On-Premise Endpoint

Sophos Enterprise Console Adware/PUA False Positive for C:\Windows\WinExeSvc ??

On-Premise Endpoint requires membership for participation - click to join

Thread Info

State Suggested Answer
+3 person also asked this people also asked this
Locked Locked
Replies 12 replies
Answers 1 answer
Subscribers 8 subscribers
Views 16317 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Adware/PUA False Positive for C:\Windows\WinExeSvc ??

PeterBlythe over 4 years ago

Hi All,

Getting a lot of alerts in Adware/PUA on Enterprise Console 5.5 for WinExeSVC (C:\Windows\WinExeSvc)

First alert was at 2:51 am this morning and as I type this now have 92 endpoints with the same alert.

Only seems to be affecting Windows 2008 Server and 2008 R2 at the moment

Is this a bug/dodgy update or a change of classification?

Just wondering if I need to authorise it or hold fire to see if it's a glitch.

Thanks

Peter

This thread was automatically locked due to age.

Parents

0 Dan Witz over 4 years ago

As of today am getting a few of these myself. They were not on access, but on a scheduled scan. Though not getting it on all monitored machines? Curious why this is getting flagged now? Something in the latest update? Is there a recommended course of action? It's a Windows application, so don't know what is exactly expected to be done about it.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Dan Witz over 4 years ago

As of today am getting a few of these myself. They were not on access, but on a scheduled scan. Though not getting it on all monitored machines? Curious why this is getting flagged now? Something in the latest update? Is there a recommended course of action? It's a Windows application, so don't know what is exactly expected to be done about it.
Cancel
Vote Up 0 Vote Down

Cancel

Children

+1 PeterBlythe over 4 years ago in reply to Dan Witz

Hi Dan,

Looks like Sophos have updated something in relation to this based on this that I found:

https://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/WinExeSvc.aspx

That's probably why it's suddenly showing up as part of a scheduled scan.

As you say a valid windows app so not a threat as such but I suppose it could be exploited as part of an attack.

Regards

Peter
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 4 years ago in reply to Dan Witz

Hello Dan Witz,

not getting it on all monitored machines - it might simply not be present
why this is getting flagged now - apparently it was (recently - as said it has been added 10 Jun) involved in some "incident", similar to PsExec. You can see that the detection for PsExec has been created a long time ago - a Windows to Windows attack the common scenario. Seems it could be Linux to Windows as well. N.B. this refers to the genuine winexe/winexesvc, not some rogue impostor.

And yes, AlienVault uses it.

Christian
Cancel
Vote Up 0 Vote Down

Cancel
0 Dan Witz over 4 years ago in reply to QC

Christian,

You are correct it was not on all the machines. I thought this was native, but apparently not part of the standard OS install.

As I am not aware of anything that we use using this, I have removed it from the systems that were flagged.

Thanks for the added info all.
Cancel
Vote Up 0 Vote Down

Cancel