Channel: Symantec Connect - Products - Articles

Support Perspective: PUA.Winexe


In May of 2017, Symantec added a RISK detection for the tool Winexe.

Winexe is a Linux-based application that allows commands to be executed remotely on Windows-based operating systems. It installs a service on the remote system, executes the command, and can then uninstall the service. Winexe allows execution of most of the Windows shell commands. Although this tool has many legitimate applications, its use in security incidents is prevalent enough for us to provide controls in our Potentially Unwanted Application (PUA) category.

Apart from its legitimate uses, Winexe can be, and has been, used for network traversal attacks as part of the Empire PowerShell toolkit, and it is also known to have been used in the 2015 attack on the German Parliament.

The 2017 Internet Security Threat Report discusses the rise of many similar “dual use” tools to breach and traverse enterprise environments.
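
The service lifecycle described above (install a service, run the command, remove the service) leaves traces in the Windows System event log that defenders can hunt for. The following added example, which is not Symantec's code and not part of the original article, flags service installs by name and by short lifetime, generalizing beyond Winexe to any service that stops shortly after being installed. It assumes the default Winexe service name `winexesvc` (not stated in the article), Service Control Manager event IDs 7045 and 7036, and simplified, constructed event records.

```python
from datetime import datetime, timedelta

# Default Winexe service name (assumption: not stated in the article; builds can rename it).
WATCHLIST = {"winexesvc"}

# Constructed sample records, simplified from Windows System event log exports.
# 7045 = service installed, 7036 = service state change (Service Control Manager).
SAMPLE_EVENTS = [
    {"time": "2017-06-01T10:00:00", "host": "WS01", "id": 7045, "service": "winexesvc"},
    {"time": "2017-06-01T10:00:04", "host": "WS01", "id": 7036, "service": "winexesvc", "state": "stopped"},
    {"time": "2017-06-01T11:00:00", "host": "WS02", "id": 7045, "service": "BackupAgent"},
    {"time": "2017-06-01T19:30:00", "host": "WS02", "id": 7036, "service": "BackupAgent", "state": "stopped"},
    {"time": "2017-06-01T12:00:00", "host": "WS03", "id": 7045, "service": "tmpsvc42"},
    {"time": "2017-06-01T12:00:20", "host": "WS03", "id": 7036, "service": "tmpsvc42", "state": "stopped"},
]

def find_suspect_installs(events, window=timedelta(minutes=2)):
    """Return (host, service, reasons) for installs that match the watchlist
    or that stop again within `window` of being installed."""
    installs = {}   # (host, lowercased service name) -> install time
    findings = {}   # same key -> set of reasons
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["service"].lower())
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 7045:
            installs[key] = when
            if key[1] in WATCHLIST:
                findings.setdefault(key, set()).add("watchlist-name")
        elif ev["id"] == 7036 and ev.get("state") == "stopped" and key in installs:
            # Install followed quickly by a stop: the transient-service pattern.
            if when - installs.pop(key) <= window:
                findings.setdefault(key, set()).add("short-lived")
    return [(h, s, sorted(r)) for (h, s), r in sorted(findings.items())]

if __name__ == "__main__":
    for host, service, reasons in find_suspect_installs(SAMPLE_EVENTS):
        print(f"{host}: service '{service}' flagged ({', '.join(reasons)})")
```

The short-lifetime check catches a renamed service that the name watchlist would miss, while a long-running service such as the constructed `BackupAgent` is not flagged.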

Detection information:

Detection for PUA.Winexe was initially provided in virus definitions on May 29, 2017, revision 006.

PUA management and Risk acceptance:

RISK detections have the important distinction of not being inherently malicious, and they allow a greater degree of risk acceptance within many Symantec products.

For more information please see:
Excluding known risks from virus and spyware scans on Windows clients

