False Positive?: psexec.exe

Chris P. [MVP]

Call it either a false positive or a mis-classification.

psexec.exe is a launch tool from sysinternals used to launch processes on
remote machines for which you have appropriate permissions. It cannot be
used as a NAT trojan as suggested. While it can be used to launch local
processes it cannot be controlled from a remote host any more than any
other app (such as cmd.exe).
 
Chris P. [MVP]

> Call it either a false positive or a mis-classification.
>
> psexec.exe is a launch tool from sysinternals used to launch processes on
> remote machines for which you have appropriate permissions. It cannot be
> used as a NAT trojan as suggested. While it can be used to launch local
> processes it cannot be controlled from a remote host any more than any
> other app (such as cmd.exe).

That was RAT, not NAT. :)
 
Anonymous poster

That's something like the SubSeven trojan, it's no false
positive. You can make that computer crash, start viruses,
that's probably what that program is made for. And if you
want to have access to remote machines, better try the
remote assistance feature in Windows XP or RealVNC
(www.realvnc.com).
 
Chris P. [MVP]

> That's something like the SubSeven trojan, it's no false
> positive. You can make that computer crash, start viruses,
> that's probably what that program is made for. And if you
> want to have access to remote machines, better try the
> remote assistance feature in Windows XP or RealVNC
> (www.realvnc.com).

It's not what it's made for, it's made for legitimate purposes by
sysinternals.com. I can make the computer crash by infecting it with a custom
executable, so why is psexec so special?
 
Bill Sanderson

Being listed by the program doesn't mean that this is not a legitimate
commercial product installed intentionally by the user.

It does mean that it fits the criteria published here:

http://support.microsoft.com/kb/892340 Microsoft Windows AntiSpyware (Beta)
identifies a program as a spyware threat (Listing criteria and Dispute
process)

and that, perhaps, if it were installed on your machine without your
knowledge, it would be a threat. VNC, or any remote control tool that
doesn't require the user's interaction and knowledge, for example.
 
Bill Sanderson

Whoops - forgot the last part:

So--two questions:

1) was the description of the item appropriate, in your view?
2) was the default action suggested by the tool--Ignore??--also appropriate?
 
Chris P. [MVP]

> Whoops - forgot the last part:
>
> So--two questions:
>
> 1) was the description of the item appropriate, in your view?

It was listed as a RemoteProcessLaunch RAT, which is only partly true. The
application psexec cannot be controlled remotely, but it can launch
processes on remote machines using DCOM - hence it follows Windows security
for access of the remote machines. Having this file on a machine does not
make a machine vulnerable in any way.
> 2) was the default action suggested by the tool--Ignore??--also appropriate?

It was flagged as a Severe threat, suggested action was to remove. The
action didn't seem appropriate as I didn't see it as a threat at all.

I checked the criteria on the KB page you sent and I didn't see it directly
meeting any of the criteria. There is a possibility that it could be
bundled with other malicious software, but I haven't seen that identified
anywhere.
 
Bill Sanderson

I'm still undecided about this detection.

Pest Patrol has this to say about it:

http://www.pestpatrol.com/pestinfo/p/psexec.asp

(really not much--they just note a "potential for abuse.")

It is, in fact, a tool which can be used in investigation or mitigation of
security or spyware incidents:

http://windowsir.blogspot.com/

This reference:

http://www.derkeiler.com/Newsgroups/microsoft.public.security/2002-09/3633.html

includes this paragraph:
---------------------------
g. This showed basically how psexec.exe work, and how dangerous it could be
used when it's on the hacker's hand. psexec.exe copied the test.bat file
over to the remote system, and then executed right after it was copied
---------------------------

I suspect this one is going to be like VNC: It ought to be detected, and
the detection should describe the tool accurately--i.e. it ought to be
attributed to Sysinternals and Mark Russinovich. It is a situation where if
this tool is installed on your machine with your knowledge, all is probably
fine. If you find it there and didn't know it was there, that might be
cause for concern. (Although, as far as I can see--the concern is in
relation to the remote system--i.e. maybe you need to know more about what
some other user of your system might be up to!)
 
Chris P. [MVP]

> I'm still undecided about this detection.

Thanks for the follow up. See below.
> Pest Patrol has this to say about it:
>
> http://www.pestpatrol.com/pestinfo/p/psexec.asp
>
> (really not much--they just note a "potential for abuse.")
>
> It is, in fact, a tool which can be used in investigation or mitigation of
> security or spyware incidents:
>
> http://windowsir.blogspot.com/
>
> This reference:
>
> http://www.derkeiler.com/Newsgroups/microsoft.public.security/2002-09/3633.html
>
> includes this paragraph:
> ---------------------------
> g. This showed basically how psexec.exe work, and how dangerous it could be
> used when it's on the hacker's hand. psexec.exe copied the test.bat file
> over to the remote system, and then executed right after it was copied
> ---------------------------
>
> I suspect this one is going to be like VNC: It ought to be detected, and
> the detection should describe the tool accurately--i.e. it ought to be
> attributed to Sysinternals and Mark Russinovich. It is a situation where if
> this tool is installed on your machine with your knowledge, all is probably
> fine. If you find it there and didn't know it was there, that might be
> cause for concern. (Although, as far as I can see--the concern is in
> relation to the remote system--i.e. maybe you need to know more about what
> some other user of your system might be up to!)

That was mostly my point. The threat isn't to the local system but rather
to the systems around you. I can see a situation where if you're in a
corporate LAN and the user of an infected machine is a Domain Administrator
then it could easily propagate itself rather quickly (reason #1 not to run
as an Admin until required). But then again, I can do that with a few
lines of code in a custom app, psexec just makes it easier for script
hackers.

Definitely better information and description is required to allow the user
to make an informed decision.

-Chris
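A practical check that follows from the point made above, that the risk is to the systems around you rather than to the host that happens to have psexec.exe on it: look on the targets for the trace PsExec leaves when it launches a remote process. The Python below is an added example written for this page; it is not from the thread and not Sysinternals code. It relies on PsExec's mechanics (connect to the target's ADMIN$ share, drop a service binary there, register and start a service named PSEXESVC, which the Service Control Manager records as System-log event 7045, "A service was installed in the system"). The sample log lines are constructed, the pipe-separated export format is assumed, and the rule that flags any service whose binary sits loose in the ADMIN$ root (to catch a service renamed with PsExec's -r option) is a heuristic of mine, not something the thread states.

```python
"""Hunt for PsExec-style remote service installs in an exported Windows System log.

Added illustration for this thread; not Sysinternals code and not from the
original posts.  It relies on PsExec reaching the target over the ADMIN$ share
(which maps to %SystemRoot%), dropping its service binary there and
registering a service, by default named PSEXESVC, which Windows logs as
System event 7045.  The ADMIN$-root heuristic for renamed services (PsExec -r)
is an assumption, and the log lines below are constructed, not captured.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed export, one record per line: EventID|Timestamp|Host|Message.
# The 7045 message fields mirror the real event's labels; they are separated
# here by two spaces so that each record stays on one line.
SAMPLE_LOG = r"""
7045|2005-04-02T10:14:03|FILESRV01|Service Name: PSEXESVC  Service File Name: %SystemRoot%\PSEXESVC.exe  Service Type: user mode service  Service Start Type: demand start  Service Account: LocalSystem
7045|2005-04-02T10:15:40|FILESRV01|Service Name: BackupAgent  Service File Name: C:\Program Files\Backup\agent.exe  Service Type: user mode service  Service Start Type: auto start  Service Account: LocalSystem
7045|2005-04-02T10:17:12|WKSTN07|Service Name: admsvc  Service File Name: %SystemRoot%\admsvc.exe  Service Type: user mode service  Service Start Type: demand start  Service Account: LocalSystem
7036|2005-04-02T10:17:13|WKSTN07|The admsvc service entered the running state.
""".strip()

# Image paths directly in the ADMIN$ root (%SystemRoot%, no subfolder), either
# as the local path or as a UNC path through the share itself.
ADMIN_SHARE_ROOT = re.compile(
    r"^(?:%systemroot%|c:\\windows|\\\\[^\\]+\\admin\$)\\[^\\]+$"
)


@dataclass
class Finding:
    host: str
    when: str
    service: str
    image: str
    severity: str
    reason: str


def parse_7045(message: str) -> dict[str, str]:
    """Split a 7045 message into its 'Label: value' fields."""
    fields: dict[str, str] = {}
    for chunk in re.split(r"\s{2,}", message.strip()):
        label, sep, value = chunk.partition(": ")
        if sep:
            fields[label] = value.strip()
    return fields


def in_admin_share_root(image: str) -> bool:
    """True if the service binary sits loose in the ADMIN$ root directory."""
    return ADMIN_SHARE_ROOT.match(image.strip('"').lower()) is not None


def hunt_psexec(log_text: str) -> list[Finding]:
    """Return one Finding per service install that looks like a PsExec drop."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        event_id, when, host, message = line.split("|", 3)
        if event_id != "7045":          # only service-install records matter here
            continue
        fields = parse_7045(message)
        name = fields.get("Service Name", "")
        image = fields.get("Service File Name", "")
        if name.upper() == "PSEXESVC":
            findings.append(Finding(host, when, name, image, "high",
                                    "default PsExec service name"))
        elif in_admin_share_root(image):
            # Heuristic (assumption): legitimate installers rarely register a
            # service whose binary lies loose in %SystemRoot%; PsExec -r and
            # clones of it do exactly that.
            findings.append(Finding(host, when, name, image, "medium",
                                    "service binary dropped in ADMIN$ root"))
    return findings


def hosts_touched(findings: list[Finding]) -> list[str]:
    """Targets that received a remote service install, in first-seen order."""
    seen: list[str] = []
    for finding in findings:
        if finding.host not in seen:
            seen.append(finding.host)
    return seen


if __name__ == "__main__":
    hits = hunt_psexec(SAMPLE_LOG)
    for f in hits:
        print(f"{f.when} {f.host:10} {f.severity:6} {f.service:12} {f.image}  ({f.reason})")
    print("hosts touched:", ", ".join(hosts_touched(hits)))
```

Run as-is it reports the PSEXESVC install on FILESRV01 and the renamed-looking admsvc install on WKSTN07, and leaves the backup agent alone; point hunt_psexec at a real export reshaped into the same four pipe-separated fields to do the same against live data. Note that 7045 names the account the service runs as, not the account that installed it; the Security log's 4697 event ("A service was installed in the system") carries the installing subject, which is what you would pivot on to find the Domain Administrator session described above.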
 
Bill Sanderson

Chris P. said:
> Thanks for the follow up. See below.
>
> That was mostly my point. The threat isn't to the local system but rather
> to the systems around you. I can see a situation where if you're in a
> corporate LAN and the user of an infected machine is a Domain Administrator
> then it could easily propagate itself rather quickly (reason #1 not to run
> as an Admin until required). But then again, I can do that with a few
> lines of code in a custom app, psexec just makes it easier for script
> hackers.
>
> Definitely better information and description is required to allow the user
> to make an informed decision.
>
> -Chris

Agreed. The descriptions for VNC, for example, are clear and appropriate,
I believe. This one could be improved, and posting here is one way to get
these things improved.

There is now a direct reporting form for false positives at
ww.spynet.com --last link in the left column.
 
Chris P. [MVP]

> Agreed. The descriptions for VNC, for example, are clear and appropriate,
> I believe. This one could be improved, and posting here is one way to get
> these things improved.
>
> There is now a direct reporting form for false positives at
> ww.spynet.com --last link in the left column.

Thanks for the link, I submitted the form.
 
