Thomas Haggren
Posted February 26, 2018

Hi

I have two servers, A and B. I'm trying to execute PS on server B from server A using remote PS. ESET File Security is installed on both servers (v6.5.12014.0) with a standard configuration.

For some reason my remote PS call from server A to B times out when ESET File Security is installed on server A (the server performing the remote PS call). If I uninstall ESET File Security from server A everything works as expected. Temporarily disabling ESET File Security on server A makes no difference.... I have to uninstall to get it to work.

Before, ESET File Security 4.5 was installed on both servers and there were no issues.

Any ideas of what is blocking the remote PS calls?

Marcos (Administrators)
Posted February 26, 2018

Does temporarily disabling HIPS and rebooting the server make a difference? If not, what about temporarily disabling automatic start of real-time protection followed by a reboot?

Thomas Haggren (Author)
Posted February 26, 2018

Hi Marcos

Makes no difference... everything is "Permanently disabled" and the real-time scanner is disabled and set to not start automatically.

I forgot to mention that the installation is controlled by an ERA server, but I cannot see what difference that might make.

Regards,
Thomas

Thomas Haggren (Author)
Posted February 26, 2018

Forgot to mention that the servers are Windows Server 2012 R2.

Thomas Haggren (Author)
Posted February 26, 2018

The PS being called looks like this:

    $ppf = New-Object System.Management.Automation.PSCredential -ArgumentList @("domain\user",(ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force))
    Invoke-Command -ComputerName server.domain.local -ScriptBlock { 0|cmd /c C:\_Deploy\Scripts\Deploy_ALL.cmd } -Authentication CredSSP -Credential $ppf

Marcos (Administrators)
Posted February 26, 2018

I don't see any reason why this would be blocked by ESET. Does renaming ekrn.exe in safe mode have any effect?

Thomas Haggren (Author)
Posted February 26, 2018 (edited)

21 minutes ago, Marcos said: "I don't see any reason why this would be blocked by ESET. Does renaming ekrn.exe in safe mode have any effect?"

Renaming ekrn.exe in safe mode and then rebooting makes the PS work again. So even though all modules in File Security have been "Permanently disabled" or "Disabled and don't start automatically", something is still active.

Thomas Haggren (Author)
Posted February 26, 2018 (edited)

Removing the credential part of the PS command makes the script run both with File Security disabled and enabled:

    -Authentication CredSSP -Credential $ppf

So the PS command now looks like:

    Invoke-Command -ComputerName server.domain.local -ScriptBlock { 0|cmd /c C:\_Deploy\Scripts\Deploy_ALL.cmd }

This of course means that the script is running with my credentials... and not the service user's....

Thomas Haggren (Author)
Posted February 26, 2018

Got it to work (still need to perform more testing)... All that was needed was to remove this from the PS command:

    -Authentication CredSSP

The working PS command looks like this:

    $ppf = New-Object System.Management.Automation.PSCredential -ArgumentList @("domain\user",(ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force))
    Invoke-Command -ComputerName server.domain.local -ScriptBlock { 0|cmd /c C:\_Deploy\Scripts\Deploy_ALL.cmd } -Credential $ppf

So ESET File Security blocks the usage of "-Authentication CredSSP". This is needed if you need to make a remote PS command from the server you are doing the first remote PS to (remote in remote). In my situation this is not needed... and therefore I can remove this part of the PS command.

This article (hxxp://www.powershellmagazine.com/2014/03/06/accidental-sabotage-beware-of-credssp/) highlights some security risks of using "-Authentication CredSSP". Could this be the reason for ESET File Security to block it?

Some insight would be great.
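
Since the thread ends with CredSSP removed from the call, here is an added example (not from any poster and not ESET's code) that reports whether CredSSP is still enabled for WinRM on a host, so it can be switched off where the second hop is not needed. The function name Get-CredSspState is hypothetical; the script assumes an elevated session with the WinRM service running.

```powershell
# Added example: audit the WinRM CredSSP settings on the local machine.
# Run on server A (client role) and on server B (service role).
function Get-CredSspState {
    [CmdletBinding()]
    param()

    # The WSMan: drive exposes the WinRM auth settings; Value is the string 'true' or 'false'.
    $client  = (Get-Item -Path WSMan:\localhost\Client\Auth\CredSSP).Value
    $service = (Get-Item -Path WSMan:\localhost\Service\Auth\CredSSP).Value

    # Enable-WSManCredSSP -Role Client (or Group Policy) lists the hosts that may
    # receive delegated credentials under this policy key, e.g. 'wsman/server.domain.local'.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $targets = @()
    if (Test-Path -Path $policyKey) {
        $key = Get-Item -Path $policyKey
        $targets = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ClientCredSSP     = [bool]::Parse($client)
        ServiceCredSSP    = [bool]::Parse($service)
        DelegationTargets = $targets
    }
}

$state = Get-CredSspState
$state | Format-List

if ($state.ClientCredSSP -or $state.ServiceCredSSP) {
    # A wildcard target such as 'wsman/*' means credentials can be delegated to any host.
    Write-Warning ("CredSSP is enabled on {0}; delegation targets: {1}" -f `
        $state.ComputerName, ($state.DelegationTargets -join ', '))
    # To turn it off when no second hop is required:
    #   Disable-WSManCredSSP -Role Client   # on the calling server
    #   Disable-WSManCredSSP -Role Server   # on the target server
}
```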