Correct and a lot of AV do quarantine or delete it. Part of my point, and one that Mr Russinovich makes repeatedly, is that the program requires admin privileges to run in the first place.
Heck may as well quote him directly-

"A last security note relates to viruses. Several viruses use PsExec to propagate within a network, and as a result, several major antivirus products flag PsExec as a Trojan horse program or a worm. Remember that PsExec works on remote systems only if it runs within an account that has administrator group membership on the remote system. In other words, unless the account from which you run it has administrative access to a remote system, PsExec won't be able to execute a process on the remote system. In addition, PsExec's functionality can be achieved in other ways; thus, PsExec is only a convenience for virus writers, who could otherwise easily implement the functionality that PsExec provides."

http://windowsitpro.com/Windows/Articles/ArticleID/42919/pg/2/2.html

From: James Rankin [mailto:[email protected]]
Sent: Tuesday, September 22, 2009 12:11 PM
To: NT System Admin Issues
Subject: Re: PSExec starting stopping

It could be a virus. Psexec and some other batch file stalwarts made an appearance in a virus a few years ago. A lot of AV may still show psexec as a threat

2009/9/22 David W. McSpadden <[email protected]>

Yeah but it is voodoo if I am not the one sending the commands....

----- Original Message -----
From: Free, Bob <mailto:[email protected]>
To: NT System Admin Issues <mailto:[email protected]>
Sent: Tuesday, September 22, 2009 12:41 PM
Subject: RE: PSExec starting stopping

Psexec installs itself as a service on the fly and uninstalls automatically (most of the time) when it's completed whatever you had it do with a clean exit. Always has. If you check the SCM while it is doing something, you will see it running under the credentials you specified on the command line. Same for PSKill and some of Mark's other utilities. That's how he accomplishes some of the remote magic..of course running them as Local System when necessary also helps.

:)

"PsExec starts an executable on a remote system and controls the input and output streams of the executable's process so that you can interact with the executable from the local system. PsExec does so by extracting from its executable image an embedded Windows service named Psexesvc and copying it to the Admin$ share of the remote system. PsExec then uses the Windows Service Control Manager API, which has a remote interface, to start the Psexesvc service on the remote system"

http://windowsitpro.com/Windows/Articles/ArticleID/42919/pg/2/2.html

From: David W. McSpadden [mailto:[email protected]]
Sent: Tuesday, September 22, 2009 7:51 AM
To: NT System Admin Issues
Subject: PSExec starting stopping

I noticed in a member server event log this morning PSExec service stop, start, stop start??? I don't remember installing PSExec on this machine especially as a service???

<Flame:ON>

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
http://raythestray.blogspot.com
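
An added example, not part of the original thread or written by any of its participants: one way to find out who triggered the PsExec service starts and stops described above, by pairing the Service Control Manager events with network logons recorded just before them. It assumes Windows Server 2008 or later event IDs (7036, 7045, 4624), English event messages, logon auditing enabled, and a hypothetical server name `MEMBERSRV01`.

```powershell
# Added example: trace PsExec service activity on a member server.
param(
    [string]$ComputerName  = 'MEMBERSRV01',  # hypothetical server name
    [int]$Days             = 7,              # how far back to search
    [int]$WindowSeconds    = 60              # logon look-back before each service event
)

$since = (Get-Date).AddDays(-$Days)

# Service Control Manager: 7045 = service installed, 7036 = service changed state.
$scm = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7036, 7045; StartTime = $since
} | Where-Object { $_.Message -match 'psexe' } | Sort-Object TimeCreated

$report = foreach ($e in $scm) {
    $logons = @()
    if ($e.Id -eq 7045 -or $e.Message -match 'running') {
        # PsExec needs an administrative network logon (type 3) to reach Admin$
        # and the remote SCM, so list the accounts that logged on just before.
        $logons = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4624
            StartTime = $e.TimeCreated.AddSeconds(-$WindowSeconds)
            EndTime   = $e.TimeCreated
        } | ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d.LogonType -eq '3') {
                '{0}\{1} from {2}' -f $d.TargetDomainName, $d.TargetUserName, $d.IpAddress
            }
        } | Sort-Object -Unique
    }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        Id            = $e.Id
        Event         = ($e.Message -split "`r?`n")[0]
        NetworkLogons = $logons -join '; '
    }
}

$report | Format-Table -AutoSize -Wrap

# The service binary is copied to Admin$ and removed on a clean exit;
# a copy still present means a session is active or did not exit cleanly.
if (Test-Path "\\$ComputerName\Admin`$\PSEXESVC.exe") {
    Write-Warning "PSEXESVC.exe is present in Admin`$ on $ComputerName"
}
```

Reading the Security log requires administrative rights on the target, and an empty NetworkLogons column means either no type 3 logon fell inside the window or logon auditing is off.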
