Hyper-V Backup Via Synology Active Backup Blocked

[csatech]

I'm attempting to backup my Hyper-V VM using Synology's Active Backup for Business. It appears that EmsiSoft is blocking it. I'm getting pop-ups from Emsi in regard to behavior blocking. If I disable Emsisoft, the backup will occur. The logs indicate that C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (SHA1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx) is being blocked.

Do I add the complete path string with the SHA numbers to the exception list, or just the PowerShell path? It seems to me that I don't want just ANY PowerShell item to run.

Just need a little guidance please. TIA

[JeremyNicoll]

If the Business version of EAM is like the Home one, you'll only be /able/ to specify the path.  The SHA1 hash is only displayed next to the .exe's name so that (if you needed to) you could look up the reputation of that specific version of powershell.exe online.  What you really want to do, probably, is unblock the specific script that Powershell.exe is running, but I don't know if that's possible.

If you are going to have to run these backups frequently, repeatedly adding Powershell to the exceptions list is going to be a nuisance.  On the other hand you probably wouldn't want to have it permanently excluded, in case some malware that uses it comes along.  (There's been discussion on these forums in the past about attempts to disable Powershell completely, which is hard to do.)

[csatech]

Thanks Jeremy. I may have to reach out to Synology then. You're correct, I don't want to open up for all PowerShell scripts to run, just this one in particular. The popup occurs from EmsiSoft but no option to allow this particular instance. Synology is connecting to the HYPER-V host server to backup the VM. It seems to me that I can't possibly be the first to run into this exact scenario! LOL

[GT500]

Do you know the path to the PowerShell script that was being executed? At least I hope Synology's software wasn't directly executing PowerShell without a script, because it's dangerous to exclude PowerShell itself, and much easier and safer to deal with a script.

[csatech]

I don't know what process Synology is using. I do know that when Active Backup for Business attempts to backup the Hyper-V VM that Emsi coughs up a block and it won't complete. When I disable Emsi the backup proceeds and completes. Emsi is only reporting the block, specifying that it blocked Powershell:

"Behavior Blocker detected suspicious behavior "undefined" of "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (SHA1: 6CBCE4A295C163791B60FC23D285E6D84F28EE4C)"

I can't find any solution other than to add powershell as an exception to behavior blocker. Clearly that is not an idea solution!

Any thoughts as to how to proceed?

[JeremyNicoll]

If you have process creation/termination event logs being created in the Security Eventlog, and if you have enabled the feature which records the whole command line used, you might be able to see what command is being used.

I've enabled this on personal computers for Win XP and 8[.1] (though annoyingly I can't find my notes on how I did it in W8.1), and I've not got a Win 10 machine yet.  On business machines, this level of logging can be a security problem because anyone with authority to read the event logs can see parameters on commands issued by all users.

I'm not sure if this link is useful, but it's the feature I'm talking about: https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.Auditing::IncludeCmdLine

[GT500]

15 hours ago, csatech said:

Any thoughts as to how to proceed?

Can Synology support let you know what PowerShell script their software is using?

[csatech]

GT500: I have a support ticket created with them. Hopefully I'll get to the bottom of the problem. I prefer using Emsi, but if I can't find a solution, I'll have to switch this clients server to another product. ☹️

 

Jeremy: Thanks for the added info and link. I'll check it out.

[csatech]

Just a follow-up. Currently the Synology script runs from the /temp directory, so it's not feasible to exclude that directory from active protection. I'll either have to allow all powershell or switch products on the server. 😐

[GT500]

16 hours ago, csatech said:

Just a follow-up. Currently the Synology script runs from the /temp directory, so it's not feasible to exclude that directory from active protection. I'll either have to allow all powershell or switch products on the server. 😐

Is the script randomly named? If so, does it follow a pattern that would allow for exclusion with wildcards? Is it created in the root of %TEMP% or is it created in a subfolder.