Allow Powershell scripts to pass through antivirus - Support and Troubleshooting

Allow Powershell scripts to pass through antivirus Issue Alerts are generated by antivirus for Powershell scripts. The antivirus is blocking the incoming PS sessions from the mid-server. Release All Resolution By design, during the execution of the PowerShell probes, some PowerShell scripts are created on the fly. For every Powershell probe that we run during discovery, the probe passes a .ps file as the probe parameter and a PowerShell script under the temp folder of the MID is created something like " NameOfParameter.RandomNumber.ps1 ". For example for probe "Windows - JBoss Get jboss-service.xml" we have the parameter "findjbossservicexml.ps1" and the following "findjbossservicexml.1031966753134230570.PS1" gets created on the fly during the execution of the .exe on the MID, which can be observed from the below screenshot. "Key" : "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "KeyScriptModule" : "{ [Console]::OutputEncoding = [Text.UTF8Encoding]::UTF8; Write-Output SNC_PowerShell_PID=$pid; & 'scripts\\PowerShell\\PSScript.ps1' -computer '161.36.55.237' -script 'C:\\Windows\\TEMP\\ findjbossservicexml.1031966753134230570.PS1 ' -useCred $true -ismid $false -isDiscovery $true -debug $false -logInfo $false -skipTest $false -executeRemote $false -copyScriptToTarget $false; exit $LASTEXITCODE ", So for every Powershell probe that we pass .ps file as the parameter, we have a script created under the temp folder. The list of all such parameters can be found here below https:// .service-now.com/discovery_probe_parameter_list.do?sysparm_query=nameLIKE.ps&sysparm_first_row=1&sysparm_view=&sysparm_choice_query_raw=&sysparm_list_header_search=true For every WMIRunner probe, we create some scripts with the format of " WMI_FetchData_RANDOMNUMBER.ps1 ", based on the WMI fields defined in the probe. There would be some internal scripts running parallelly under the temp of the MID. There is no common format as such for naming these scripts. Each follows a different format for PowerShell, WMIRunner and for internal scripts. For any script that we run on the MID, we always use the " scripts\\PowerShell\\PSScript.ps " and we pass the file under the temp folder as a parameter to this script. In the antivirus, if we run " scripts\\PowerShell\\PSScript.ps " with any parameter the script would be safe as this script belongs to the MID Server. The below points can be taken into consideration MID Server is running the command using " Process" : "\\Device\\HarddiskVolume3\\ServiceNow\\agent\\jre\\bin\\java.exe " The command is " scripts\\PowerShell\\PSScript.ps " (this script belongs to the MID server and MID Server can only run it) In the command we always have " -isDiscovery $true " in the parameters to make sure that discovery is only running the script " Process" : "\\Device\\HarddiskVolume3\\ServiceNow\\agent\\jre\\bin\\java.exe ", ..... "Key" : "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "KeyScriptModule" : "{ [Console]::OutputEncoding = [Text.UTF8Encoding]::UTF8; Write-Output SNC_PowerShell_PID=$pid; & ' scripts\\PowerShell\\PSScript.ps1 ' -computer 'ams-p-rdsgsd01' -script 'C:\\Users\\SVC-SN~1\\AppData\\Local\\Temp\\script.4422133186211577577.PS1' 'use_mid_service_account' $false -useCred $true -ismid $false -isDiscovery $true -debug $false -logInfo $false -skipTest $false -executeRemote $false -copyScriptToTarget $false; exit $LASTEXITCODE ", "MountPoint" : "", So, the configuration of the antivirus should be adjusted as per the above points to consider the above are valid so that it does not block the processes.