PC Review - Newsgroups - Microsoft AntiSpyware - Security Signatures

False Positive?: psexec.exe

#1
Guest

Call it either a false positive or a mis-classification.

psexec.exe is a launch tool from Sysinternals used to launch processes on remote machines for which you have appropriate permissions. It cannot be used as a NAT trojan as suggested. While it can be used to launch local processes, it cannot be controlled from a remote host any more than any other app (such as cmd.exe).

#2
Guest

On Fri, 7 Jan 2005 15:57:19 -0500, Chris P. [MVP] wrote:

> Call it either a false positive or a mis-classification.
>
> psexec.exe is a launch tool from Sysinternals used to launch processes on
> remote machines for which you have appropriate permissions. It cannot be
> used as a NAT trojan as suggested. While it can be used to launch local
> processes it cannot be controlled from a remote host any more than any
> other app (such as cmd.exe).

That was RAT, not NAT.

#3
Guest

That's something like the SubSeven trojan, it's no false positive. You can make that computer crash, start viruses; that's probably what that program is made for. And if you want to have access to remote machines, better try the Remote Assistance feature in Windows XP or RealVNC (www.realvnc.com).

> -----Original Message-----
> Call it either a false positive or a mis-classification.
>
> psexec.exe is a launch tool from Sysinternals used to launch processes on
> remote machines for which you have appropriate permissions. It cannot be
> used as a NAT trojan as suggested. While it can be used to launch local
> processes it cannot be controlled from a remote host any more than any
> other app (such as cmd.exe).

#4
Guest

On Sun, 9 Jan 2005 00:40:52 -0800, Anonymous poster wrote:

> That's something like the SubSeven trojan, it's no false
> positive. You can make that computer crash, start viruses,
> that's probably what that program is made for. And if you
> want to have access to remote machines, better try the
> Remote Assistance feature in Windows XP or RealVNC
> (www.realvnc.com).

It's not what it's made for; it's made for legitimate purposes by sysinternals.com. I can make the computer crash by infecting with a custom executable, so why is psexec so special?

#5
Guest

Being listed by the program doesn't mean that this is not a legitimate commercial product installed intentionally by the user. It does mean that it fits the criteria published here:

http://support.microsoft.com/kb/892340
Microsoft Windows AntiSpyware (Beta) identifies a program as a spyware threat (Listing criteria and Dispute process)

and that, perhaps, if it were installed on your machine without your knowledge, it would be a threat. VNC, or any remote control tool that doesn't require the user's interaction and knowledge, for example.

"Chris P. [MVP]" <msdn@chrisnet.net> wrote in message news:1uot14n7xhs2y$.18frb6a80sptx$.dlg@40tude.net...
> Call it either a false positive or a mis-classification.
>
> psexec.exe is a launch tool from Sysinternals used to launch processes on
> remote machines for which you have appropriate permissions. It cannot be
> used as a NAT trojan as suggested. While it can be used to launch local
> processes it cannot be controlled from a remote host any more than any
> other app (such as cmd.exe).

#6
Guest

Whoops - forgot the last part:

So--two questions:

1) was the description of the item appropriate, in your view?

2) was the default action suggested by the tool--Ignore??--also appropriate?

"Chris P. [MVP]" <msdn@chrisnet.net> wrote in message news:1uot14n7xhs2y$.18frb6a80sptx$.dlg@40tude.net...
> Call it either a false positive or a mis-classification.
>
> psexec.exe is a launch tool from Sysinternals used to launch processes on
> remote machines for which you have appropriate permissions. It cannot be
> used as a NAT trojan as suggested. While it can be used to launch local
> processes it cannot be controlled from a remote host any more than any
> other app (such as cmd.exe).

#7
Guest

On Fri, 14 Jan 2005 14:39:30 -0500, Bill Sanderson wrote:

> Whoops - forgot the last part:
>
> So--two questions:
>
> 1) was the description of the item appropriate, in your view?

It was listed as a RemoteProcessLaunch RAT, which is only partly true. The application psexec cannot be controlled remotely, but it can launch processes on remote machines using DCOM - hence it follows Windows security for access to the remote machines. Having this file on a machine does not make a machine vulnerable in any way.

> 2) was the default action suggested by the tool--Ignore??--also appropriate?

It was flagged as a Severe threat; the suggested action was to remove. The action didn't seem appropriate, as I didn't see it as a threat at all.

I checked the criteria on the KB page you sent and I didn't see it directly meeting any of the criteria. There is a possibility that it could be being bundled with other malicious software, but I haven't seen that identified anywhere.

#8
Guest

I'm still undecided about this detection.

Pest Patrol has this to say about it:

http://www.pestpatrol.com/pestinfo/p/psexec.asp

(really not much--they just note a "potential for abuse.")

It is, in fact, a tool which can be used in investigation or mitigation of security or spyware incidents:

http://windowsir.blogspot.com/

This reference:

http://www.derkeiler.com/Newsgroups...02-09/3633.html

includes this paragraph:

---------------------------
g. This showed basically how psexec.exe works, and how dangerous it could be used when it's in the hacker's hands. psexec.exe copied the test.bat file over to the remote system, and then executed right after it was copied
---------------------------

I suspect this one is going to be like VNC: It ought to be detected, and the detection should describe the tool accurately--i.e. it ought to be attributed to Sysinternals and Mark Russinovich. It is a situation where if this tool is installed on your machine with your knowledge, all is probably fine. If you find it there and didn't know it was there, that might be cause for concern. (Although, as far as I can see--the concern is in relation to the remote system--i.e. maybe you need to know more about what some other user of your system might be up to!)

"Chris P. [MVP]" <msdn@chrisnet.net> wrote in message news:4e9szqf80zga$.1imomnt5hij22.dlg@40tude.net...
> On Fri, 14 Jan 2005 14:39:30 -0500, Bill Sanderson wrote:
>
>> Whoops - forgot the last part:
>>
>> So--two questions:
>>
>> 1) was the description of the item appropriate, in your view?
>
> It was listed as a RemoteProcessLaunch RAT, which is only partly true. The
> application psexec cannot be controlled remotely, but it can launch
> processes on remote machines using DCOM - hence it follows Windows security
> for access to the remote machines. Having this file on a machine does not
> make a machine vulnerable in any way.
>
>> 2) was the default action suggested by the tool--Ignore??--also
>> appropriate?
>
> It was flagged as a Severe threat, suggested action was to remove. The
> action didn't seem appropriate as I didn't see it as a threat at all.
>
> I checked the criteria on the KB page you sent and I didn't see it directly
> meeting any of the criteria. There is a possibility that it could be being
> bundled with other malicious software, but I haven't seen that identified
> anywhere.

#9
Guest

On Wed, 19 Jan 2005 11:00:50 -0500, Bill Sanderson wrote:

> I'm still undecided about this detection.

Thanks for the follow up. See below.

> Pest Patrol has this to say about it:
>
> http://www.pestpatrol.com/pestinfo/p/psexec.asp
>
> (really not much--they just note a "potential for abuse.")
>
> It is, in fact, a tool which can be used in investigation or mitigation of
> security or spyware incidents:
>
> http://windowsir.blogspot.com/
>
> This reference:
>
> http://www.derkeiler.com/Newsgroups...02-09/3633.html
>
> includes this paragraph:
> ---------------------------
> g. This showed basically how psexec.exe works, and how dangerous it could be
> used when it's in the hacker's hands. psexec.exe copied the test.bat file
> over to the remote system, and then executed right after it was copied
> ---------------------------
>
> I suspect this one is going to be like VNC: It ought to be detected, and
> the detection should describe the tool accurately--i.e. it ought to be
> attributed to Sysinternals and Mark Russinovich. It is a situation where if
> this tool is installed on your machine with your knowledge, all is probably
> fine. If you find it there and didn't know it was there, that might be
> cause for concern. (Although, as far as I can see--the concern is in
> relation to the remote system--i.e. maybe you need to know more about what
> some other user of your system might be up to!)

That was mostly my point. The threat isn't to the local system but rather to the systems around you. I can see a situation where if you're in a corporate LAN and the user of an infected machine is a Domain Administrator, then it could easily propagate itself rather quickly (reason #1 not to run as an Admin until required). But then again, I can do that with a few lines of code in a custom app; psexec just makes it easier for script hackers.

Definitely better information and description is required to allow the user to make an informed decision.

-Chris
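The triage rule Bill Sanderson gives in #8 (a copy you installed knowingly is fine; one you did not know was there deserves a look) together with Chris's point in #9 (the exposure is to the neighbouring systems, and it grows with the privileges of whoever is logged on) can be written down as a baseline check a defender runs over an inventory of dual-use remote-administration tools. The following Python is an added example written for this page, not code from the thread, from Microsoft AntiSpyware or from Sysinternals; the baseline, file paths, group names and file contents are constructed stand-ins, and the SHA-256 values are computed from those stand-in bytes rather than from real binaries.

```python
"""Reconcile remote-administration tools found on a host against an approved
baseline, producing an accurate description and a severity for each hit.
Added example; all data below is constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-ins for the bytes of builds you installed knowingly.
# A real baseline would hash the actual files from your software inventory.
APPROVED_CONTENT = {
    "psexec.exe": b"constructed stand-in for an approved psexec.exe build",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class BaselineEntry:
    name: str
    publisher: str            # who the detection ought to attribute it to
    approved_paths: List[str]  # where you knowingly put it


# Baseline keyed by content hash, so a renamed or relocated copy is still
# recognised as the same known build.
BASELINE: Dict[str, BaselineEntry] = {
    sha256_hex(APPROVED_CONTENT["psexec.exe"]): BaselineEntry(
        name="psexec.exe",
        publisher="Sysinternals (Mark Russinovich)",
        approved_paths=[r"c:\tools\psexec.exe"],   # constructed path
    ),
}

# Dual-use tool names that deserve a second look when they appear unplanned.
WATCHED_NAMES = {"psexec.exe"}
# Groups whose members can reach many neighbouring systems (constructed list).
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins"}


@dataclass
class Observation:
    path: str
    content: bytes
    user_groups: List[str] = field(default_factory=list)  # logged-on user's groups


@dataclass
class Verdict:
    path: str
    severity: str      # "info", "review" or "high"
    description: str


def triage(obs: Observation) -> Verdict:
    """Known build in an approved place: informational. Known build somewhere
    unexpected, or an unknown file using a watched name: needs review, and is
    high severity when the logged-on user is privileged, because the risk is
    to the systems that user can reach rather than to this host."""
    digest = sha256_hex(obs.content)
    name = obs.path.rsplit("\\", 1)[-1].lower()
    entry = BASELINE.get(digest)
    privileged = bool(PRIVILEGED_GROUPS & {g.lower() for g in obs.user_groups})
    escalated = "high" if privileged else "review"

    if entry is not None and obs.path.lower() in (p.lower() for p in entry.approved_paths):
        return Verdict(obs.path, "info",
                       f"{entry.name} by {entry.publisher}: approved install, no action")
    if entry is not None:
        return Verdict(obs.path, escalated,
                       f"{entry.name} by {entry.publisher}: known build in an unapproved location")
    if name in WATCHED_NAMES:
        return Verdict(obs.path, escalated,
                       f"file named {name} does not match any approved build; verify publisher")
    return Verdict(obs.path, "info", "not a watched remote-administration tool")


def triage_all(observations: List[Observation]) -> List[Verdict]:
    return [triage(o) for o in observations]


# Constructed observations for a demonstration run.
SAMPLE = [
    Observation(r"c:\tools\psexec.exe", APPROVED_CONTENT["psexec.exe"], ["Domain Users"]),
    Observation(r"c:\windows\temp\psexec.exe", APPROVED_CONTENT["psexec.exe"], ["Domain Admins"]),
    Observation(r"c:\users\guest\downloads\psexec.exe", b"constructed bytes of an unknown build", ["Domain Users"]),
    Observation(r"c:\windows\notepad.exe", b"constructed bytes of an unrelated program", ["Domain Admins"]),
]

if __name__ == "__main__":
    for v in triage_all(SAMPLE):
        print(f"[{v.severity:6}] {v.path}: {v.description}")
```

The description string carries the publisher attribution Bill asks for, so the operator sees "psexec.exe by Sysinternals" rather than a generic RAT label, and the severity only rises above informational when the copy is one the baseline does not account for.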

#10
Guest

"Chris P. [MVP]" <msdn@chrisnet.net> wrote in message news:k73wcus5kw2d$.5xglxfz3tn7l.dlg@40tude.net...
> On Wed, 19 Jan 2005 11:00:50 -0500, Bill Sanderson wrote:
>
>> I'm still undecided about this detection.
>
> Thanks for the follow up. See below.
>
>> Pest Patrol has this to say about it:
>>
>> http://www.pestpatrol.com/pestinfo/p/psexec.asp
>>
>> (really not much--they just note a "potential for abuse.")
>>
>> It is, in fact, a tool which can be used in investigation or mitigation
>> of security or spyware incidents:
>>
>> http://windowsir.blogspot.com/
>>
>> This reference:
>>
>> http://www.derkeiler.com/Newsgroups...02-09/3633.html
>>
>> includes this paragraph:
>> ---------------------------
>> g. This showed basically how psexec.exe works, and how dangerous it could
>> be used when it's in the hacker's hands. psexec.exe copied the test.bat file
>> over to the remote system, and then executed right after it was copied
>> ---------------------------
>>
>> I suspect this one is going to be like VNC: It ought to be detected, and
>> the detection should describe the tool accurately--i.e. it ought to be
>> attributed to Sysinternals and Mark Russinovich. It is a situation where
>> if this tool is installed on your machine with your knowledge, all is
>> probably fine. If you find it there and didn't know it was there, that
>> might be cause for concern. (Although, as far as I can see--the concern is
>> in relation to the remote system--i.e. maybe you need to know more about
>> what some other user of your system might be up to!)
>
> That was mostly my point. The threat isn't to the local system but rather
> to the systems around you. I can see a situation where if you're in a
> corporate LAN and the user of an infected machine is a Domain Administrator
> then it could easily propagate itself rather quickly (reason #1 not to run
> as an Admin until required). But then again, I can do that with a few
> lines of code in a custom app, psexec just makes it easier for script
> hackers.
>
> Definitely better information and description is required to allow the
> user to make an informed decision.
>
> -Chris

Agreed. The descriptions for VNC, for example, are clear and appropriate, I believe. This one could be improved, and posting here is one way to get these things improved. There is now a direct reporting form for false positives at ww.spynet.com --last link in the left column.