ESET File Security block outgoing remote PS

[Thomas Haggren 0]

Hi

I have to servers, A and B.

I'm trying to execute PS on server B from server A using remote PS. ESET File Security is installed on both servers (v6.5.12014.0) with a standard configuration.

For some reason my remote PS call from server A to B times out when ESET File Security is installed on server A (the server performing the remote PS call). If I uninstall ESET File Security from server A everything works as expected. Temporary disabling ESET File Security from server A makes no difference.... I have to uninstall to get it to work.

Before ESET File Security 4.5 was installed on both servers and there were no issues.

Any ideas of what is blocking the remote PS calls? 

[Marcos 5,074]

Does temporarily disabling HIPS and rebooting the server make a difference? If not, what about temporarily disabling automatic start of real-time protection followed by a reboot?

[Thomas Haggren 0]

Hi Marcos

Make no difference .. everything is "Permanently disabled" og real-time scanner is disabled and set to not start automatically.

I forgot to mention that the installation is controlled by an ERA server, but I cannot see what difference that might make.

Regards,

Thomas

[Thomas Haggren 0]

Forgot to mention that the servers are Windows Server 2012 R2.

[Thomas Haggren 0]

The PS being called looks like this:
 

$ppf = New-Object System.Management.Automation.PSCredential -ArgumentList @("domain\user",(ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force))
Invoke-Command -ComputerName server.domain.local -ScriptBlock { 0|cmd /c C:\_Deploy\Scripts\Deploy_ALL.cmd } -Authentication CredSSP -Credential $ppf

 

[Marcos 5,074]

I don't see any reason why this would be blocked by ESET. Does renaming ekrn.exe in safe mode has any effect?

[Thomas Haggren 0]

21 minutes ago, Marcos said:

I don't see any reason why this would be blocked by ESET. Does renaming ekrn.exe in safe mode has any effect?

Renaming in ekrn.exe in safe mode and then reboot makes the PS work again.

So even though all modules in File Security has been "Permanently disabled" or "Disabled and don't start automatically" something is still active.

Edited February 26, 2018 by Thomas Haggren

[Thomas Haggren 0]

Removing the credential part of the PS command makes the script run both with File Security disabled and enabled.

-Authentication CredSSP -Credential $ppf

So the PS command now looks like:

Invoke-Command -ComputerName server.domain.local -ScriptBlock { 0|cmd /c C:\_Deploy\Scripts\Deploy_ALL.cmd }

This of course mean that the script is running with my credentials... and not the serivce users....  

Edited February 26, 2018 by Thomas Haggren

[Thomas Haggren 0]

Got it to work (still need to perform more testing)...

All that was needed was to remove this from the PS command:

-Authentication CredSSP

The working PS command looks like this:

$ppf = New-Object System.Management.Automation.PSCredential -ArgumentList @("domain\user",(ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force))
Invoke-Command -ComputerName server.domain.local -ScriptBlock { 0|cmd /c C:\_Deploy\Scripts\Deploy_ALL.cmd } -Credential $ppf

So ESET File Security blocks for the usage of "-Authentication CredSSP". This is needed if you need to make a remote PS command from the server you are doing the first remote PS to (remote in remote). In my situation this is not needed... and therefore I can remove this part of the PS command.

This article (hxxp://www.powershellmagazine.com/2014/03/06/accidental-sabotage-beware-of-credssp/) is highlighting some secure risks of using "-Authentication CredSSP".

Could this be the reason for ESET File Security to block it?

Would be great with some insight