Hyper-V Backup Via Synology Active Backup Blocked


I'm attempting to back up my Hyper-V VM using Synology's Active Backup for Business. It appears that EmsiSoft is blocking it. I'm getting pop-ups from Emsi in regard to behavior blocking. If I disable Emsisoft, the backup will occur. The logs indicate that C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (SHA1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx) is being blocked.

Do I add the complete path string with the SHA numbers to the exception list, or just the PowerShell path? It seems to me that I don't want just ANY PowerShell item to run.

Just need a little guidance please. TIA


If the Business version of EAM is like the Home one, you'll only be /able/ to specify the path.  The SHA1 hash is only displayed next to the .exe's name so that (if you needed to) you could look up the reputation of that specific version of powershell.exe online.  What you really want to do, probably, is unblock the specific script that Powershell.exe is running, but I don't know if that's possible.

If you are going to have to run these backups frequently, repeatedly adding Powershell to the exceptions list is going to be a nuisance.  On the other hand you probably wouldn't want to have it permanently excluded, in case some malware that uses it comes along.  (There's been discussion on these forums in the past about attempts to disable Powershell completely, which is hard to do.)


Thanks Jeremy. I may have to reach out to Synology then. You're correct, I don't want to open up for all PowerShell scripts to run, just this one in particular. The popup occurs from EmsiSoft but no option to allow this particular instance. Synology is connecting to the HYPER-V host server to backup the VM. It seems to me that I can't possibly be the first to run into this exact scenario! LOL


Do you know the path to the PowerShell script that was being executed? At least I hope Synology's software wasn't directly executing PowerShell without a script, because it's dangerous to exclude PowerShell itself, and much easier and safer to deal with a script.


I don't know what process Synology is using. I do know that when Active Backup for Business attempts to backup the Hyper-V VM that Emsi coughs up a block and it won't complete. When I disable Emsi the backup proceeds and completes. Emsi is only reporting the block, specifying that it blocked Powershell:

"Behavior Blocker detected suspicious behavior "undefined" of "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (SHA1: 6CBCE4A295C163791B60FC23D285E6D84F28EE4C)"

I can't find any solution other than to add PowerShell as an exception to the behavior blocker. Clearly that is not an ideal solution!

Any thoughts as to how to proceed?


If you have process creation/termination event logs being created in the Security Eventlog, and if you have enabled the feature which records the whole command line used, you might be able to see what command is being used.

I've enabled this on personal computers for Win XP and 8[.1] (though annoyingly I can't find my notes on how I did it in W8.1), and I've not got a Win 10 machine yet.  On business machines, this level of logging can be a security problem because anyone with authority to read the event logs can see parameters on commands issued by all users.

I'm not sure if this link is useful, but it's the feature I'm talking about: https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.Auditing::IncludeCmdLine

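One way to act on the command-line auditing Jeremy describes, as an added example that is not from the thread or from Emsisoft or Synology: it enables Security event 4688 with full command lines, then lists the powershell.exe launches around a backup run so the script the agent actually invokes can be identified and excluded instead of powershell.exe itself. The audit subcategory and registry value are the standard Windows ones behind the IncludeCmdLine policy; the two-hour look-back window is an assumption.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the Hyper-V host that Synology Active Backup for Business connects to.

# 1. Audit successful process creation (Security event ID 4688).
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# 2. Record the full command line in each 4688 event. This is the registry
#    value set by the "Include command line in process creation events" policy.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Trigger the backup, then list powershell.exe launches with their command
#    lines. Assumed window: the last two hours.
$since = (Get-Date).AddHours(-2)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            NewProcess  = $d['NewProcessName']
            Parent      = $d['ParentProcessName']   # populated on newer Windows builds; empty on older ones
            CommandLine = $d['CommandLine']         # shows the -File / script path the agent passes
        }
    } |
    Where-Object { $_.NewProcess -like '*\powershell.exe' } |
    Format-List
```

The CommandLine field shows whether a fixed script path or a randomly named file is being run, which is what decides whether a narrow path or wildcard exclusion is possible.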

GT500: I have a support ticket created with them. Hopefully I'll get to the bottom of the problem. I prefer using Emsi, but if I can't find a solution, I'll have to switch this client's server to another product. ☹️

Jeremy: Thanks for the added info and link. I'll check it out.

16 hours ago, csatech said:

Just a follow-up. Currently the Synology script runs from the /temp directory, so it's not feasible to exclude that directory from active protection. I'll either have to allow all powershell or switch products on the server. 😐

Is the script randomly named? If so, does it follow a pattern that would allow for exclusion with wildcards? Is it created in the root of %TEMP%, or is it created in a subfolder?
