

  • In reply to Dan Witz:

    Hi Dan,

    Looks like Sophos have updated something in relation to this based on this that I found:

    https://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/WinExeSvc.aspx

    That's probably why it's suddenly showing up as part of a scheduled scan.

    As you say, a valid Windows app, so not a threat as such, but I suppose it could be exploited as part of an attack.

    Regards

    Peter

  • In reply to Dan Witz:

    Hello Dan Witz,

    not getting it on all monitored machines - it might simply not be present.

    why this is getting flagged now - apparently it was (recently - as said, it has been added 10 Jun) involved in some "incident", similar to PsExec. You can see that the detection for PsExec was created a long time ago, a Windows-to-Windows attack being the common scenario. It seems it could be Linux to Windows as well. N.B. this refers to the genuine winexe/winexesvc, not some rogue impostor.

    And yes, AlienVault uses it.

    Christian

  • In reply to QC:

    Christian,

    You are correct, it was not on all the machines. I thought this was native, but apparently it is not part of the standard OS install.

    As I am not aware of anything that we use using this, I have removed it from the systems that were flagged.

    Thanks for the added info all.
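
The thread turns on three questions: is winexesvc.exe actually present on a flagged host, is every copy the same binary (Christian's point that PUA authorization is universal, whereas suspicious-file authorization applies to one exact version), and is a service still registered for it after an agent update. The script below is an added example written for this page; it is not from the thread, from Sophos, or from AlienVault. It assumes the path reported in the console (C:\Windows\winexesvc.exe), assumes that the winexe helper, when installed, registers a Windows service whose binary path contains "winexesvc" (an assumption, not stated in the thread), and uses placeholder server names.

```powershell
# Added example (not from the thread, not Sophos or AlienVault code).
# Triage the WinExeSvc detection across a list of servers: does the file exist,
# when was it last written, what is its SHA-256, is it Authenticode-signed, and
# is any service registered whose binary path points at it.
# Run from a management host with PowerShell remoting enabled to the targets.
#
# Assumptions (not stated in the thread): the file path below, as reported in
# the console; that a winexe-installed helper shows up as a service whose
# PathName contains "winexesvc". 'srv-2008-01' and 'srv-2008r2-02' are placeholders.
param(
    [string[]]$ComputerName = @('localhost'),
    [string]$Path = 'C:\Windows\winexesvc.exe'
)

$probe = {
    param($Path)
    $result = [ordered]@{
        Computer  = $env:COMPUTERNAME
        Present   = $false
        LastWrite = $null
        Sha256    = $null
        Signature = $null
        Service   = $null
    }
    if (Test-Path -LiteralPath $Path) {
        $file = Get-Item -LiteralPath $Path
        $result.Present   = $true
        $result.LastWrite = $file.LastWriteTimeUtc
        $result.Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # Valid / NotSigned / HashMismatch etc.; the genuine winexe helper is typically unsigned
        $result.Signature = (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
    }
    # Report any service whose binary path references the helper (assumed naming)
    $svc = Get-CimInstance Win32_Service |
           Where-Object { $_.PathName -like '*winexesvc*' } |
           Select-Object -First 1
    if ($svc) { $result.Service = "$($svc.Name) ($($svc.State), $($svc.StartMode))" }
    [pscustomobject]$result
}

$rows = foreach ($c in $ComputerName) {
    try {
        if ($c -eq 'localhost') {
            & $probe $Path
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $probe -ArgumentList $Path -ErrorAction Stop
        }
    } catch {
        # Unreachable host or remoting failure: keep the row so the gap is visible
        [pscustomobject]@{
            Computer  = $c
            Present   = 'error'
            LastWrite = $null
            Sha256    = $null
            Signature = $null
            Service   = $_.Exception.Message
        }
    }
}

$rows | Format-Table -AutoSize

# One distinct hash across the fleet fits "one agent update dropped one binary".
# Several distinct hashes mean some copies need a closer look before any PUA
# authorization, which would cover all of them at once.
$rows | Where-Object { $_.Present -eq $true } |
        Group-Object Sha256 |
        Select-Object Count, Name |
        Format-Table -AutoSize
```

Usage: `.\Check-WinExeSvc.ps1 -ComputerName srv-2008-01, srv-2008r2-02` (placeholder names). A single hash shared by every flagged server, with a LastWrite timestamp that matches the monitoring-agent upgrade window, supports the "agent update" explanation from the thread; a host where the file is absent but the alert fired (John P's case) is what you would expect if the helper was removed after the scheduled scan. Whether to then delete the service and file, as A1315 did, depends on confirming that no product on that host (the AlienVault agent in Peter's case) still needs it.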