Agent pushed to a Server 2012 / Windows 8 system and now we're getting alerts from the antivirus that it detects winexesvc.exe. What is this?
Winexesvc.exe is called remotely to install the agent with our push feature. It is part of Microsoft's own code for linux support. When we remotely connect from linux, Microsoft auto-installs this component for us if it's not been activated before (or if its been updated by Microsoft). We disable when the installation is done. Some AV vendors consider the existence of this package a risk. There unfortunately isn't a way around using such a service to push to 2012R2 or 2016 since we're not part of your domain (and your backup product for best security should not be part of your domain; that would be a bigger risk). Agent push features require UAC to be off, and also require reducing some other security barriers, it's not a 100% save process to allow other systems (any systems) to install software on your servers remotely. It's really not the best model, but, most of our customers demand we provide such a feature so we do.
Customers can enter exceptions with their AV vendors to avoid the notice on winexesvc.exe, or alternatively, you can push our agent MSIs with GPO instead of using our push feature, which in larger environments may be far more convenience, especially to work around cluster updates, maintenance windows, or push agents automatically on weekends without additional manual intervention, plus you could maintain tighter security doing so by keeping UAC enabled.
There's technical specs for winexesvc.exe can be found within this Technet post under "Spencer"'s response: https://social.technet.microsoft.com/Forums/windows/en-US/aae7eb51-f7d2-452a-9486-ca8701032b58/winexesvcexe