Adware/PUA False Positive for C:\Windows\WinExeSvc ??

Hi All,
Getting a lot of alerts in Adware/PUA on Enterprise Console 5.5 for WinExeSVC (C:\Windows\WinExeSvc)

First alert was at 2:51 am this morning and as I type this now have 92 endpoints with the same alert.

It only seems to be affecting Windows 2008 Server and 2008 R2 at the moment.

Is this a bug/dodgy update or a change of classification?

Just wondering if I need to authorise it or hold fire to see if it's a glitch.
Thanks

Peter
  • As of today I am getting a few of these myself. They were not on access, but on a scheduled scan. Though I'm not getting it on all monitored machines? Curious why this is getting flagged now? Something in the latest update? Is there a recommended course of action? It's a Windows application, so I don't know what exactly is expected to be done about it.


  • Hello Dan Witz,

    not getting it on all monitored machines - it might simply not be present
    why this is getting flagged now - apparently it was (recently; as said, it was added on 10 Jun) involved in some "incident", similar to PsExec. You can see that the detection for PsExec was created a long time ago, a Windows-to-Windows attack being the common scenario. It seems it could be Linux to Windows as well. N.B. this refers to the genuine winexe/winexesvc, not some rogue impostor.

    And yes, AlienVault uses it.

    Christian
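Since the tool is only present on some hosts, the practical first step before authorising or removing it is to find out which machines actually carry it and what the binary hashes to (a genuine winexe service binary versus something else, per the note above). The script below is an added example, not code from the thread, from Sophos or from the winexe project. It assumes, as the thread does not state, that winexe drops its service binary at C:\Windows\winexesvc.exe and registers a service named winexesvc, that the account running it has admin rights on the targets, and that the ADMIN$ share and WinRM are reachable; the host names are placeholders.

```powershell
# Added example (not from the original thread): inventory which hosts carry the
# winexe service binary and service, optionally remove it, and report per host.
# Assumptions (not stated in the thread): binary at C:\Windows\winexesvc.exe,
# service name 'winexesvc', admin rights plus ADMIN$ and WinRM on the targets.

param(
    [string[]]$ComputerName = @('srv01', 'srv02'),   # hypothetical host names
    [switch]$Remove                                   # uninstall where found
)

$results = foreach ($computer in $ComputerName) {
    $binary  = "\\$computer\ADMIN$\winexesvc.exe"    # ADMIN$ maps to C:\Windows
    $svc     = Get-Service -ComputerName $computer -Name winexesvc -ErrorAction SilentlyContinue
    $present = Test-Path -LiteralPath $binary

    # Hash the binary so the same file on many hosts can be compared, and so a
    # known-good winexesvc.exe can be told apart from an unrelated file.
    $hash = if ($present) {
        (Get-FileHash -LiteralPath $binary -Algorithm SHA256).Hash
    } else { $null }

    $removed = $false
    if ($Remove -and ($present -or $svc)) {
        Invoke-Command -ComputerName $computer -ScriptBlock {
            if (Get-Service -Name winexesvc -ErrorAction SilentlyContinue) {
                Stop-Service -Name winexesvc -Force -ErrorAction SilentlyContinue
                sc.exe delete winexesvc | Out-Null
            }
            Remove-Item -LiteralPath "$env:SystemRoot\winexesvc.exe" -Force -ErrorAction SilentlyContinue
        }
        $removed = $true
    }

    [pscustomobject]@{
        Computer     = $computer
        BinaryFound  = $present
        Sha256       = $hash
        ServiceState = if ($svc) { $svc.Status.ToString() } else { 'absent' }
        Removed      = $removed
    }
}

$results | Format-Table -AutoSize
```

Run it without -Remove first and compare the SHA256 column across hosts: one hash everywhere, on machines where a Linux-side tool is known to manage them, points at a legitimately deployed winexe and an authorisation in the console; an odd hash or a host with no known reason to have it is the one to look at before deciding. Only then rerun with -Remove for the hosts you have decided to clean.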

  • Christian,

    You are correct, it was not on all the machines. I thought this was native, but apparently it is not part of the standard OS install.

    As I am not aware of anything that we use using this, I have removed it from the systems that were flagged.

    Thanks for the added info all.