Xcmd.exe and Xcmdsvc.exe files in \CA\ReleaseAutomationServer\scripts directory

Article ID: 200399

Products

  • CA Release Automation - Release Operations Center (Nolio)
  • CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

What are Xcmd.exe and Xcmdsvc.exe files in \CA\ReleaseAutomationServer\scripts directory?

Can we safely delete/quarantine these files? 

Why hasn’t Broadcom signed these utilities?

Note:

This question often arises when a security scan has flagged these files as malware or ransomware.

Environment

Release : 6.7.x, 6.8.x

Component : CA RELEASE AUTOMATION EXECUTION SERVER

Resolution

What are Xcmd.exe and Xcmdsvc.exe files in \CA\ReleaseAutomationServer\scripts directory?

Xcmd.exe and Xcmdsvc.exe are both legitimate files that ship with the product. They are a widely used alternative to PsExec for remote command execution, which is why security scanners frequently flag them.

Note: 

The presence of the Xcmd.exe utility is not a vulnerability by itself. Xcmd is a utility necessary for some features of Nolio (installing agents on remote hosts), so it is an intentional part of the distribution. Broadcom constantly pays attention to security aspects of delivered software, and not only reacts to newly discovered vulnerability reports, but also works proactively to eliminate potential issues.

Can we safely delete/quarantine these files? 

If a scan detects these files, the recommendation is to exclude these two specific files (not the whole directory) from that scan. File locations:

  • <NES_InstalDir>/scripts/xCmd.exe
  • <NES_InstalDir>/scripts/xCmdSvc.exe

If excluding the files from the scan is not possible, or if the files are deleted, quarantined, renamed or moved, the features that depend on them will stop working. Specifically, the files are used by:

  1. In Web UI:
    • Remote agent installation on Windows hosts
  2. In ASAP client:
    • Remote agent installation on Windows hosts
    • Remote uninstallation of Windows agents
    • Remote restart of Windows agents

On a 64-bit OS, both binaries are copied to "C:\WINDOWS\SysWOW64\" before use and executed from there; they are expected to be deleted from that location automatically afterwards.
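The following PowerShell script is an added example, not part of this article or of the product: it hashes the two shipped binaries, checks whether a copy is still lingering in SysWOW64 (which the article says should have been removed automatically) and whether that copy matches the shipped file, and optionally adds a Microsoft Defender exclusion for exactly these two paths. The default install directory is an assumption; adjust it to your <NES_InstalDir>.

```powershell
# Added example (not from the KB article). $InstallDir is an assumed default;
# replace it with the actual <NES_InstalDir> of the execution server.
param(
    [string]$InstallDir = 'C:\Program Files\CA\ReleaseAutomationServer',
    [switch]$AddDefenderExclusion
)

$shipped = @(
    (Join-Path $InstallDir 'scripts\xCmd.exe'),
    (Join-Path $InstallDir 'scripts\xCmdSvc.exe')
)
$sysWow = Join-Path $env:SystemRoot 'SysWOW64'

foreach ($path in $shipped) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Expected file missing: $path (remote agent install/uninstall/restart on Windows will fail)"
        continue
    }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    Write-Output ("{0}`n  SHA256: {1}" -f $path, $hash)

    # The article states the binaries are copied to SysWOW64 before use and deleted
    # afterwards. A copy still present is either an interrupted operation or, if its
    # hash differs from the shipped file, something that deserves investigation.
    $leftover = Join-Path $sysWow (Split-Path -Leaf $path)
    if (Test-Path -LiteralPath $leftover) {
        $leftHash = (Get-FileHash -LiteralPath $leftover -Algorithm SHA256).Hash
        if ($leftHash -eq $hash) {
            Write-Warning "Leftover copy in SysWOW64 matches the shipped binary (not cleaned up): $leftover"
        } else {
            Write-Warning "Copy in SysWOW64 does NOT match the shipped binary; investigate: $leftover"
        }
    }

    if ($AddDefenderExclusion) {
        # Exclude only the two exact file paths, never the whole scripts directory.
        Add-MpPreference -ExclusionPath $path
    }
}
```

Run it without -AddDefenderExclusion first to review the output; the exclusion is only added when that switch is passed.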

Why hasn’t Broadcom signed these utilities?

It is not common industry practice to sign third-party components with one's own certificate, so Broadcom does not do so either. Moreover, such a signature would technically be a modification of the third-party component, which Broadcom does not intend to make and in some cases has no right to make.

Additional Information