
Adware/PUA False Positive for C:\Windows\WinExeSvc ??

Hi All,

Getting a lot of alerts in Adware/PUA on Enterprise Console 5.5 for WinExeSVC (C:\Windows\WinExeSvc)

First alert was at 2:51 am this morning and as I type this now have 92 endpoints with the same alert.

Only seems to be affecting Windows 2008 Server and 2008 R2 at the moment

Is this a bug/dodgy update or a change of classification?

Just wondering if I need to authorise it or hold fire to see if it's a glitch.

Thanks

Peter



  • Hello Peter,

    if "genuine", it is/was used to invoke Windows commands from Linux/Unix - similar to psexec (which is also classified as PUA). What is the Item name shown in the console on the Alerts and Errors tab?

    Please submit a sample. And - if you're not aware of its use and nothing breaks there's no need to authorize it, at least not before Labs have confirmed it's clean.

    Christian

  • Hi Christian,

    On the "Alert and Error Details" tab "item detected" shows as WinExeSvc

    If I go to "Resolve Alerts and Errors" then the name is WinExeSvc, Sub-Type is Hacking tool and details is C:\Windows\winexesvc.exe

    Looking at an affected server the file in question is from 2016

    I did find this:

    https://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/WinExeSvc.aspx

    Which says updated 10th June 2019 - maybe Sophos have decided it's now a threat.....?

    Thanks

    Peter

  • Hello Peter,

    rats - missed it because I searched for winexesvc.exe ...
    It also gives the same date for Protection available since so it's definitely new. As said, it's similar to psexec and the classification makes sense. Interestingly the search returns a link to WinExe as Controlled Application but the link is no longer valid. Please note that PUA authorization is universal as opposed to authorization of suspicious files, i.e. the former authorizes everything that looks like e.g. WinExeSvc (under the assumption that a rogue version wouldn't be mistakenly seen as belonging to this application) whereas the latter applies to the exact version of a file.

    Personally I'd not keep it if I don't know who or what product needs it. And submitting a sample does no harm.

    Christian
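    Christian's distinction between authorizing a PUA by its classification name and authorizing a suspicious file by its exact version can be made concrete. The following Python is an added example written for this thread, not Sophos code and not a model of how Enterprise Console stores authorizations; the file images, endpoint names and the use of SHA-256 as the "exact version" identity are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Detection:
    """One Adware/PUA alert as a console might report it (constructed)."""
    endpoint: str
    path: str
    pua_name: str      # classification name, e.g. "WinExeSvc"
    content: bytes     # bytes of the flagged file, used only to derive its hash


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class AuthorizationPolicy:
    """Two allow-lists with different scopes.

    pua_names:   authorizing a PUA classification clears every file the scanner
                 attributes to that classification, whatever its contents.
    file_hashes: authorizing a suspicious file clears one exact version only.
    """
    pua_names: set = field(default_factory=set)
    file_hashes: set = field(default_factory=set)

    def authorize_pua(self, name: str) -> None:
        self.pua_names.add(name)

    def authorize_file(self, content: bytes) -> None:
        self.file_hashes.add(sha256_hex(content))

    def decide(self, d: Detection) -> tuple:
        """Return (allowed, reason) for one detection."""
        if d.pua_name in self.pua_names:
            return True, f"PUA '{d.pua_name}' authorized (name scope)"
        if sha256_hex(d.content) in self.file_hashes:
            return True, "exact file version authorized (hash scope)"
        return False, "alert stands"


# Constructed sample files: the build the known agent upgrade ships, and a
# hypothetical different build that the scanner also classifies as WinExeSvc.
KNOWN_BUILD = b"winexesvc-known-build-constructed-sample"
OTHER_BUILD = b"winexesvc-different-build-constructed-sample"

# Constructed alerts, not real console output.
ALERTS = [
    Detection("SRV-2008-01", r"C:\Windows\winexesvc.exe", "WinExeSvc", KNOWN_BUILD),
    Detection("SRV-2008-02", r"C:\Windows\winexesvc.exe", "WinExeSvc", KNOWN_BUILD),
    Detection("SRV-2008R2-09", r"C:\Windows\winexesvc.exe", "WinExeSvc", OTHER_BUILD),
]


def compare_scopes(alerts=ALERTS):
    """Apply both scopes to the same alerts; return which endpoints each clears."""
    by_name = AuthorizationPolicy()
    by_name.authorize_pua("WinExeSvc")

    by_hash = AuthorizationPolicy()
    by_hash.authorize_file(KNOWN_BUILD)

    return {
        "pua_scope": sorted(a.endpoint for a in alerts if by_name.decide(a)[0]),
        "file_scope": sorted(a.endpoint for a in alerts if by_hash.decide(a)[0]),
    }


if __name__ == "__main__":
    for scope, cleared in compare_scopes().items():
        print(scope, "clears", cleared)
```

    The name-scoped policy clears the unknown build on the third endpoint along with the two known ones, which is exactly the exposure Christian describes; the hash-scoped policy clears only the version you actually inspected, at the cost of having to repeat the authorization whenever the agent installer ships a new build.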

  • Thanks Christian, I've submitted a sample.

  • Hi Peter,

    We are experiencing a similar situation to you (only on a much smaller scale).

    So far, only one of our endpoints has been flagged up as having this so-called Adware/PUA present.

    Have you heard anything back from Sophos in relation to this?

    Curious thing is, I cannot see the file in the C:\Windows folder. I temporarily authorised the .exe, but haven't had a recurrence.

    Best regards,

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • Hi Christian,

    I have found the smoking gun.

    An update is being performed on some monitoring agents; the upgrade leverages WinExeSvc as part of the process.

    That explains the sudden flood of alerts.

    Thanks for your help.

    Mystery solved.

    Regards

    Peter

  • Hi Peter,

    Just out of curiosity, what monitoring agent are you guys using? Also, how were you able to tie it to the winexesvc PUA? As of this morning, we have a couple hundred instances as well. Thanks!

  • Hi A1315,

    The agent is in relation to some AlienVault appliances we have.

    Had a look at the installation info they supply for the agent, and they mention that it could generate false alerts for "hacking tools" as it leverages WinExe.

    Regards

    Peter