ESET File Security blocks outgoing remote PS

Hi

I have two servers, A and B.

I'm trying to execute PS on server B from server A using remote PS. ESET File Security is installed on both servers (v6.5.12014.0) with a standard configuration.

For some reason my remote PS call from server A to B times out when ESET File Security is installed on server A (the server performing the remote PS call). If I uninstall ESET File Security from server A everything works as expected. Temporarily disabling ESET File Security on server A makes no difference.... I have to uninstall to get it to work.

Before, ESET File Security 4.5 was installed on both servers and there were no issues.

Any ideas of what is blocking the remote PS calls? 

  • Administrators

Does temporarily disabling HIPS and rebooting the server make a difference? If not, what about temporarily disabling automatic start of real-time protection followed by a reboot?


Hi Marcos

Makes no difference... everything is "Permanently disabled" and the real-time scanner is disabled and set to not start automatically.

I forgot to mention that the installation is controlled by an ERA server, but I cannot see what difference that might make.

Regards,

Thomas


The PS being called looks like this:
 

$ppf = New-Object System.Management.Automation.PSCredential -ArgumentList @("domain\user",(ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force))
Invoke-Command -ComputerName server.domain.local -ScriptBlock { 0|cmd /c C:\_Deploy\Scripts\Deploy_ALL.cmd } -Authentication CredSSP -Credential $ppf

 

21 minutes ago, Marcos said:

I don't see any reason why this would be blocked by ESET. Does renaming ekrn.exe in safe mode have any effect?

Renaming ekrn.exe in safe mode and then rebooting makes the PS work again.

So even though all modules in File Security have been "Permanently disabled" or "Disabled and don't start automatically", something is still active.


Removing the credential part of the PS command makes the script run both with File Security disabled and enabled.

-Authentication CredSSP -Credential $ppf

So the PS command now looks like:

Invoke-Command -ComputerName server.domain.local -ScriptBlock { 0|cmd /c C:\_Deploy\Scripts\Deploy_ALL.cmd }

This of course means that the script is running with my credentials... and not the service user's....


Got it to work (still need to perform more testing)...

All that was needed was to remove this from the PS command:

-Authentication CredSSP

The working PS command looks like this:

$ppf = New-Object System.Management.Automation.PSCredential -ArgumentList @("domain\user",(ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force))
Invoke-Command -ComputerName server.domain.local -ScriptBlock { 0|cmd /c C:\_Deploy\Scripts\Deploy_ALL.cmd } -Credential $ppf

So ESET File Security blocks the usage of "-Authentication CredSSP". This is needed if you need to make a remote PS command from the server you are doing the first remote PS to (remote in remote). In my situation this is not needed... and therefore I can remove this part of the PS command.

This article (hxxp://www.powershellmagazine.com/2014/03/06/accidental-sabotage-beware-of-credssp/) highlights some security risks of using "-Authentication CredSSP".

Could this be the reason for ESET File Security to block it?

Would be great with some insight :) 


Archived

This topic is now archived and is closed to further replies.
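
Added example, not part of the original thread and not ESET or Microsoft code: a diagnostic for the CredSSP failure discussed above. It reports whether CredSSP is enabled on the calling server, lists the hosts it may delegate credentials to, and compares a WinRM probe with default authentication against one with CredSSP. The function names are hypothetical; it assumes an elevated session on server A with the WinRM service running, and it prompts for the service account instead of embedding the password in the script.

```powershell
# Added example; function names are hypothetical. Run elevated on the calling server (A).
function Get-CredSspState {
    # WSMan: drive leaves hold the switches set by Enable-WSManCredSSP.
    # The Service value matters on the remote end (server B), so run this there too.
    $client  = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
    $service = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value

    # Hosts this machine may delegate fresh credentials to (policy-backed list).
    $keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $targets = @()
    if (Test-Path $keyPath) {
        $key = Get-Item -Path $keyPath
        $targets = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
    }

    [pscustomobject]@{
        ClientCredSsp     = $client
        ServiceCredSsp    = $service
        DelegationTargets = $targets
        # Wildcard entries delegate to every matching host and deserve review.
        WildcardTargets   = @($targets | Where-Object { $_.Contains('*') })
    }
}

function Test-RemotingAuth {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [Parameter(Mandatory)] [pscredential]$Credential
    )
    # Same host, same account, two mechanisms: a failure on CredSSP only
    # isolates the problem to the CredSSP handshake rather than WinRM itself.
    foreach ($auth in 'Default', 'CredSSP') {
        try {
            Test-WSMan -ComputerName $ComputerName -Authentication $auth `
                       -Credential $Credential -ErrorAction Stop | Out-Null
            $result = 'OK'
        } catch {
            $result = $_.Exception.Message
        }
        [pscustomobject]@{ Authentication = $auth; Result = $result }
    }
}

$target = 'server.domain.local'   # host name as written in the thread
$cred   = Get-Credential          # interactive prompt, no plaintext password
Get-CredSspState | Format-List
Test-RemotingAuth -ComputerName $target -Credential $cred | Format-Table -AutoSize
```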
