Endpoint Detection and Response (EDR)


Support Perspective: PUA.Winexe 

Jun 07, 2017 06:08 PM

In May of 2017, Symantec added a Risk detection for the tool Winexe.

Winexe is a Linux-based application that allows commands to be executed remotely on Windows-based operating systems. It installs a service on the remote system, executes the command, and can then uninstall the service. Winexe allows execution of most Windows shell commands. Although this tool has many legitimate applications, its use in security incidents is prevalent enough for us to provide controls in our Potentially Unwanted Application (PUA) category.
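A defender-side check for the install, execute, uninstall service pattern described above, added here as an illustration and not Symantec's own detection logic. The record format, the "ServiceRemoved" event, the ADMIN$-root heuristic and the service name in the constructed sample are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records in a simplified EDR-style format (not real telemetry).
# Event 7045 is the real Windows System-log "a service was installed" event; the
# "ServiceRemoved" record is an assumed EDR-agent event, since Windows does not log
# service deletion under a dedicated System event ID. Service names are made up.
SAMPLE_EVENTS = [
    {"time": "2017-05-29T10:00:01", "event": 7045, "host": "FS01",
     "service": "winexesvc", "image": r"C:\Windows\winexesvc.exe"},
    {"time": "2017-05-29T10:00:03", "event": "ServiceRemoved", "host": "FS01",
     "service": "winexesvc"},
    {"time": "2017-05-29T10:05:00", "event": 7045, "host": "FS01",
     "service": "BackupAgent", "image": r"C:\Program Files\Backup\agent.exe"},
    {"time": "2017-05-29T11:00:00", "event": 7045, "host": "WS22",
     "service": "TmpSvc", "image": r"C:\Windows\tmpsvc.exe"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_transient_services(events, max_lifetime=timedelta(minutes=5)):
    """Return (host, service, lifetime_seconds, image) for services that were
    installed and then removed within max_lifetime: the install-execute-uninstall
    pattern of remote-execution tools such as Winexe. Installs that were never
    removed are reported with lifetime None only when the binary sits directly in
    the Windows directory root (the ADMIN$ share), which is where such tools tend
    to drop their service executable; that heuristic is an assumption."""
    pending = {}  # (host, service) -> install record awaiting a removal
    hits = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        key = (ev["host"], ev["service"])
        if ev["event"] == 7045:
            pending[key] = ev
        elif ev["event"] == "ServiceRemoved" and key in pending:
            inst = pending.pop(key)
            life = (_ts(ev["time"]) - _ts(inst["time"])).total_seconds()
            if life <= max_lifetime.total_seconds():
                hits.append((ev["host"], ev["service"], life, inst["image"]))
    # Installs with no matching removal: flag only those dropped into C:\Windows\
    for (host, svc), inst in pending.items():
        folder = inst["image"].rsplit("\\", 1)[0].lower()
        if folder == r"c:\windows":
            hits.append((host, svc, None, inst["image"]))
    return hits


if __name__ == "__main__":
    for hit in find_transient_services(SAMPLE_EVENTS):
        print("suspicious service:", hit)
```

A short-lived service alone is not proof of misuse; the hit should be correlated with the logon that performed the install before any risk decision is made.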

Apart from its legitimate uses, Winexe can be and has been used for network traversal attacks as part of the Empire PowerShell toolkit, and it was also known to have been used in the 2015 attack on the German Parliament.

The 2017 Internet Security Threat Report discusses the rise of many similar “dual use” tools to breach and traverse enterprise environments.

Detection information:

Detection for PUA.Winexe and its heuristic counterpart PUA.Winexe!g1 was initially provided in virus definitions on May 29, 2017, revision 006.

PUA management and Risk acceptance:

Risk detections have the important distinction of not being inherently malicious, and they allow a greater degree of risk acceptance within many Symantec products.

For a full list of Risks and categories of Risks detected by Symantec please see:

For more information on exclusions please see:
