GitLiveApp / GitLive

GitLive Docs

Plugin startup triggers symantec end-point protection, powershell command is blocked #153

Open rcastagno opened 2 months ago

rcastagno commented 2 months ago

After the last update I'm getting two Symantec errors each time I start IDEA, and more specifically each time I start up the plugin.

I verified, and the stopped command looks like this

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -EncodedCommand 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

which can be decoded to

```powershell
& {
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class Dir {
  [DllImport("shell32.dll")]
  private static extern int SHGetKnownFolderPath([MarshalAs(UnmanagedType.LPStruct)] Guid rfid, uint dwFlags, IntPtr hToken, out IntPtr pszPath);
  public static string GetKnownFolderPath(string rfid) {
    IntPtr pszPath;
    if (SHGetKnownFolderPath(new Guid(rfid), 0, IntPtr.Zero, out pszPath) != 0) return "";
    string path = Marshal.PtrToStringUni(pszPath);
    Marshal.FreeCoTaskMem(pszPath);
    return path;
  }
}
"@
[Dir]::GetKnownFolderPath("3EB685DB-65F9-4CF6-A03A-E3EF65729F3D")
[Dir]::GetKnownFolderPath("F1B32785-6FBA-4FCF-9D55-7B8E7F157091")
}
```

I've been able to track it down to the directories-26.jar package which seems to do some convoluted spins to determine a bunch of "default folders", but I've been unable to determine the actual usage of those calls.

The fundamental problem is that encoded powershell commands are blocked as they are a security threat.

I'd like to know:

1) why it is done this way
2) what the actual usage by the plugin is, that is, whether it is fundamental for the correct functioning of the plugin, or whether it can run correctly even if those commands fail
3) where this library is from (that is, whether it's yours or third party)

For the time being, I'm disabling this plugin.
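The decoding step the reporter describes ("which can be decoded to") is the same one an analyst performs when an endpoint product flags an `-EncodedCommand` launch. The following is an added triage example, not code from GitLive or from directories-jvm: it locates the encoded argument on a command line (powershell.exe accepts any unambiguous prefix of `-EncodedCommand`, such as `-e` or `-enc`), decodes it as base64 over UTF-16LE, and reports which well-known folder GUIDs and which risky constructs the decoded script contains. The two GUIDs are the ones from the report, mapped to their names in KnownFolders.h and to the environment variables that resolve to the same directories. The sample command line is constructed here by re-encoding the script from the report, because the original payload is elided on the page.

```python
"""Triage a powershell.exe -EncodedCommand launch (added example, not project code)."""
import base64
import re
from typing import Optional

# KNOWNFOLDERID GUIDs from KnownFolders.h that the decoded script passes to
# SHGetKnownFolderPath, with the environment variable that yields the same path.
KNOWN_FOLDERS = {
    "3EB685DB-65F9-4CF6-A03A-E3EF65729F3D": ("FOLDERID_RoamingAppData", "APPDATA"),
    "F1B32785-6FBA-4FCF-9D55-7B8E7F157091": ("FOLDERID_LocalAppData", "LOCALAPPDATA"),
}

# Constructs worth surfacing to a reviewer, matched against the decoded text.
INDICATORS = {
    "in-memory P/Invoke via Add-Type DllImport": re.compile(r"Add-Type.*?DllImport", re.S),
    "known-folder lookup (SHGetKnownFolderPath)": re.compile(r"SHGetKnownFolderPath"),
}

GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
# Any flag starting with "e" followed by a base64 token; the prefix check is done in code.
ENC_FLAG_RE = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed sample: the decoded script quoted in the report.
DECODED_SCRIPT = '''& {
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class Dir {
  [DllImport("shell32.dll")]
  private static extern int SHGetKnownFolderPath([MarshalAs(UnmanagedType.LPStruct)] Guid rfid, uint dwFlags, IntPtr hToken, out IntPtr pszPath);
  public static string GetKnownFolderPath(string rfid) {
    IntPtr pszPath;
    if (SHGetKnownFolderPath(new Guid(rfid), 0, IntPtr.Zero, out pszPath) != 0) return "";
    string path = Marshal.PtrToStringUni(pszPath);
    Marshal.FreeCoTaskMem(pszPath);
    return path;
  }
}
"@
[Dir]::GetKnownFolderPath("3EB685DB-65F9-4CF6-A03A-E3EF65729F3D")
[Dir]::GetKnownFolderPath("F1B32785-6FBA-4FCF-9D55-7B8E7F157091")
}'''


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Reverse of encode_command."""
    return base64.b64decode(b64).decode("utf-16-le")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 argument of -EncodedCommand (or any prefix such as -e, -enc), else None."""
    for m in ENC_FLAG_RE.finditer(cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):
            return m.group(2)
    return None


def triage(cmdline: str) -> dict:
    """Decode an encoded launch and report known folders and indicators found in the script."""
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return {"encoded": False}
    script = decode_encoded_command(b64)
    folders = [KNOWN_FOLDERS[g.upper()] for g in GUID_RE.findall(script) if g.upper() in KNOWN_FOLDERS]
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    return {"encoded": True, "script": script, "known_folders": folders, "indicators": hits}


# Constructed command line in the shape quoted in the report (payload rebuilt from DECODED_SCRIPT).
SAMPLE_CMDLINE = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -EncodedCommand "
    + encode_command(DECODED_SCRIPT)
)

if __name__ == "__main__":
    report = triage(SAMPLE_CMDLINE)
    for name, env in report["known_folders"]:
        print(f"{name} (same as %{env}%)")
    for hit in report["indicators"]:
        print("indicator:", hit)
```

Run against the sample, the report shows that the launch only resolves `FOLDERID_RoamingAppData` and `FOLDERID_LocalAppData`, and that it does so through an in-memory P/Invoke wrapper compiled with `Add-Type`, which is exactly the pattern an endpoint product will treat as suspicious regardless of intent. The env-var column is an assumption on my part about what a caller could use instead; it is not what directories-jvm or GitLive does.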

nbransby commented 2 months ago

Hi @rcastagno, thanks for the detailed report. This is the library; it looks like it might be a known issue: https://github.com/dirs-dev/directories-jvm/issues/28

It's used to get the location to store caches. Hopefully the issue will be fixed soon, but in the meantime we'll see if it's possible to get the cache directory directly from the IntelliJ SDK.

rcastagno commented 2 months ago

Thanks for the quick response. I'll relay this info to our sysadmins.

nbransby commented 2 months ago

A fix for this will be released before the end of the week. In the meantime do you have VS Code installed and are you able to let us know if it also triggers symantec end-point protection?

rcastagno commented 2 months ago

VS Code 1.88.1 does not trigger Symantec end-point protection

nbransby commented 2 months ago

Sorry, I didn't do a very good job of explaining myself! I meant VS Code with the GitLive extension installed.

Also, good news: version 17.1.1 of the GitLive JetBrains plugin is available and should fix your issue.

rcastagno commented 2 months ago

Sorry, brain was not on at that moment.

BTW, new version seems good on both VS Code and Idea, thanks!