Jump to content

Powershell URL Exclusion


Recommended Posts

Hi

Recently I have an issue with ESET blocking powershell from downloading a file on my domain/url. It's a bginfo script.

I need to allow this to execute but I don't want to allow powershell access to everything, so I need to just allow my domain/url.

First I added it to allowed/excluded in Web Protection but doesn't seem to allow it. Now I've attempted to create a firewall rule to see if that works. Any other ideas?

Thanks

Link to comment
Share on other sites

31 minutes ago, rgoldman said:

Recently I have an issue with ESET blocking powershell from downloading a file on my domain/url. It's a bginfo script.

Is this an internal network domain?

Link to comment
Share on other sites

You will have to determine which Eset component is blocking the outbound Powershell communication. Start by reviewing your Detections log. If a related entry is not there, check the HIPS, Network protection, etc. logs.

Link to comment
Share on other sites

<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Time">9/8/2021 10:09:10 AM</COLUMN>
      <COLUMN NAME="Scanner">HTTP filter</COLUMN>
      <COLUMN NAME="Object type">file</COLUMN>
      <COLUMN NAME="Object">https://mydomain.dom/s/MTx56fiz7kKC4No/download</COLUMN>
      <COLUMN NAME="Detection">Blocked Object</COLUMN>
      <COLUMN NAME="Action">connection terminated</COLUMN>
      <COLUMN NAME="User">SHOPTECH\user</COLUMN>
      <COLUMN NAME="Information">Event occurred during an attempt to access the web by the application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054).</COLUMN>
      <COLUMN NAME="Hash">35D8C4E86ECF41973D340BCC02B7DAEC4077106B</COLUMN>
      <COLUMN NAME="First seen here">8/11/2021 10:09:14 AM</COLUMN>
    </RECORD>
 </LOG>
</ESET>

export.txt

Link to comment
Share on other sites

An Event Log notification has occurred with the following parameters:

Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Object URI: https://mydomain.dom/s/MTx56fiz7kKC4No/download

Severity: Warning

Detection Type: 

Detection Name: Blocked

Object Type: file

Action Performed: Connection terminated

Restart: no

Circumstances: Event occurred during an attempt to access the web.

Link to comment
Share on other sites

Just a FYI here.

Allowing unrestricted inbound/outbound network access to PowerShell is a major security risk. Eset recommended anti-ransomware firewall rules: https://support.eset.com/en/kb6132-configure-firewall-rules-for-eset-endpoint-security-to-protect-against-ransomware , block all inbound/outbound PowerShell network traffic.

Edited by itman
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...