To resolve this issue:
- Check the event details:
- Event, which contains the exact process command that was blocked
- Detail, which contains the parent process (this is what goes into the Parent entries of the exception)
- For a static command (one whose arguments do not change between runs), this can be resolved by simply clicking Add to Approved Process List.
- For a dynamic command (one whose arguments change between runs), this must be resolved with an exception that uses a regular expression (RegEx). Below is an example of a dynamic command:
-command "& {get-content "C:\Windows\TEMP\input057a2451a28c9f27.tmp" | "D:\scripts\bin\psscript.ps1" | "D:\folder2\" 057a2451a28c9f27}"
Note: in the original event the random/dynamic text was shown in bold, and that formatting is lost here. In this example the text that changes on every run is the random hex token (057a2451a28c9f27) in the temporary file name and in the trailing argument; the RegEx below also treats the script path as variable. Keep each wildcard as narrow as the real variation: every ".*" matches any text at all, so an over-broad RegEx also approves unrelated scripts that are launched with the same command shape under the listed parent processes.
- Convert your process command to RegEx form. Characters that have a special meaning in RegEx and appear literally in the command ({, | and \) must be escaped with a backslash, and the dynamic parts are replaced with .* (or with a tighter pattern that only matches the format of the text that actually varies).
Dynamic Command in RegEx: -command "& \{get-content ".*" \| ".*" \| "D:\\folder2\\" .*}"
- Escape your RegEx so that it is XML compatible: & becomes &amp;, " becomes &quot;, and any < or > become &lt; and &gt;. You can use a tool such as XML Escape / Unescape. An unescaped & inside config.xml makes the file invalid XML.
Dynamic Command in RegEx (XML Escape): -command &quot;&amp; \{get-content &quot;.*&quot; \| &quot;.*&quot; \| &quot;D:\\folder2\\&quot; .*}&quot;
- Navigate to StellarOne > Agents > StellarEnforce > Select Agent/Group > Import/Export, then click Export Agent Configuration to download config.xml.
- Modify config.xml by adding an Exception element like the following. Label identifies the exception (a GUID in this example), Target is the executable the exception applies to, Regex="yes" marks the Arguments text as a RegEx, and Parent1 to Parent4 are the allowed parent processes taken from the Detail field (unused entries are left empty):
<Exception Label="98e7f39b-5d15-47a4-9f71-bd443746c7d5" Target="powershell.exe">
    <Arguments Regex="yes">-command &quot;&amp; \{get-content &quot;.*&quot; \| &quot;.*&quot; \| &quot;D:\\folder2\\&quot; .*}&quot;</Arguments>
    <Parent1>C:\Windows\System32\cmd.exe</Parent1>
    <Parent2>C:\Windows\explorer.exe</Parent2>
    <Parent3/>
    <Parent4/>
</Exception>
- Import the modified config.xml back into StellarOne from the same Import/Export page.
- Run the script again and check whether the command is still blocked.
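The procedure above carried out in code, as an added example that is not part of the original article or of the StellarOne product: it checks that the RegEx matches the whole blocked command (and a later run of the same job) before anything is imported, shows what the same RegEx also lets through when it is built only from ".*", XML-escapes it for hand editing, and builds the Exception element in the shape shown above so the text can be read back the way the agent will see it. The tighter RegEx, the NEXT_RUN_CMD and FOREIGN_CMD sample command lines, and the assumption that only the 16-character hex token varies between runs are mine, not the article's; the article does not show the rest of config.xml, so only the Exception element is built here.

```python
import re
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The blocked command reported in the StellarEnforce event (from the article).
BLOCKED_CMD = (r'-command "& {get-content "C:\Windows\TEMP\input057a2451a28c9f27.tmp"'
               r' | "D:\scripts\bin\psscript.ps1" | "D:\folder2\" 057a2451a28c9f27}"')

# Constructed sample: the same job on a later run, only the hex token differs.
NEXT_RUN_CMD = (r'-command "& {get-content "C:\Windows\TEMP\inputdeadbeef01234567.tmp"'
                r' | "D:\scripts\bin\psscript.ps1" | "D:\folder2\" deadbeef01234567}"')

# Constructed sample of something the exception should NOT cover: an arbitrary
# file piped into an arbitrary script, launched with the same command shape.
FOREIGN_CMD = (r'-command "& {get-content "C:\Users\Public\stage.txt"'
               r' | "C:\Users\Public\run.ps1" | "D:\folder2\" 1}"')

# RegEx exactly as written in the article: every dynamic field becomes ".*".
BROAD_REGEX = r'-command "& \{get-content ".*" \| ".*" \| "D:\\folder2\\" .*}"'

# Tighter alternative (assumption: only the 16-hex-char token varies between
# runs and the script path is fixed), so the exception cannot be reused for
# other scripts under the same parent processes.
TIGHT_REGEX = (r'-command "& \{get-content "C:\\Windows\\TEMP\\input[0-9a-f]{16}\.tmp"'
               r' \| "D:\\scripts\\bin\\psscript\.ps1" \| "D:\\folder2\\" [0-9a-f]{16}}"')


def regex_covers(regex: str, command: str) -> bool:
    """True when the exception RegEx matches the whole blocked command line."""
    return re.fullmatch(regex, command) is not None


def xml_escape(regex: str) -> str:
    """Escape the RegEx for pasting into <Arguments> by hand: & " < > become entities."""
    return escape(regex, {'"': "&quot;"})


def build_exception(regex: str, parents: list, label: str = "") -> ET.Element:
    """Build an <Exception> element in the shape shown in the exported config.xml."""
    exc = ET.Element("Exception", Label=label or str(uuid.uuid4()), Target="powershell.exe")
    args = ET.SubElement(exc, "Arguments", Regex="yes")
    args.text = regex  # ElementTree escapes & < > itself when serialising
    for i in range(1, 5):  # the example carries Parent1..Parent4, unused ones empty
        parent = ET.SubElement(exc, f"Parent{i}")
        if i <= len(parents):
            parent.text = parents[i - 1]
    return exc


def roundtrip(regex: str) -> str:
    """Serialise the element and parse it back: the RegEx text the agent will read."""
    xml_bytes = ET.tostring(build_exception(regex, [r"C:\Windows\System32\cmd.exe"]))
    return ET.fromstring(xml_bytes).find("Arguments").text


if __name__ == "__main__":
    for name, rx in (("broad", BROAD_REGEX), ("tight", TIGHT_REGEX)):
        hits = [regex_covers(rx, c) for c in (BLOCKED_CMD, NEXT_RUN_CMD, FOREIGN_CMD)]
        print(f"{name}: blocked/next-run/foreign -> {hits}")
    print(xml_escape(TIGHT_REGEX))
    parents = [r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"]
    print(ET.tostring(build_exception(TIGHT_REGEX, parents), encoding="unicode"))
```

Run it once against the command copied from the Event field before exporting config.xml: if regex_covers() is False for the blocked command, the exception will not take effect after import, and if it is True for a command you did not intend to approve, the wildcards are wider than the variation you actually have.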