scrmcna asked:
PSEXESVC being detected by VirusScan

I've got a domain controller/file/print server running W2k SP4 that has McAfee VirusScan Enterprise 7.1 on it.  The last couple of weeks we've been getting the following warning: "The file C:\WINNT\system32\PSEXESVC.EXE is infected with the RemAdm-ProcLaunch Program.  Delete failed, quarantine failed. Detected using Scan engine version 4.3.20 DAT version 4410. (from Server IP 172.1.1.1 user SYSTEM running VirusScan EntSv 7.1.0 OAS)".  We've been running this virus scan on the machine for about a month or more.  There were no problems until just recently.

I know Sysinternals has some PsTools that you can use to remotely manage PCs.  There is also a service on my server called PSEXESVC that is not running and is set to manual.  I've got other W2k servers w/SP4 and none of them have this service.  I'm not finding any information about where this service came from or why it's on this particular one and not the others.  I've looked on McAfee's web site and read that it's not a virus, but a potentially dangerous program.  For one, I would like to know why this server has this service.  I didn't build this server; I need to know if I need this service and/or file.
ASKER CERTIFIED SOLUTION
oBdA
scrmcna (ASKER):
When I tested it on another computer, I was able to connect but never saw anything with the services.  I tried connecting again to the server I was having this problem with, and it worked.  When I exited, the exe was gone, and so of course was the service.
oBdA:
Just checked again; seems like it leaves the service on the system only when psexec itself got terminated unexpectedly; I had one machine where it was still present. Ran psexec against it, and afterwards it was gone. On another machine, it showed up during execution, and disappeared after the started process was done.
You can reproduce the "leftover" service by doing the following:
Open a command prompt, start a process with a psexec (without using the -d switch), for example
psexec \\somemachine -i notepad
This will open notepad. Now close the window with the command prompt. Close Notepad, and the service will still be there (start type manual).
Run psexec again, close notepad while psexec is still waiting for the execution, and the service will have disappeared.
It is from PsTools, and if someone wrote a script such as I have, it will leave a copy on machines depending on what you do and when the script runs.  The easiest thing to do is either get rid of it if you aren't doing anything or just exclude it from your virus scan.  It is annoying, but many programs that run like this are detected as spyware or viruses.
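Before excluding the file from the scanner or deleting it, an admin usually wants to know which servers actually carry the remnant and whether it is the leftover case oBdA describes (stopped service, start type manual) or a session in progress. The following PowerShell script is an added example, not code from this thread or from Sysinternals; it assumes admin rights plus WMI and admin$ access to each host, and the host names in it are placeholders.

```powershell
# Added example, not code from the thread: audit servers for PSEXESVC remnants
# and classify each finding according to the leftover behaviour described above.
# Assumes admin rights and WMI/admin$ access to each host; the names are placeholders.
param(
    [string[]]$Computers = @('dc1', 'fileserver2'),  # placeholder host names
    [switch]$Remove                                   # also delete stopped leftovers
)

foreach ($c in $Computers) {
    try {
        # psexec registers the remote service under this name while it runs
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $c `
               -Filter "Name='PSEXESVC'" -ErrorAction Stop
    } catch {
        Write-Warning "$c unreachable: $($_.Exception.Message)"; continue
    }
    # admin$ is the Windows directory (C:\WINNT on W2k), matching the path in the alert
    $file = "\\$c\admin`$\system32\PSEXESVC.EXE"
    $fileExists = Test-Path -Path $file

    if ($svc -and $svc.State -eq 'Running') {
        $verdict = 'in use: a psexec session is running right now'
    } elseif ($svc) {
        # stopped + Manual is the leftover case: the psexec client was closed before the remote process ended
        $verdict = "leftover service (StartMode=$($svc.StartMode), State=$($svc.State))"
    } elseif ($fileExists) {
        $verdict = 'stale binary with no service registered'
    } else {
        $verdict = 'clean'
    }

    # hash lets you compare the binary against the PsExec build you actually deploy
    $hash = if ($fileExists) { (Get-FileHash -Path $file -Algorithm SHA256).Hash } else { '-' }
    [pscustomobject]@{ Computer = $c; Verdict = $verdict; BinaryPath = $file; SHA256 = $hash }

    # never delete while a session is active; otherwise remove the service and the binary
    if ($Remove -and -not ($svc -and $svc.State -eq 'Running')) {
        if ($svc)        { [void]$svc.Delete() }
        if ($fileExists) { Remove-Item -Path $file -Force }
    }
}
```

Get-FileHash needs PowerShell 4 or later on the machine running the audit; the targets themselves only need WMI reachable.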