InfiniteImp

System Watcher keeps blocking crypto mining scripts


Is there a way to keep System Watcher from blocking CMD.EXE when it's used to launch PowerShell scripts (.ps1) in a given folder?  The crypto mining software in question is a series of scripts.  Most work fine, some do not. In this case KIS throws a "Startup of cmd.exe blocked" error due to "Suspicious application behavior".

I'd like to keep protection for malicious scripts but allow the ones in the mining folder to execute.  I've added the mining folder to the exclusions list  (Threats & Exclusions settings -> Manage Exclusions) but no help.  I can't add cmd.exe to the trusted programs list as I don't want KIS to blindly allow harmful scripts to execute.

Is there a way to address this?  Right now my only option is to disable System Watcher.

Thanks.


Have you thought about making an exception to the folder with the Scripts? Not sure if this would help, but it might be that running CMD.EXE is not the problem so much, but it's the scripts running that are causing the blocking of cmd.exe. Otherwise, IMO, Kaspersky would block cmd.exe all the time, but it doesn't...Worth a try

1 minute ago, plb4333 said:

Have you thought about making an exception to the folder with the Scripts? Not sure if this would help, but it might be that running CMD.EXE is not the problem so much, but it's the scripts running that are causing the blocking of cmd.exe. Otherwise, IMO, Kaspersky would block cmd.exe all the time, but it doesn't...Worth a try

Thanks for the answer, but like I said, I have the mining folder in the exclusion list and it's not helping.


Sorry about that. I read your post too fast and had left and returned, forgetting some of what you said.

On 2/23/2019 at 4:07 PM, InfiniteImp said:

Is there a way to keep System Watcher from blocking CMD.EXE when it's used to launch PowerShell scripts (.ps1) in a given folder?  The crypto mining software in question is a series of scripts.  Most work fine, some do not. In this case KIS throws a "Startup of cmd.exe blocked" error due to "Suspicious application behavior".

I'd like to keep protection for malicious scripts but allow the ones in the mining folder to execute.  I've added the mining folder to the exclusions list  (Threats & Exclusions settings -> Manage Exclusions) but no help.  I can't add cmd.exe to the trusted programs list as I don't want KIS to blindly allow harmful scripts to execute.

Is there a way to address this?  Right now my only option is to disable System Watcher.

Thanks.


Here's a possibility. Go to Kaspersky Settings, then 'Additional', then 'Threats and Exclusions', about 1/2 way down there's 'Manage Exclusions', after clicking that, then Click 'Add'. In this window popup, input the folder with scripts, then go to bottom of window and set the protection components to be as 'Inactive'. This includes System Watcher, plus other components. Otherwise you could just click System Watcher so that the checkmark is gone making it inactive.

16 minutes ago, plb4333 said:

Here's a possibility. Go to Kaspersky Settings, then 'Additional', then 'Threats and Exclusions', about 1/2 way down there's 'Manage Exclusions', after clicking that, then Click 'Add'. In this window popup, input the folder with scripts, then go to bottom of window and set the protection components to be as 'Inactive'. This includes System Watcher, plus other components. Otherwise you could just click System Watcher so that the checkmark is gone making it inactive.

Tried that, and if I disable all the components at the bottom of the screen KIS disables the 'Save' button and will not let you save.

I understand the component checkboxes as "the checked ones are the ones which will be disabled by this rule", therefore if you uncheck them all you would be creating a rule that does nothing as it doesn't bypass any KIS modules.


But did you try leaving all of the components checked and then just clicking the box below them so that it's Inactive as opposed to Active by default? Wasn't sure if you only did the unchecking of components is all.

Maybe just disable the 'Scan' option. This should cover everything I would think, and then it should allow saving.

Object name for making exclusion would probably be: HEUR:Trojan.PowerShell.Generic

After reviewing this Kaspersky setting window, it looks like I misunderstood how it works. To me, it looks like the default is as an exception and the person would want to leave all components as clicked. And the Active on the bottom of window, as is. But it might be if the object name I listed could make a difference for working, not exactly sure. I had never used this setting before in Kaspersky so was unfamiliar with it. The double-checking helped though and I believe just putting in the folder name with the object name as well, and nothing else done, would work ok.

Edited by plb4333

1 hour ago, plb4333 said:

But did you try leaving all of the components checked and then just clicking the box below them so that it's Inactive as opposed to Active by default? Wasn't sure if you only did the unchecking of components is all.

Maybe just disable the 'Scan' option. This should cover everything I would think, and then it should allow saving.

Object name for making exclusion would probably be: HEUR:Trojan.PowerShell.Generic

After reviewing this Kaspersky setting window, it looks like I misunderstood how it works. To me, it looks like the default is as an exception and the person would want to leave all components as clicked. And the Active on the bottom of window, as is. But it might be if the object name I listed could make a difference for working, not exactly sure. I had never used this setting before in Kaspersky so was unfamiliar with it. The double-checking helped though and I believe just putting in the folder name with the object name as well, and nothing else done, would work ok.

I believe the Active/Inactive is whether the current rule is enabled or disabled. It allows you to set one up and disable it if you need to do something and re-enable it later without having to re-enter everything.

I used your "HEUR:Trojan.PowerShell.Generic" suggestion and I also added additional folders. The scripts I'm trying to filter out are in a sub-folder of the folder I had specified. I just assumed that all sub-folders would inherit the rule but hey, maybe not. Let's see if it works.
