I'm seeing quite a few alerts detecting winexesvc.exe as w32.hack.tool.winexe this morning.
Is this a false positive? It popped up on an otherwise inactive PC after the overnight Windows updates.
Anyone else seeing this?
Best answer by JesseBropez
Is a rollback/restore needed?
I'm also getting a lot of these detections on protected endpoints. The files are being quarantined but I would like to know the main cause or if any preventive measures can be set in place to lower the alerts.
I also saw on the web that these could be generated by a Linux server pushing files to a Windows machine... what are your thoughts?
These alerts started for me around yesterday morning and they've escalated up to this time. This threat is not Windows OS specific as I've had alerts from both Windows 7 and Windows server OS.
Please submit a ticket to our Support Team so they can review the logs to make a proper determination.
Same is happening here. We have found out that our Unitrends Backup Appliance is using winexesvc.exe to push updates out to computers it is backing up. Just a heads up to other people wondering how the application got there.
This file "winexesvc.exe" is related to the Windows Subsystem for Linux feature and allows remote commands to be sent to all systems in a network. Because of the enormous potential for it to be used maliciously, Webroot has classified this file as malicious, since it is potentially unsafe. If this program is needed in your environment, you may create an override and restore it from Webroot's quarantine via the Webroot Console.
For steps to override this file, please visit the link below.
Please let us know if we can explain anything in further detail.
Webroot Advanced Malware Removal Team
Is this happening because Windows 10 is extending the Linux subsystem feature with newer versions?
The appliance is attempting to push to a Win 2012-R2 Server...
PRETTY_NAME="RecoveryOS 7 (Core)"