Powershell URL Exclusion

rgoldman · September 8, 2021

Hi

Recently I have an issue with ESET blocking powershell from downloading a file on my domain/url. It's a bginfo script.

I need to allow this to execute but I don't want to allow powershell access to everything, so I need to just allow my domain/url.

First I added it to allowed/excluded in Web Protection but doesn't seem to allow it. Now I've attempted to create a firewall rule to see if that works. Any other ideas?

Thanks

itman · September 8, 2021

31 minutes ago, rgoldman said:

Recently I have an issue with ESET blocking powershell from downloading a file on my domain/url. It's a bginfo script.

Is this an internal network domain?

rgoldman · September 8, 2021

No, it’s external on the Internet

itman · September 8, 2021

You will have to determine which Eset component is blocking the outbound Powershell communication. Start by reviewing your Detections log. If a related entry is not there, check the HIPS, Network protection, etc. logs.

rgoldman · September 8, 2021

Hi and thanks

It says its the HTTP filter, so I'm thinking I need to create a new policy and refresh it.

Marcos · September 8, 2021

Please post the appropriate record from the Detections log.

rgoldman · September 8, 2021

<?xml version="1.0" encoding="utf-8" ?>
<ESET>
<LOG>
<RECORD>
<COLUMN NAME="Time">9/8/2021 10:09:10 AM</COLUMN>
<COLUMN NAME="Scanner">HTTP filter</COLUMN>
<COLUMN NAME="Object type">file</COLUMN>
<COLUMN NAME="Object">https://mydomain.dom/s/MTx56fiz7kKC4No/download</COLUMN>
<COLUMN NAME="Detection">Blocked Object</COLUMN>
<COLUMN NAME="Action">connection terminated</COLUMN>
<COLUMN NAME="User">SHOPTECH\user</COLUMN>
<COLUMN NAME="Information">Event occurred during an attempt to access the web by the application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054).</COLUMN>
<COLUMN NAME="Hash">35D8C4E86ECF41973D340BCC02B7DAEC4077106B</COLUMN>
<COLUMN NAME="First seen here">8/11/2021 10:09:14 AM</COLUMN>
</RECORD>
</LOG>
</ESET>

export.txt

rgoldman · September 8, 2021

An Event Log notification has occurred with the following parameters:

Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Object URI: https://mydomain.dom/s/MTx56fiz7kKC4No/download

Severity: Warning

Detection Type:

Detection Name: Blocked

Object Type: file

Action Performed: Connection terminated

Restart: no

Circumstances: Event occurred during an attempt to access the web.

Marcos · September 8, 2021

Is mydomain.com the actual domain from which you downloaded the file?

rgoldman · September 8, 2021

No but I didn't want to post it here, it's xxxxx.

Edited September 8, 2021 by Marcos
domain hidden

Marcos · September 8, 2021

The domain will be unblocked momentarily.

rgoldman · September 8, 2021

Thanks for the help

itman · September 8, 2021

Just a FYI here.

Allowing unrestricted inbound/outbound network access to PowerShell is a major security risk. Eset recommended anti-ransomware firewall rules: https://support.eset.com/en/kb6132-configure-firewall-rules-for-eset-endpoint-security-to-protect-against-ransomware , block all inbound/outbound PowerShell network traffic.

Edited September 8, 2021 by itman

rgoldman · September 8, 2021

I understand. I was just wanting to exclude one of my domains, not powershell completely. Thanks!

Sign In

Powershell URL Exclusion

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Quick search

FAQ

Topics