Crowdstrick detection of the "rwin.exe"

Article ID: 272281

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Hello Team,

Reported Issue :- CrowdStrike detection of the "rwin.exe"

CA PAM Version :- 4.1.3

- Customer has encountered an issue with CrowdStrike detecting the "rwin.exe" file on their Windows Server. The file is flagged as malware when uploaded to VirusTotal.

- We have suggested that the Windows Remote target connector lets PAM manage Windows accounts and the passwords for services and scheduled tasks that are local to the Windows server. When a password is changed by 'Windows Remote', 'rwin.exe' is created under C$ of the target server to sync the password, so there are two methods to synchronize the password:

1. It tries password sync with Samba commands such as smbpasswd or net; if this fails, it falls back to the second option.

2. rwin.exe is copied to \\HOSTNAME\C$ on the target machine and attempts to synchronize the password.
These communications are done via SMB (port 445).

Referred Article :-
https://knowledge.broadcom.com/external/article/125661/rwinexe-is-placed-when-password-sync-wit.html  

- They have also submitted the file to the Symantec Security Response team; please find the attachment.
- They need confirmation that these actions are genuine PAM behaviors, and would like to know whether it is a legitimate file and free from malware.

Environment

Release : 4.1.3

Cause

The rwin.exe file is provided by multiple application vendors, and can be deployed by any of those vendors, so a file with this name on a target device is not necessarily the one shipped with CA PAM.

Resolution

To identify whether the rwin.exe on the target device is the one provided by CA PAM, generate its MD5 checksum and share it with the technical support team, who will compare it against the MD5 signature of the CA PAM binary and confirm whether the rwin.exe in question is from CA PAM or not.

The rwin.exe file from CA PAM is safe and can be excluded from the antivirus scan.

rwin.exe is a legitimate file provided by Broadcom. It can be verified by running md5sum against the binary on the CA PAM server as well as on the target device to which the file is copied; the two checksums must match.

Below is the md5sum signature for rwin.exe from CA PAM version 4.1.3.

# md5sum /opt/cloakware/cspmserver/rwin/rwin.exe
65b3970449153d6ce3d061209e6a5815  /opt/cloakware/cspmserver/rwin/rwin.exe
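The following script is an added example for performing the comparison described above; it is not Broadcom's or CA PAM's own code. It hashes a copy of rwin.exe found on a target device and reports whether its MD5 matches the 4.1.3 value published in this article. The file path, the version table layout and the function names are assumptions for illustration; the only real value is the 4.1.3 MD5 from the article. A SHA-256 digest is also produced, because MD5 is not collision-resistant and a second hash is a more useful value to attach to a support ticket or antivirus exclusion request.

```python
"""Check whether an rwin.exe copy matches the checksum published for CA PAM 4.1.3."""
import hashlib
import sys

# MD5 of rwin.exe shipped with CA PAM 4.1.3, as published in this article.
# Other PAM releases ship different builds; add their hashes here once the
# technical support team has confirmed them (assumed table layout).
KNOWN_RWIN_MD5 = {
    "4.1.3": "65b3970449153d6ce3d061209e6a5815",
}


def hash_bytes(data):
    """Return (md5, sha256) lowercase hex digests of an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, read in chunks so large binaries are fine."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def classify_digests(md5, sha256, known=KNOWN_RWIN_MD5):
    """Map a computed MD5 onto a known CA PAM build.

    Returns "match:<version>" when the MD5 equals a published CA PAM value and
    "unknown" otherwise. "unknown" means only that this copy is not a build we
    know the hash of (another vendor's rwin.exe, a different PAM release, or a
    modified file); it is not by itself a malware verdict.
    """
    md5 = md5.strip().lower()
    for version, expected in known.items():
        if md5 == expected.strip().lower():
            return f"match:{version}"
    return "unknown"


def classify_rwin_bytes(data, known=KNOWN_RWIN_MD5):
    """Classify an in-memory copy; returns (verdict, md5, sha256)."""
    md5, sha256 = hash_bytes(data)
    return classify_digests(md5, sha256, known), md5, sha256


def classify_rwin(path, known=KNOWN_RWIN_MD5):
    """Classify a file on disk (e.g. a copy pulled from \\\\HOSTNAME\\C$); returns (verdict, md5, sha256)."""
    md5, sha256 = hash_file(path)
    return classify_digests(md5, sha256, known), md5, sha256


def ticket_lines(path, verdict, md5, sha256):
    """Lines to paste into the support case so the team can verify the checksum."""
    return [
        f"file: {path}",
        f"md5: {md5}",
        f"sha256: {sha256}",
        f"verdict: {verdict}",
    ]


if __name__ == "__main__":
    # Usage: python check_rwin.py <path-to-rwin.exe> [...]
    for p in sys.argv[1:]:
        v, m, s = classify_rwin(p)
        print("\n".join(ticket_lines(p, v, m, s)))
```

Run it against the copy on the target device and against /opt/cloakware/cspmserver/rwin/rwin.exe on the PAM server; a "match:4.1.3" on both confirms the file is the CA PAM binary. Treat "unknown" as a prompt to send both hashes to the support team rather than as a conclusion either way.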