What are Xcmd.exe and Xcmdsvc.exe files in \CA\ReleaseAutomationServer\scripts directory?
Can we safely delete/quarantine these files?
Why hasn’t Broadcom signed these utilities?
Note:
This question is sometimes associated with the files being found/considered malware/ransomware.
Release : 6.7.x, 6.8.x
Component : CA RELEASE AUTOMATION EXECUTION SERVER
Xcmd.exe and Xcmdsvc.exe are both legitimate files that are shipped with the product. These files are widely used as an alternative to PsExec for remote execution of commands.
Note:
The presence of the Xcmd.exe utility is not a vulnerability by itself. Xcmd is a utility necessary for some features of Nolio (installing agents on remote hosts), so it is an intentional part of the distribution. Broadcom constantly pays attention to security aspects of delivered software, and not only reacts to newly discovered vulnerability reports, but also works proactively to eliminate potential issues.
If these files are flagged by a scan, the recommendation is to exclude these two files from the scan. File location:
If excluding the files from the scan is not possible, or if the files must be deleted, quarantined, renamed, moved, etc., then the features that depend on them will break. Specifically, the files are used by:
On a 64-bit OS both binaries are used from "C:\WINDOWS\SysWOW64\", where they are copied before use and are supposed to be deleted automatically afterwards.
There is no common practice in the industry of signing 3rd party components with one's own certificate, so Broadcom does not do this either. Moreover, such a signature would technically be a modification of the 3rd party component, which Broadcom has no intention of making and sometimes has no rights to make.
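As an added check for the file-location and signing points above (example code, not part of the Broadcom article or the product), the following PowerShell inventories the shipped Xcmd.exe and Xcmdsvc.exe, looks for leftover copies in SysWOW64 that should have been cleaned up, and records their Authenticode status. The drive letter of the install root is an assumption.

```powershell
# Added example (not from the Broadcom article). Inventory the shipped Xcmd binaries,
# detect leftover copies in SysWOW64, and record signature status for the scan-exclusion review.
param(
    [string]$InstallRoot = 'C:\CA\ReleaseAutomationServer',   # assumption: drive letter C:
    [string]$SysWow64    = "$env:SystemRoot\SysWOW64"
)

$names   = @('Xcmd.exe', 'Xcmdsvc.exe')
$shipped = @{}   # name -> SHA256 of the copy in the scripts directory

foreach ($n in $names) {
    $src = Join-Path (Join-Path $InstallRoot 'scripts') $n
    if (-not (Test-Path $src)) {
        Write-Warning "Shipped copy missing: $src (a deleted or quarantined copy breaks remote agent installation)"
        continue
    }
    $hash = (Get-FileHash -Path $src -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -FilePath $src).Status   # per the article, expect NotSigned
    $shipped[$n] = $hash
    [pscustomobject]@{ File = $src; SHA256 = $hash; Signature = $sig }
}

# The product copies the binaries to SysWOW64 for each use and is supposed to remove them
# afterwards. A copy that is still present is either a stale leftover (same hash as the
# shipped file) or something else entirely (different hash) and should be reviewed before
# any scan exclusion is widened to cover SysWOW64.
foreach ($n in $names) {
    $copy = Join-Path $SysWow64 $n
    if (-not (Test-Path $copy)) { continue }
    $hash = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
    if (-not $shipped.ContainsKey($n)) { $state = 'no shipped copy available to compare' }
    elseif ($shipped[$n] -eq $hash)    { $state = 'stale copy, matches shipped file' }
    else                               { $state = 'hash differs from shipped file, review' }
    [pscustomobject]@{ File = $copy; SHA256 = $hash; State = $state }
}
```

Run it on the execution server; the first table gives the exact paths and hashes to hand to the scanning team for the exclusion, the second shows whether the automatic cleanup in SysWOW64 is actually happening.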