rgoldman, posted September 8, 2021:

Hi. Recently I have had an issue with ESET blocking PowerShell from downloading a file from my domain/URL. It's a bginfo script. I need to allow this to execute, but I don't want to allow PowerShell access to everything, so I need to just allow my domain/URL. First I added it to allowed/excluded in Web Protection, but that doesn't seem to allow it. Now I've attempted to create a firewall rule to see if that works. Any other ideas? Thanks
itman, posted September 8, 2021:

> rgoldman said: Recently I have had an issue with ESET blocking PowerShell from downloading a file from my domain/URL. It's a bginfo script.

Is this an internal network domain?
rgoldman (author), posted September 8, 2021:

No, it's external, on the Internet.
itman, posted September 8, 2021:

You will have to determine which Eset component is blocking the outbound PowerShell communication. Start by reviewing your Detections log. If a related entry is not there, check the HIPS, Network protection, etc. logs.
rgoldman (author), posted September 8, 2021:

Hi, and thanks. It says it's the HTTP filter, so I'm thinking I need to create a new policy and refresh it.
Marcos (ESET administrator), posted September 8, 2021:

Please post the appropriate record from the Detections log.
rgoldman (author), posted September 8, 2021:

    <?xml version="1.0" encoding="utf-8" ?>
    <ESET>
      <LOG>
        <RECORD>
          <COLUMN NAME="Time">9/8/2021 10:09:10 AM</COLUMN>
          <COLUMN NAME="Scanner">HTTP filter</COLUMN>
          <COLUMN NAME="Object type">file</COLUMN>
          <COLUMN NAME="Object">https://mydomain.dom/s/MTx56fiz7kKC4No/download</COLUMN>
          <COLUMN NAME="Detection">Blocked Object</COLUMN>
          <COLUMN NAME="Action">connection terminated</COLUMN>
          <COLUMN NAME="User">SHOPTECH\user</COLUMN>
          <COLUMN NAME="Information">Event occurred during an attempt to access the web by the application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054).</COLUMN>
          <COLUMN NAME="Hash">35D8C4E86ECF41973D340BCC02B7DAEC4077106B</COLUMN>
          <COLUMN NAME="First seen here">8/11/2021 10:09:14 AM</COLUMN>
        </RECORD>
      </LOG>
    </ESET>

Attachment: export.txt
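itman's advice above is to work out from the Detections log which ESET component acted; as an added example (not code from the original thread or from ESET), the following Python parses the XML export format shown in the record above and reports, per process, the Scanner that blocked it and the hosts involved, which is the narrow set to review for a URL exclusion rather than exempting PowerShell as a whole. The two-record sample is constructed for the example, and its domain, user and hashes are placeholders.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the layout of an ESET Detections log export (export.txt);
# the domain, user and hashes are placeholders, not real indicators.
SAMPLE_EXPORT = r'''<?xml version="1.0" encoding="utf-8" ?>
<ESET><LOG>
<RECORD>
<COLUMN NAME="Scanner">HTTP filter</COLUMN>
<COLUMN NAME="Object type">file</COLUMN>
<COLUMN NAME="Object">https://mydomain.dom/s/MTx56fiz7kKC4No/download</COLUMN>
<COLUMN NAME="Detection">Blocked Object</COLUMN>
<COLUMN NAME="Action">connection terminated</COLUMN>
<COLUMN NAME="Information">Event occurred during an attempt to access the web by the application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PLACEHOLDER_APP_SHA1).</COLUMN>
</RECORD>
<RECORD>
<COLUMN NAME="Scanner">Real-time file system protection</COLUMN>
<COLUMN NAME="Object type">file</COLUMN>
<COLUMN NAME="Object">C:\Users\user\Downloads\sample.bin</COLUMN>
<COLUMN NAME="Detection">constructed test detection</COLUMN>
<COLUMN NAME="Action">cleaned by deleting</COLUMN>
<COLUMN NAME="Information">Event occurred on a new file created by the application: C:\Windows\explorer.exe (PLACEHOLDER_APP_SHA1).</COLUMN>
</RECORD>
</LOG></ESET>'''

# The application path and its hash sit in the free-text Information column.
APP_RE = re.compile(r"by the application: (.+?) \(([^)]*)\)")

def parse_detections(xml_text):
    # One dict per RECORD keyed by COLUMN NAME, plus app_path/app_hash/app_name.
    root = ET.fromstring(xml_text.encode("utf-8"))
    records = []
    for rec in root.iter("RECORD"):
        row = {c.get("NAME"): (c.text or "") for c in rec.findall("COLUMN")}
        m = APP_RE.search(row.get("Information", ""))
        row["app_path"] = m.group(1) if m else ""
        row["app_hash"] = m.group(2) if m else ""
        row["app_name"] = row["app_path"].rsplit("\\", 1)[-1].lower()
        records.append(row)
    return records

def blocks_for_process(records, exe_name):
    # Records raised for the named process; the Scanner column names the ESET
    # component that acted (HTTP filter, HIPS, Network protection, ...).
    return [r for r in records if r["app_name"] == exe_name.lower()]

def blocked_hosts(records, exe_name):
    # Hostnames of the web objects blocked for the process: the candidates for a
    # Web access protection URL exclusion, instead of unblocking the process.
    return {urlsplit(r["Object"]).hostname for r in blocks_for_process(records, exe_name)
            if r.get("Object", "").startswith("http")}
```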
rgoldman (author), posted September 8, 2021:

An Event Log notification has occurred with the following parameters:

    Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Object URI: https://mydomain.dom/s/MTx56fiz7kKC4No/download
    Severity: Warning
    Detection Type:
    Detection Name: Blocked Object
    Type: file
    Action Performed: Connection terminated
    Restart: no
    Circumstances: Event occurred during an attempt to access the web.
Marcos (ESET administrator), posted September 8, 2021:

Is mydomain.com the actual domain from which you downloaded the file?
rgoldman (author), posted September 8, 2021 (edited):

No, but I didn't want to post it here; it's xxxxx.

(Edited September 8, 2021 by Marcos: domain hidden.)
Marcos (ESET administrator), posted September 8, 2021:

The domain will be unblocked momentarily.
rgoldman (author), posted September 8, 2021:

Thanks for the help.
itman, posted September 8, 2021 (edited):

Just an FYI here. Allowing unrestricted inbound/outbound network access to PowerShell is a major security risk. Eset's recommended anti-ransomware firewall rules (https://support.eset.com/en/kb6132-configure-firewall-rules-for-eset-endpoint-security-to-protect-against-ransomware) block all inbound/outbound PowerShell network traffic.

(Edited September 8, 2021 by itman.)
rgoldman (author), posted September 8, 2021:

I understand. I was just wanting to exclude one of my domains, not PowerShell completely. Thanks!