Product: PowerShell Studio 2022 (64 Bit)
Build: v5.8.213
OS: Windows 10 Pro (64 Bit)
Build: v10.0.22621.0
I realize the following issue is AV-related and no fault of PSS, but I'm after some advice on how I may mitigate the issue, as this utility is critical to server health and our clients' IT specialists are failing to whitelist or exclude this utility from scans.
Some background: cnwhousekeeper performs various log file and temp file cleanup, audits a variety of tasks, and provides server health information. We have several hundred servers that we manage across dozens of Windows domains. Some of these are under client control and others we manage. There are various AVs that we run on the different domains (e.g. Trend ApexOne, CrowdStrike, ESET).
ESET is the one causing the problem. It was fine, then one day (with no change to the exe) it broke.
A manual run returns the below then it is terminated. I do not supply this code "$PSScriptRoot = "C:\cardinal\bin"", so assume that this is done when the exe is packaged.
As it seems to be that line the AV is complaining about, is there some way I can suppress it?
Any other suggestions on how to avoid this issue (other than having ESET restrict scanning of the exe)? This problem has now persisted for 4 weeks and the client has still not whitelisted or excluded the exe from scans. I'm unsure whether there's an actual issue with the AV product or some other weirdness.
Those servers that are affected also have several other PSS-packaged exes, and they continue to run fine, which has me very confused as to why the AV is picking on cnwhousekeeper.
Cheers
************* runtime output *************
C:\Windows\system32>cnwhousekeeper
Line 2: At line:1 char:1
+ $PSScriptRoot = "C:\cardinal\bin"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
ESET AV Blocking exe from running
Re: ESET AV Blocking exe from running
Forgot to mention that I also tried running the raw ps1 script on the server and the AV blocked that also AND '$PSScriptRoot = "C:\cardinal\bin"' was not present in the script, so the display coming back may be a red herring.
Re: ESET AV Blocking exe from running
Typical...
I tried a new approach, deleting code to try and isolate the offending bit, and the winner is...
[Byte[]]$IMAGE_FILE_MACHINE = New-Object Byte[](2)
from Get-PEArchitecture published by Matthew Graeber
Not sure how I'm going to work around that... grrrrr
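For reference, this is an added example (not the thread's code and not Matthew Graeber's original Get-PEArchitecture) of what that flagged line is actually doing: it allocates the two-byte buffer used to read the Machine field of a PE header, which is plain file parsing with no execution involved. The function name Get-PEMachineType and the notepad.exe sample path are my own choices.

```powershell
function Get-PEMachineType {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Well-known IMAGE_FILE_MACHINE values from the PE specification
    $machineNames = @{
        0x014c = 'x86 (I386)'
        0x8664 = 'x64 (AMD64)'
        0x01c4 = 'ARM (Thumb-2)'
        0xaa64 = 'ARM64'
    }

    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $reader = New-Object System.IO.BinaryReader($stream)
        # DOS header starts with 'MZ' (0x4D 0x5A, little-endian UInt16 0x5A4D)
        if ($reader.ReadUInt16() -ne 0x5A4D) { throw "Not a DOS/PE image: $Path" }
        # e_lfanew at offset 0x3C holds the file offset of the PE header
        $null = $stream.Seek(0x3C, [System.IO.SeekOrigin]::Begin)
        $peOffset = $reader.ReadUInt32()
        $null = $stream.Seek($peOffset, [System.IO.SeekOrigin]::Begin)
        # 'PE\0\0' signature (0x50 0x45 0x00 0x00)
        if ($reader.ReadUInt32() -ne 0x00004550) { throw "Missing PE signature: $Path" }
        # The 2-byte Machine field follows immediately. This is the buffer
        # the flagged line sets up; it only ever receives two bytes from disk.
        [Byte[]]$IMAGE_FILE_MACHINE = New-Object Byte[](2)
        $null = $stream.Read($IMAGE_FILE_MACHINE, 0, 2)
        $machine = [BitConverter]::ToUInt16($IMAGE_FILE_MACHINE, 0)
    }
    finally { $stream.Dispose() }

    [PSCustomObject]@{
        Path         = $Path
        MachineCode  = ('0x{0:X4}' -f $machine)
        Architecture = if ($machineNames.ContainsKey([int]$machine)) { $machineNames[[int]$machine] } else { 'Unknown' }
    }
}

# Sample call against a file present on every Windows install
Get-PEMachineType -Path "$env:SystemRoot\System32\notepad.exe"
```

Having a minimal reproduction like this is also what the AV vendor's false-positive submission form will want alongside the blocked file.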
- Alexander Riedel
Re: ESET AV Blocking exe from running
The only sure way is to send the offending file to your anti-virus provider. They all have a way to upload files to check for false positives. Well, the good ones anyway.
Using a sequence like you have here is somewhat ridiculous to use for malware identification, if you ask me.
Alexander Riedel
SAPIEN Technologies, Inc.
Re: ESET AV Blocking exe from running
Thanks Alexander,
ESET have not been forthcoming or fast with their technical assistance from our clients' perspective, so we have had to go to the additional effort to work around it. Fortunately, that function is not business critical, so simply commenting it out has worked around the problem.
Pretty basic syntax; can't see why an AV would grizzle about it.
Cheers