Need Advice A strange notification from Eset IS

[restwrst]

Could anyone shed a light about the meaning of this notification? Does this indicate a harmful action? I have never seen such before

 

[Nightwalker]

Are you using custom HIPS settings? What you changed from default settings?

 

[MacDefender]

Are you using custom HIPS settings? What you changed from default settings?

That’s what I wonder too. But if you were not expecting it, having PowerShell randomly spawn in the background would make me feel very paranoid too. Might be worth running a second opinion scanner.

 

[Nightwalker]

That’s what I wonder too. But if you were not expecting it, having PowerShell randomly spawn in the background would make me feel very paranoid too. Might be worth running a second opinion scanner.

Contrary to popular opinion I dont think that it is a good ideia to tweak ESET settings, default is totally fine, unless the user really knows what he is doing and has a reason to.

 

[blackice]

That’s what I wonder too. But if you were not expecting it, having PowerShell randomly spawn in the background would make me feel very paranoid too. Might be worth running a second opinion scanner.

I had this happen every half hour once when running ESET. From what I could tell it was a printer driver update stuck in a loop from being blocked. Just in case I reimaged and it didn’t reoccur. Never figured it out for sure. But the peace of mind of the reimage was better.

 

[restwrst]

Are you using custom HIPS settings? What you changed from default settings?

Yes. I use custom HIPS. I imported it from someone's because I did not know how to tweak it manually. This problem started to come up just a couple days ago. Any recommendation to fix this problem other than reinstalling windows?

 

[MacDefender]

I had this happen every half hour once when running ESET. From what I could tell it was a printer driver update stuck in a loop from being blocked. Just in case I reimaged and it didn’t reoccur. Never figured it out for sure. But the peace of mind of the reimage was better.

Oh interesting. Yes I suppose it could be a legitimate installation script as well. But this is why I am also, as @Nightwalker alluded to, opposed to tightening HIPS settings by hand with ESET. This is basically inventing your own first-generation behavior blocker, except all the mature behavior blocker products have literally years of experience whitelisting specific exceptions. ESET HIPS is a powerful tool for enterprises or hardening servers that have very static workflows, but I don't think most of us want to sign up to invent our own antivirus add-on!

 

[blackice]

Oh interesting. Yes I suppose it could be a legitimate installation script as well. But this is why I am also, as @Nightwalker alluded to, opposed to tightening HIPS settings by hand with ESET. This is basically inventing your own first-generation behavior blocker, except all the mature behavior blocker products have literally years of experience whitelisting specific exceptions. ESET HIPS is a powerful tool for enterprises or hardening servers that have very static workflows, but I don't think most of us want to sign up to invent our own antivirus add-on!

Agreed. The only hand entered HIPS rules I did amounted to basically recreating controlled folder access and blocking child processes from Office apps.

 

[ForgottenSeer 94654]

Could anyone shed a light about the meaning of this notification? Does this indicate a harmful action? I have never seen such before

View attachment 265802

No. It does not. In Windows there are a number of tasks that run that use powershell, which in turn executes conhost. None of these powershell tasks are needed one bit by the typical Windows operating system. For example, powershell will occasionally run a check to verify if Applocker policy is enabled on the system. This powershell check only has relevance to systems that are part of a domain\Azure Active Directory with Applocker policy pushed by either InTune or Microsoft Endpoint Manager.

You can compare the time stamp of the above block event in the ESET log with the time stamp in the Windows (System) Event Log to see why powershell is launching (what is triggering the block).

Your HIPS rule for powershell is messed up. Powershell should not be permitted to launch at all (whereas it being allowed to launch the child process conhost launching is much less of a concern).

 

[restwrst]

No. It does not. In Windows there are a number of tasks that run that use powershell, which in turn executes conhost. None of these powershell tasks are needed one bit by the typical Windows operating system. For example, powershell will occasionally run a check to verify if Applocker policy is enabled on the system. This powershell check only has relevance to systems that are part of a domain\Azure Active Directory with Applocker policy pushed by either InTune or Microsoft Endpoint Manager.

You can compare the time stamp of the above block event in the ESET log with the time stamp in the Windows (System) Event Log to see why powershell is launching (what is triggering the block).

Your HIPS rule for powershell is messed up. Powershell should not be permitted to launch at all (whereas it being allowed to launch the child process conhost launching is much less of a concern).

Thanks for the advice. I think I'm going to set my HIPS to default. I'm not a happy clicker. At least I know what I do.

 

[Nightwalker]

Yes. I use custom HIPS. I imported it from someone's because I did not know how to tweak it manually. This problem started to come up just a couple days ago. Any recommendation to fix this problem other than reinstalling windows?

That's what I thought, try to reset the settings for default values or better yet, reinstall ESET and don't import someone else settings, default is fine.