At times, PAExec or RemCom services and processes may be found on client systems and raise alarms of a security breach. Barracuda RMM uses both of these for various automated tasks and for running scripts against devices.
To view what either service is running on a device, open Task Manager > Details. Right-click the column titles and select Columns. Check Command Line. This shows the full path that PAExec or RemCom is running from, as well as the name of the script being executed.
When execution of a script is completed, the respective service is deleted from the end device, although there will be entries in the Windows Event log indicating that a service was installed, started, stopped, and deleted.
PAExec
PAExec is used for running silent tasks on devices from either an Onsite Manager or a Device Manager. When a task is executed on a device, a service with the name of PAExec-ONSITEMANAGERNAME.exe is installed. This does not indicate a security breach on the system if it is coming from the Onsite Manager and was started by the MWService account that is being utilized by the Onsite Manager, or by Local System in the case of a Device Manager.
Tasks that utilize PAExec include:
- Deployment of Premium Remote Control
- Deployment of Avast Antivirus
- Automatic execution of resolving found Onboarding issues
- Site Security Dashboard scans
PAExec is a re-write of PSExec. Details of PAExec can be found here: https://www2.poweradmin.com/paexec/.
RemCom
This is used for Automation within Barracuda RMM. When a script is executed against devices, RemCom is installed, and the script files are copied to the device and executed there. Once the script has completed, the service is deleted.
RemCom is an open-source project, and details of it can be found here: https://github.com/kavika13/RemCom.
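One way to review the Windows Event log entries mentioned above against the criteria in the PAExec section, as an added example that is not part of the Barracuda RMM documentation. It reads Service Control Manager event 7045 (service installed) from the System log; the Onsite Manager name is a placeholder to replace, and the assumption is that the RMM service account's name ends in "MWService".

```powershell
# Added example: triage PAExec / RemCom service installs recorded in the System log.
# Run from an elevated PowerShell prompt on the device being reviewed.
$ExpectedOnsiteManager = 'ONSITEMANAGERNAME'   # placeholder: your Onsite Manager host name
$DaysBack              = 7                     # how far back to search

$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045                        # "A service was installed in the system"
    StartTime    = (Get-Date).AddDays(-$DaysBack)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -match 'paexec|remcom' -or
                   $_.Properties[1].Value -match 'paexec|remcom' } |
    ForEach-Object {
        # Event 7045 data order: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $serviceName = [string]$_.Properties[0].Value
        $imagePath   = [string]$_.Properties[1].Value
        $runAs       = [string]$_.Properties[4].Value

        # UserId is the SID of the account that requested the service install.
        $sid = if ($_.UserId) { $_.UserId.Value } else { '' }
        $installedBy = if ($_.UserId) {
            try   { $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid }                     # SID could not be resolved on this host
        } else { 'unknown' }

        # Expected installers: Local System (S-1-5-18) or the MWService account (assumed name).
        $knownAccount = ($sid -eq 'S-1-5-18') -or ($installedBy -match '(\\|^)MWService$')
        # Only PAExec service names carry the Onsite Manager name.
        $knownSource  = ($serviceName -notmatch '^paexec') -or
                        ($serviceName -match [regex]::Escape($ExpectedOnsiteManager))

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            ServiceName = $serviceName
            ImagePath   = $imagePath
            RunAs       = $runAs
            InstalledBy = $installedBy
            Review      = -not ($knownAccount -and $knownSource)
        }
    } | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

Rows with Review set to True are installs whose requesting account or service name does not match what the article describes as expected, and are the ones to compare against the RMM task history.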