<h2>Allow PowerShell scripts to pass through antivirus</h2><br/><div style="overflow-x:auto"><article><div ><h3 >Issue </h3><section><ul><li>The antivirus on the MID Server host generates alerts for PowerShell scripts.</li><li>The antivirus blocks the PowerShell sessions that the MID Server starts.<br /><br /><img src="/sys_attachment.do?sys_id=6c87fe51db6ad99008bbdb85ca96192b" alt="PS sessions from the mid-server" width="900" height="358" /></li></ul></section></div><div ><h3 >Release</h3><section><ul><li>All</li></ul></section></div><div ><h3 >Resolution</h3><section><ul>
<li>By design, the MID Server creates PowerShell scripts on the fly while it executes PowerShell probes.<br /><br /></li>
<li>For every PowerShell probe that Discovery runs, the probe passes a .ps1 file as a probe parameter, and the MID Server writes a copy of it to its temp folder under a name of the form "<em><strong>NameOfParameter.RandomNumber.ps1</strong></em>". The temp folder is the one belonging to the account the MID Server service runs as: <em><strong>C:\\Windows\\TEMP</strong></em> in the first record below, the service account's own <em><strong>AppData\\Local\\Temp</strong></em> in the second.<br /><br /></li>
<li>For example, the probe <em><strong>"Windows - JBoss Get jboss-service.xml"</strong></em> has the parameter <em><strong>"findjbossservicexml.ps1"</strong></em>, and the file <em><strong>"findjbossservicexml.1031966753134230570.PS1"</strong></em> is created on the fly while powershell.exe runs on the MID Server. The antivirus record below shows the launch:<br /><br /><strong><em>"Key" : "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",</em></strong><br /><strong><em>"KeyScriptModule" : "{ [Console]::OutputEncoding = [Text.UTF8Encoding]::UTF8; Write-Output SNC_PowerShell_PID=$pid; & 'scripts\\PowerShell\\PSScript.ps1' -computer '161.36.55.237' -script 'C:\\Windows\\TEMP\\<span style="background-color: #ffff00;">findjbossservicexml.1031966753134230570.PS1</span>' -useCred $true -ismid $false -isDiscovery $true -debug $false -logInfo $false -skipTest $false -executeRemote $false -copyScriptToTarget $false; exit $LASTEXITCODE ",</em></strong><br /><br /><img src="/sys_attachment.do?sys_id=62283a15db6ad99008bbdb85ca961942" width="750" height="423" /><br /><br /></li>
<li>So for every PowerShell probe that receives a .ps1 file as a parameter, a script is created under the temp folder. The list of all such parameters can be found at<br /><br /><em>https://<instance_name>.service-now.com/discovery_probe_parameter_list.do?sysparm_query=nameLIKE.ps&sysparm_first_row=1&sysparm_view=&sysparm_choice_query_raw=&sysparm_list_header_search=true</em><br /><br /></li>
<li>For every WMIRunner probe, the MID Server creates scripts named "<em><strong>WMI_FetchData_RANDOMNUMBER.ps1</strong></em>", generated from the WMI fields defined in the probe.<br /><br /></li>
<li>Some internal scripts also run in parallel from the MID Server's temp folder.<br /><br /></li>
<li>There is no single naming convention for these scripts: PowerShell probe scripts, WMIRunner scripts and internal scripts each follow a different format, and the numeric part of the name is random, so an antivirus rule cannot be keyed on the file name alone.<br /><br /></li>
<li>Every script that runs on the MID Server is invoked through the MID Server's own wrapper "<em><strong>scripts\\PowerShell\\PSScript.ps1</strong></em>", which receives the temp-folder file as its <em><strong>-script</strong></em> parameter.<br /><br /></li>
<li>The antivirus can therefore treat an invocation of "<em><strong>scripts\\PowerShell\\PSScript.ps1</strong></em>" by the MID Server as expected behaviour, whatever parameters it carries, because this script ships with the MID Server.<br /><br /></li>
<li>The following attributes of the launch identify it as the MID Server's:<br /><br /> <ul><li>The parent process is the MID Server's bundled JRE: "<em><strong>Process" : "\\Device\\HarddiskVolume3\\ServiceNow\\agent\\jre\\bin\\java.exe</strong></em>"<br /><br /></li><li>The command invokes "<em><strong>scripts\\PowerShell\\PSScript.ps1</strong>"</em>, which ships with the MID Server and is run only by the MID Server<br /><br /></li><li>The parameters always include "<em><strong>-isDiscovery $true</strong></em>", marking the script as one run by Discovery<br /><br /><em><strong>"<span style="background-color: #ffff00;">Process" : "\\Device\\HarddiskVolume3\\ServiceNow\\agent\\jre\\bin\\java.exe</span>",</strong></em><br /><em><strong>.....</strong></em><br /><em><strong>"Key" : "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",</strong></em><br /><em><strong>"KeyScriptModule" : "{ [Console]::OutputEncoding = [Text.UTF8Encoding]::UTF8; Write-Output SNC_PowerShell_PID=$pid; & '<span style="background-color: #ffff00;">scripts\\PowerShell\\PSScript.ps1</span>' -computer 'ams-p-rdsgsd01' -script 'C:\\Users\\SVC-SN~1\\AppData\\Local\\Temp\\script.4422133186211577577.PS1' 'use_mid_service_account' $false -useCred $true -ismid $false <span style="background-color: #ffff00;">-isDiscovery $true</span> -debug $false -logInfo $false -skipTest $false -executeRemote $false -copyScriptToTarget $false; exit $LASTEXITCODE ",</strong></em><br /><em><strong>"MountPoint" : "",<br /></strong></em></li></ul> </li>
<li>Adjust the antivirus configuration so that launches matching these attributes are not blocked. Scope the exclusion to the combination of parent process path, wrapper script and <em><strong>-isDiscovery $true</strong></em>, not to powershell.exe, the temp folder or a file-name pattern on its own: the temp-file names are random, and an exclusion on the temp folder or on powershell.exe in general would also cover scripts that the MID Server did not create.</li></ul></section></div></article></div>
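<p>The following PowerShell is an added example, not part of this article and not ServiceNow's MID Server code. It applies the three attributes listed above (MID Server java.exe as parent, scripts\PowerShell\PSScript.ps1 as wrapper, -isDiscovery $true in the parameters) to a launch record, so an antivirus rule can be tested against exactly those criteria before it is written. The function names are made up for the example, the MID Server install root is assumed to be ...\ServiceNow\agent, the first two sample records are the ones quoted in this article (with their JSON backslash escaping kept), and the third record is a constructed non-MID launch that deliberately shares a java.exe parent, a look-alike file name and the -isDiscovery flag.</p>

```powershell
# Added example, not ServiceNow code: classify a powershell.exe launch on the MID Server host against the
# three attributes from this article (parent is the MID Server's java.exe, wrapper is
# scripts\PowerShell\PSScript.ps1, parameters carry -isDiscovery $true).
# Assumption: the MID Server is installed under <drive>:\ServiceNow\agent; adjust $MidJavaExe otherwise.
$MidJavaExe = 'ServiceNow\agent\jre\bin\java.exe'

function Test-MidDiscoveryPowerShell {
    param(
        [AllowEmptyString()] [string] $ParentPath,   # executable that spawned powershell.exe
        [AllowEmptyString()] [string] $CommandLine   # command line / script block given to powershell.exe
    )
    # Antivirus records are JSON-escaped (\\ for \); live Win32_Process data is not. Normalise both forms.
    $parent = $ParentPath  -replace '\\{2,}', '\'
    $cmd    = $CommandLine -replace '\\{2,}', '\'

    # 1. Parent process is the MID Server's own JRE. Suffix match so that the \Device\HarddiskVolumeN\
    #    form seen in antivirus logs and a plain drive-letter path are both accepted.
    $parentOk = $parent -like "*\$MidJavaExe"
    # 2. The wrapper being invoked is the MID Server's scripts\PowerShell\PSScript.ps1.
    $wrapperOk = $cmd -match "&\s*'scripts\\PowerShell\\PSScript\.ps1'"
    # 3. Discovery always passes -isDiscovery $true (single quotes keep $true literal in the regex).
    $discoveryOk = $cmd -match '-isDiscovery\s+\$true'

    # Informational only: which temp-folder script is run and whether its name follows the
    # <parameter>.<random>.ps1 or WMI_FetchData_<random>.ps1 convention. Internal scripts vary and a
    # name match on its own proves nothing (see the constructed sample), so it is not part of the verdict.
    $scriptPath = if ($cmd -match "-script\s+'(?<p>[^']+)'") { $Matches['p'] } else { '' }
    $scriptName = if ($scriptPath) { Split-Path -Leaf $scriptPath } else { '' }
    $knownName  = [bool]($scriptName -match '^(?:[\w-]+\.\d+|WMI_FetchData_\d+)\.ps1$')

    [pscustomobject]@{
        ParentIsMidJava   = $parentOk
        WrapperIsPSScript = $wrapperOk
        HasDiscoveryFlag  = $discoveryOk
        TempScript        = $scriptPath
        KnownNamePattern  = $knownName
        MatchesMidRule    = ($parentOk -and $wrapperOk -and $discoveryOk)
    }
}

# Constructed samples: the first two reproduce the records quoted in this article, the third is a made-up
# launch that is NOT the MID Server although it has a java.exe parent, a look-alike name and the flag.
$CmdJboss = @'
{ [Console]::OutputEncoding = [Text.UTF8Encoding]::UTF8; Write-Output SNC_PowerShell_PID=$pid; & 'scripts\\PowerShell\\PSScript.ps1' -computer '161.36.55.237' -script 'C:\\Windows\\TEMP\\findjbossservicexml.1031966753134230570.PS1' -useCred $true -ismid $false -isDiscovery $true -debug $false -logInfo $false -skipTest $false -executeRemote $false -copyScriptToTarget $false; exit $LASTEXITCODE
'@
$CmdSvcAcct = @'
{ [Console]::OutputEncoding = [Text.UTF8Encoding]::UTF8; Write-Output SNC_PowerShell_PID=$pid; & 'scripts\\PowerShell\\PSScript.ps1' -computer 'ams-p-rdsgsd01' -script 'C:\\Users\\SVC-SN~1\\AppData\\Local\\Temp\\script.4422133186211577577.PS1' 'use_mid_service_account' $false -useCred $true -ismid $false -isDiscovery $true -debug $false -logInfo $false -skipTest $false -executeRemote $false -copyScriptToTarget $false; exit $LASTEXITCODE
'@
$CmdOther = @'
& 'C:\Users\Public\run.ps1' -script 'C:\Users\Public\update.4711.ps1' -isDiscovery $true
'@
$Samples = @(
    @{ Label = 'KB record 1 (JBoss probe)';     Parent = '\\Device\\HarddiskVolume3\\ServiceNow\\agent\\jre\\bin\\java.exe'; Cmd = $CmdJboss }
    @{ Label = 'KB record 2 (service account)'; Parent = '\\Device\\HarddiskVolume3\\ServiceNow\\agent\\jre\\bin\\java.exe'; Cmd = $CmdSvcAcct }
    @{ Label = 'constructed non-MID launch';    Parent = 'C:\Program Files\Java\jre\bin\java.exe';                          Cmd = $CmdOther }
)

function Invoke-SampleCheck {
    # Runs the rule over the constructed samples; one result object per launch.
    foreach ($s in $Samples) {
        Test-MidDiscoveryPowerShell -ParentPath $s.Parent -CommandLine $s.Cmd |
            Add-Member -NotePropertyName Label -NotePropertyValue $s.Label -PassThru
    }
}
Invoke-SampleCheck | Format-Table Label, MatchesMidRule, ParentIsMidJava, WrapperIsPSScript, HasDiscoveryFlag, KnownNamePattern, TempScript -AutoSize

function Get-MidPowerShellLaunches {
    # Live variant for the MID Server host: evaluate every running powershell.exe while Discovery is active.
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $all) {
        if ($p.Name -ne 'powershell.exe') { continue }
        $parentProc = $byPid[[int]$p.ParentProcessId]          # may be missing if the parent already exited
        $parentPath = if ($parentProc -and $parentProc.ExecutablePath) { $parentProc.ExecutablePath } else { '' }
        Test-MidDiscoveryPowerShell -ParentPath $parentPath -CommandLine ([string]$p.CommandLine) |
            Add-Member -NotePropertyName ProcessId -NotePropertyValue $p.ProcessId -PassThru
    }
}
# Get-MidPowerShellLaunches | Format-Table -AutoSize    # run on the MID Server host during a Discovery run
```

<p>The verdict is deliberately the conjunction of all three attributes. The third sample is there to show why: it carries <em>-isDiscovery $true</em>, its file name follows the <em>name.number.ps1</em> convention and its parent is a java.exe, yet none of that makes it the MID Server, and only the wrapper and parent-path checks separate it from the two genuine records. Run <em>Get-MidPowerShellLaunches</em> on the MID Server host while Discovery is active to confirm that every launch you intend to exclude actually matches the rule, and that nothing else does.</p>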