
Adware/PUA False Positive for C:\Windows\WinExeSvc ??

Hi All,

Getting a lot of alerts in Adware/PUA on Enterprise Console 5.5 for WinExeSVC (C:\Windows\WinExeSvc)

First alert was at 2:51 am this morning and as I type this now have 92 endpoints with the same alert.

Only seems to be affecting Windows 2008 Server and 2008 R2 at the moment.

Is this a bug/dodgy update or a change of classification?

Just wondering if I need to authorise it or hold fire to see if it's a glitch.

Thanks

Peter

  • Hello Peter,

    If "genuine", it is/was used to invoke Windows commands from Linux/Unix - similar to psexec (which is also classified as PUA). What is the Item name shown in the console on the Alerts and Errors tab?

    Please submit a sample. And - if you're not aware of its use and nothing breaks there's no need to authorize it, at least not before Labs have confirmed it's clean.

    Christian

  • Hi Christian,

    On the "Alert and Error Details" tab "item detected" shows as WinExeSvc

    If I go to "Resolve Alerts and Errors" then the name is WinExeSvc, the Sub-Type is Hacking tool, and the Details field is C:\Windows\winexesvc.exe.

    Looking at an affected server, the file in question is from 2016.

    I did find this:

    https://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/WinExeSvc.aspx

    Which says "updated 10th June 2019" - maybe Sophos have decided it's now a threat...?

    Thanks

    Peter

  • Hello Peter,

    Rats - missed it because I searched for winexesvc.exe ...
    It also gives the same date for "Protection available since", so it's definitely new. As said, it's similar to psexec and the classification makes sense. Interestingly, the search returns a link to WinExe as a Controlled Application, but the link is no longer valid.

    Please note that PUA authorization is universal, as opposed to authorization of suspicious files: the former authorizes everything that looks like e.g. WinExeSvc (under the assumption that a rogue version wouldn't be mistakenly seen as belonging to this application), whereas the latter applies to the exact version of a file.

    Personally I'd not keep it if I don't know who or what product needs it. And submitting a sample does no harm.

    Christian
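A triage pass over the alerting servers, added here as an example that is not from this thread or from Sophos: it assumes WinRM access and uses placeholder host names, and it gathers the file's hash, timestamps, signer and any service still pointing at the binary, so you can see whether every endpoint holds the same version before choosing between the PUA-wide and the per-file authorization described above.

```powershell
# Added triage example, not from the thread or from Sophos. Assumes WinRM is enabled on
# the servers and that the path the console reported is accurate. Host names are placeholders.
$servers = @('SRV01', 'SRV02')   # placeholder: replace with the alerting endpoints

$triage = {
    $path = Join-Path $env:SystemRoot 'winexesvc.exe'
    $result = New-Object PSObject -Property @{
        Host = $env:COMPUTERNAME; Present = $false; SHA256 = $null
        Created = $null; Modified = $null; SigStatus = $null; Signer = $null; Service = $null
    }
    if (Test-Path $path) {
        $result.Present  = $true
        $item = Get-Item $path
        $result.Created  = $item.CreationTimeUtc
        $result.Modified = $item.LastWriteTimeUtc
        # SHA-256 via .NET so this also runs on PowerShell 2.0, the Server 2008 R2 default
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($path)
        try     { $result.SHA256 = [BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
        finally { $stream.Close() }
        $sig = Get-AuthenticodeSignature $path
        $result.SigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
    }
    # A registered service whose binary path points at the file shows something still relies on it
    $svc = Get-WmiObject Win32_Service | Where-Object { $_.PathName -match 'winexesvc' }
    if ($svc) {
        $result.Service = ($svc | ForEach-Object { "$($_.Name) ($($_.State), start=$($_.StartMode))" }) -join '; '
    }
    $result
}

$rows = Invoke-Command -ComputerName $servers -ScriptBlock $triage
$rows | Select-Object Host, Present, SHA256, Created, Modified, SigStatus, Signer, Service |
    Format-Table -AutoSize

# One distinct hash across hosts means a single version is in play; several means each
# version needs its own sample submitted, since a per-file authorization covers only one.
$rows | Where-Object { $_.Present } | Group-Object SHA256 | Select-Object Count, Name
```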
