ESET AV Blocking exe from running

This topic is 1 year and 2 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.

ESET AV Blocking exe from running

Post by owinsloe »

Product: PowerShell Studio 2022 (64 Bit)
Build: v5.8.213
OS: Windows 10 Pro (64 Bit)
Build: v10.0.22621.0

I realize the following issue is AV related and no fault of PSS but I'm after some advice on how I may mitigate the issue as this utility is critical to server health and our clients IT specialists are failing to whitelist or exclude this utility from scans.

Some background: cnwhousekeeper performs various log file & temp file cleanup and audits a variety of tasks, as well as providing server health information. We have several hundred servers that we manage across dozens of Windows domains. Some of these are under client control and others we manage. There are various AVs that we run on the different domains (e.g. Trend ApexOne, Cloudstrike, ESET).

ESET is the one causing the problem. It was fine, then one day (with no change to the exe) it broke.

A manual run returns the output below and is then terminated. I do not supply this code "$PSScriptRoot = "C:\cardinal\bin"", so I assume that this is added when the exe is packaged.

As it seems to be that line the AV is complaining about, is there some way I can suppress it?

Any other suggestions on how to avoid this issue (other than having ESET restrict scanning of the exe) as this problem has now persisted for 4 weeks and the client has still not whitelisted or excluded the exe from scans. I'm unsure whether there's an actual issue with the AV product or some other weirdness.

Those servers that are affected also have several other PSS packaged exes, and they continue to run fine, which has me very confused as to why the AV is picking on cnwhousekeeper.

Cheers

************* runtime output *************
C:\Windows\system32>cnwhousekeeper
Line 2: At line:1 char:1
+ $PSScriptRoot = "C:\cardinal\bin"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.

Re: ESET AV Blocking exe from running

Post by owinsloe »

Forgot to mention that I also tried running the raw ps1 script on the server and the AV blocked that also AND '$PSScriptRoot = "C:\cardinal\bin"' was not present in the script, so the display coming back may be a red herring.

Re: ESET AV Blocking exe from running

Post by owinsloe »

Typical...
I tried a new approach, deleting code to try and isolate the offending bit, and the winner is...

[Byte[]]$IMAGE_FILE_MACHINE = New-Object Byte[](2)

from Get-PEArchitecture published by Matthew Graeber

Not sure how I'm going to work around that....grrrrr
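For readers who want to see what the flagged line is part of: the `[Byte[]]$IMAGE_FILE_MACHINE = New-Object Byte[](2)` allocation in Get-PEArchitecture is a two-byte buffer for the `Machine` field of the PE file's COFF header, which identifies the target CPU. The script below is an added example written for this page (it is not code from the thread, from SAPIEN, or from Matthew Graeber's Get-PEArchitecture) that reads that field from raw bytes and maps it to an architecture name. The function name `Get-PEMachine` is an assumption, the in-memory sample header is constructed here for demonstration, and nothing is claimed about whether any particular AV engine does or does not flag it.

```powershell
# Added example (not from the thread or from Get-PEArchitecture): read the
# IMAGE_FILE_HEADER.Machine field of a PE image and report its architecture.
function Get-PEMachine {
    [CmdletBinding()]
    param(
        # Raw file contents; callers normally pass [IO.File]::ReadAllBytes($path)
        [Parameter(Mandatory)]
        [byte[]]$Bytes
    )

    # DOS header: 'MZ' signature at offset 0, e_lfanew (offset of the PE
    # signature) as a 4-byte little-endian value at offset 0x3C
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) {
        throw 'Not a PE file: missing MZ signature'
    }
    $peOffset = [BitConverter]::ToUInt32($Bytes, 0x3C)

    # "PE\0\0" signature, immediately followed by the COFF file header whose
    # first field is the 2-byte little-endian Machine value
    if ($peOffset + 6 -gt $Bytes.Length -or
        $Bytes[$peOffset] -ne 0x50 -or $Bytes[$peOffset + 1] -ne 0x45 -or
        $Bytes[$peOffset + 2] -ne 0 -or $Bytes[$peOffset + 3] -ne 0) {
        throw 'Not a PE file: missing PE signature'
    }
    $machine = [BitConverter]::ToUInt16($Bytes, $peOffset + 4)

    # IMAGE_FILE_MACHINE_* constants from the PE/COFF specification
    $name = switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        0x01C4  { 'ARM (Thumb-2)' }
        0xAA64  { 'ARM64' }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        Machine      = ('0x{0:X4}' -f $machine)
        Architecture = $name
    }
}

# Constructed sample: a minimal in-memory header (DOS stub + PE signature +
# Machine = 0x8664) so the function can be exercised without reading any file.
$sample = [byte[]]::new(0x48)
$sample[0] = 0x4D; $sample[1] = 0x5A                          # 'MZ'
[BitConverter]::GetBytes([uint32]0x40).CopyTo($sample, 0x3C)  # e_lfanew = 0x40
$sample[0x40] = 0x50; $sample[0x41] = 0x45                     # 'PE\0\0'
[BitConverter]::GetBytes([uint16]0x8664).CopyTo($sample, 0x44) # Machine = AMD64
Get-PEMachine -Bytes $sample      # Architecture : x64

# Against a real image: the PowerShell host process currently running this code
Get-PEMachine -Bytes ([IO.File]::ReadAllBytes((Get-Process -Id $PID).Path))
```

The two-byte buffer in the original script and the `ToUInt16` call here read exactly the same field; the difference is only in how the bytes are obtained (whole-file read and offset arithmetic instead of a seeking stream). Which of the two a heuristic engine flags is the vendor's business, which is why Alexander's advice below to submit the file as a suspected false positive remains the right first step.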

Re: ESET AV Blocking exe from running

Post by Alexander Riedel »

The only sure way is to send the offending file to your anti-virus provider. They all have a way to upload files to check for false positives. Well, the good ones anyway.
Using a sequence like you have here is somewhat ridiculous to use for malware identification, if you ask me.
Alexander Riedel
SAPIEN Technologies, Inc.

Re: ESET AV Blocking exe from running

Post by owinsloe »

Thanks Alexander,
ESET have not been forthcoming or fast with their technical assistance from our clients' perspective, so we have had to go to the additional effort to work around it. Fortunately, that function is not business critical, so simply commenting it out has worked around the problem.

Pretty basic syntax, can't see why an AV would grizzle about it.
Cheers