mickem / nscp

NSClient++
http://nsclient.org
GNU General Public License v2.0

McAfee ENS: Illegal API Injection / Solution #744

Open aendieh opened 3 years ago

aendieh commented 3 years ago

Issue and Steps to Reproduce

Upgrade the configuration and use PowerShell directly so that ENS does not alert on an illegal API injection. This requires a config change for the PowerShell wrapper, not using cmd /c as a prefix.

Background:

The latest version of McAfee's ENS blocks the cmd /c wrapper for PowerShell as it is an illegal API injection. The command shown does not give any hints about what is actually executed and will be blocked every now and then, which leads to a flapping service.

Threat Target Process Name: POWERSHELL.EXE
Target Parent Process Name: CMD.EXE
Target Name: POWERSHELL.EXE
Target File Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
Threat Target User Name: NT AUTHORITY\SYSTEM
Module Name: Threat Prevention
Action Taken: Blocked
Source Description: powershell.exe -noprofile -command -

change 
cmd /c echo try { scripts\%SCRIPT% %ARGS%; exit($lastexitcode) } catch { Write-Host $_; exit(3) } | %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -command -
to
powershell.exe -noprofile -command "try { scripts\%SCRIPT% %ARGS%; exit($lastexitcode) } catch { Write-Host $_; exit(3) }"

This requires PowerShell version 3.0+ on the server in order to work.
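The wrapper line above lives in the NSClient++ configuration file (nsclient.ini). The fragment below is an added example, not part of the issue or of the NSClient++ project's shipped defaults; it assumes the wrapping is defined under the `[/settings/external scripts/wrappings]` section with the key `ps1`, which is how NSClient++ documents PowerShell wrappings, and shows the blocked form next to the replacement proposed here so the two can be compared in place.

```ini
; nsclient.ini (added example; section and key name assumed from NSClient++ docs)
[/settings/external scripts/wrappings]

; BEFORE: cmd.exe is the parent of powershell.exe and the script body is piped
; to "-command -" via stdin. ENS sees a powershell.exe launched by cmd.exe with an
; opaque command line ("powershell.exe -noprofile -command -") and blocks it,
; so the check flaps.
; ps1 = cmd /c echo try { scripts\%SCRIPT% %ARGS%; exit($lastexitcode) } catch { Write-Host $_; exit(3) } | %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -command -

; AFTER: powershell.exe is launched directly by NSClient++ and the full script
; body is visible on the command line, so there is no cmd.exe parent and the
; process-creation record shows exactly what is executed.
; Requires PowerShell 3.0 or newer on the host.
ps1 = powershell.exe -noprofile -command "try { scripts\%SCRIPT% %ARGS%; exit($lastexitcode) } catch { Write-Host $_; exit(3) }"
```

After changing the wrapping, restart the NSClient++ service and run one of the wrapped checks once by hand; the ENS Threat Prevention log should no longer show a CMD.EXE parent for POWERSHELL.EXE, and the `Source Description` field should carry the full `-command "try { ... }"` string rather than `-command -`.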