Guest h4X0R, posted February 29:

Hi, I'm trying NOD32 on Windows 10. I have set up HIPS in smart mode plus the rules described in this KB. Rule "deny child processes for powershell.exe" threw this alert and I'm having trouble reading the command. I can't scroll the text to the right to see the whole command. The log entries don't record the command entry. Any suggestions to try to find the program/process that's triggering this HIPS rule? - thanks

Marcos (Administrators), posted February 29:

Not sure what you mean by "I'm having trouble reading the command". The information shown in the pop-up notification when a HIPS rule is applied is also logged in the HIPS log, provided the logging verbosity was set to "information":

Guest h4X0R, posted February 29:

The command shown underlined here: https://1drv.ms/i/s!Ak1lHmi5pVceiDahVGzLqZVKdjOa?e=8uH7px

I'll try the logging severity setting - thanks

itman, posted February 29:

The ESET-recommended anti-ransomware rule for PowerShell child process startup is detecting it starting conhost.exe. You will have to create a HIPS allow rule for this activity. I did. Appears internal PowerShell maintenance scripts used by Windows perform this activity.

Guest h4X0R, posted February 29:

31 minutes ago, itman said:
> The ESET-recommended anti-ransomware rule for PowerShell child process startup is detecting it starting conhost.exe. You will have to create a HIPS allow rule for this activity. I did. Appears internal PowerShell maintenance scripts used by Windows perform this activity.

Thank you very much for the info.