Getting a lot of alerts in Adware/PUA on Enterprise Console 5.5 for WinExeSVC (C:\Windows\WinExeSvc)
First alert was at 2:51 am this morning and as I type this now have 92 endpoints with the same alert.
Only seems to be affecting Windows 2008 Server and 2008 R2 at the moment
Is this a bug/dodgy update or a change of classification?
Just wondering if I need to authorise it or hold fire to see if it's a glitch.
If "genuine", it is/was used to invoke Windows commands from Linux/Unix - similar to psexec (which is also classified as PUA). What is the Item name shown in the console on the Alerts and Errors tab?
Please submit a sample. And - if you're not aware of its use and nothing breaks there's no need to authorize it, at least not before Labs have confirmed it's clean.
In reply to QC:
On the "Alert and Error Details" tab "item detected" shows as WinExeSvc
If I go to "Resolve Alerts and Errors" then the name is WinExeSvc, Sub-Type is Hacking tool and details is C:\Windows\winexesvc.exe
Looking at an affected server the file in question is from 2016
I did find this:
Which says updated 10th June 2019 - maybe Sophos have decided it's now a threat...?
In reply to PeterBlythe:
Rats - missed it because I searched for winexesvc.exe... It also gives the same date for "Protection available since", so it's definitely new. As said, it's similar to psexec and the classification makes sense. Interestingly, the search returns a link to WinExe as a Controlled Application, but the link is no longer valid. Please note that PUA authorization is universal as opposed to authorization of suspicious files, i.e. the former authorizes everything that looks like e.g. WinExeSvc (under the assumption that a rogue version wouldn't be mistakenly seen as belonging to this application), whereas the latter applies to the exact version of a file.
Personally I'd not keep it if I don't know who or what product needs it. And submitting a sample does no harm.
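To act on the advice above (check where the file actually is, and get a hash for the sample submission before deciding on PUA authorization), here is an added triage script; it is not from this thread or from Sophos. It assumes the path reported in the console (C:\Windows\winexesvc.exe) and that winexe registers a service named "winexesvc" on the target, which is an assumption to confirm locally.

```powershell
# Added triage script (not from the thread). Assumes the path from the
# Enterprise Console alert and a service name of "winexesvc" (assumption).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$triage = {
    $path = Join-Path $env:SystemRoot 'winexesvc.exe'   # C:\Windows\winexesvc.exe
    $result = [ordered]@{
        Computer      = $env:COMPUTERNAME
        Present       = Test-Path $path
        LastWriteTime = $null   # thread reports a 2016 file on affected servers
        SHA256        = $null   # include in the sample submission to Labs
        Signature     = $null   # Authenticode status; NotSigned is expected for winexe
        Service       = $null   # service left behind by a winexe run, if any
    }
    if ($result.Present) {
        $item = Get-Item $path
        $result.LastWriteTime = $item.LastWriteTime
        $result.SHA256        = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $result.Signature     = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    $svc = Get-Service -Name 'winexesvc' -ErrorAction SilentlyContinue
    if ($svc) { $result.Service = "$($svc.Status)" }
    [pscustomobject]$result
}

# Run locally or over PowerShell remoting for each server that raised the alert
$report = foreach ($c in $ComputerName) {
    if ($c -eq $env:COMPUTERNAME) { & $triage }
    else { Invoke-Command -ComputerName $c -ScriptBlock $triage -ErrorAction Continue }
}
$report | Format-Table -AutoSize
```

Get-FileHash needs PowerShell 4.0 or later, so on a 2008-era server without it substitute `certutil -hashfile C:\Windows\winexesvc.exe SHA256`.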
Thanks Christian, I've submitted a sample.
We are experiencing a similar situation to you (only on a much smaller scale).
So far, only one of our endpoints has been flagged up as having this so-called Adware/PUA present.
Have you heard anything back from Sophos in relation to this?
Curious thing is, I cannot see the file in the C:\Windows folder. I temporarily authorised the .exe, but haven't had a recurrence.
I have found the smoking gun.
An update is being performed on some monitoring agents; the upgrade leverages WinExeSvc as part of the process.
That explains the sudden flood of alerts.
Thanks for your help
Just out of curiosity, what monitoring agent are you guys using? Also, how were you able to tie it to the winexesvc PUA? As of this morning, we have a couple hundred instances as well. Thanks!
As of today am getting a few of these myself. They were not on access, but on a scheduled scan. Though not getting it on all monitored machines? Curious why this is getting flagged now? Something in the latest update? Is there a recommended course of action? It's a Windows application, so don't know what is exactly expected to be done about it.
In reply to A1315:
The agent is in relation to some AlienVault appliances we have.
Had a look at the installation info they supply for the agent, and they mention that it could generate false alerts for "hacking tools" as it leverages WinExe.
In reply to Dan Witz:
Looks like Sophos have updated something in relation to this based on this that I found:
That's probably why it's suddenly showing up as part of a scheduled scan.
As you say, a valid Windows app, so not a threat as such, but I suppose it could be exploited as part of an attack.
Hello Dan Witz,
"not getting it on all monitored machines" - it might simply not be present. "why this is getting flagged now" - apparently it was (recently - as said, it has been added 10 Jun) involved in some "incident", similar to PsExec. You can see that the detection for PsExec was created a long time ago - a Windows to Windows attack being the common scenario. Seems it could be Linux to Windows as well. N.B. this refers to the genuine winexe/winexesvc, not some rogue impostor.
And yes, AlienVault uses it.
You are correct, it was not on all the machines. I thought this was native, but apparently it is not part of the standard OS install.
As I am not aware of anything we use that uses this, I have removed it from the systems that were flagged.
Thanks for the added info all.