Advice Request A strange notification from Eset IS

Please provide comments and solutions that are helpful to the author of this topic.

restwrst

Level 1
Thread author
Verified
Jan 17, 2019
37
Could anyone shed a light about the meaning of this notification? Does this indicate a harmful action? I have never seen such before

sdsds.jpg
 
  • Wow
  • Like
Reactions: Nevi and show-Zi

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
That’s what I wonder too. But if you were not expecting it, having PowerShell randomly spawn in the background would make me feel very paranoid too. Might be worth running a second opinion scanner.

Contrary to popular opinion I dont think that it is a good ideia to tweak ESET settings, default is totally fine, unless the user really knows what he is doing and has a reason to.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
That’s what I wonder too. But if you were not expecting it, having PowerShell randomly spawn in the background would make me feel very paranoid too. Might be worth running a second opinion scanner.
I had this happen every half hour once when running ESET. From what I could tell it was a printer driver update stuck in a loop from being blocked. Just in case I reimaged and it didn’t reoccur. Never figured it out for sure. But the peace of mind of the reimage was better.
 

restwrst

Level 1
Thread author
Verified
Jan 17, 2019
37
Are you using custom HIPS settings? What you changed from default settings?
Yes. I use custom HIPS. I imported it from someone's because I did not know how to tweak it manually. This problem started to come up just a couple days ago. Any recommendation to fix this problem other than reinstalling windows?
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
I had this happen every half hour once when running ESET. From what I could tell it was a printer driver update stuck in a loop from being blocked. Just in case I reimaged and it didn’t reoccur. Never figured it out for sure. But the peace of mind of the reimage was better.
Oh interesting. Yes I suppose it could be a legitimate installation script as well. But this is why I am also, as @Nightwalker alluded to, opposed to tightening HIPS settings by hand with ESET. This is basically inventing your own first-generation behavior blocker, except all the mature behavior blocker products have literally years of experience whitelisting specific exceptions. ESET HIPS is a powerful tool for enterprises or hardening servers that have very static workflows, but I don't think most of us want to sign up to invent our own antivirus add-on!
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Oh interesting. Yes I suppose it could be a legitimate installation script as well. But this is why I am also, as @Nightwalker alluded to, opposed to tightening HIPS settings by hand with ESET. This is basically inventing your own first-generation behavior blocker, except all the mature behavior blocker products have literally years of experience whitelisting specific exceptions. ESET HIPS is a powerful tool for enterprises or hardening servers that have very static workflows, but I don't think most of us want to sign up to invent our own antivirus add-on!
Agreed. The only hand entered HIPS rules I did amounted to basically recreating controlled folder access and blocking child processes from Office apps.
 
F

ForgottenSeer 94654

Could anyone shed a light about the meaning of this notification? Does this indicate a harmful action? I have never seen such before

View attachment 265802
No. It does not. In Windows there are a number of tasks that run that use powershell, which in turn executes conhost. None of these powershell tasks are needed one bit by the typical Windows operating system. For example, powershell will occasionally run a check to verify if Applocker policy is enabled on the system. This powershell check only has relevance to systems that are part of a domain\Azure Active Directory with Applocker policy pushed by either InTune or Microsoft Endpoint Manager.

You can compare the time stamp of the above block event in the ESET log with the time stamp in the Windows (System) Event Log to see why powershell is launching (what is triggering the block).

Your HIPS rule for powershell is messed up. Powershell should not be permitted to launch at all (whereas it being allowed to launch the child process conhost launching is much less of a concern).
 

restwrst

Level 1
Thread author
Verified
Jan 17, 2019
37
No. It does not. In Windows there are a number of tasks that run that use powershell, which in turn executes conhost. None of these powershell tasks are needed one bit by the typical Windows operating system. For example, powershell will occasionally run a check to verify if Applocker policy is enabled on the system. This powershell check only has relevance to systems that are part of a domain\Azure Active Directory with Applocker policy pushed by either InTune or Microsoft Endpoint Manager.

You can compare the time stamp of the above block event in the ESET log with the time stamp in the Windows (System) Event Log to see why powershell is launching (what is triggering the block).

Your HIPS rule for powershell is messed up. Powershell should not be permitted to launch at all (whereas it being allowed to launch the child process conhost launching is much less of a concern).
Thanks for the advice. I think I'm going to set my HIPS to default. I'm not a happy clicker. At least I know what I do.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
Yes. I use custom HIPS. I imported it from someone's because I did not know how to tweak it manually. This problem started to come up just a couple days ago. Any recommendation to fix this problem other than reinstalling windows?

That's what I thought, try to reset the settings for default values or better yet, reinstall ESET and don't import someone else settings, default is fine.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top