Author Topic: what is this that SAplus keeps offering to block  (Read 2149 times)

Offline Clive Richards

  • Newbie
  • *
  • Posts: 2
  • Kudos +0/-0
what is this that SAplus keeps offering to block
« on: December 22, 2017, 06:23:29 PM »
Recently it offers to block a command line - but I am curious as to what it might be and whether it should be blocked  - any ideas?

"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"

for the time being I am continuing to block this

Offline hendy

  • SecureAPlus Developer
  • Sr. Member
  • *****
  • Posts: 307
  • Kudos +13/-0
Re: what is this that SAplus keeps offering to block
« Reply #1 on: December 24, 2017, 08:02:46 AM »
It depends on what program that you are launching when you see this message. For example, if you are launching Microsoft Word to view or edit a document, and suddenly you see this, you should block this. A document is not supposed to run anything. If you are running a utility, or a software from a company that you trust, and you see this, you may allow it to run.

Offline Clive Richards

  • Newbie
  • *
  • Posts: 2
  • Kudos +0/-0
Re: what is this that SAplus keeps offering to block
« Reply #2 on: December 24, 2017, 08:34:10 AM »
That is the problem in that I am not aware of running anything special though I may have had TOR browser open at the time.  However I use that a lot and don't normally see any issue, indeed I have it running now and the message is not appearing.   It appeared many times over the space of 2 - 3 days but now seems to have stopped for the time being.  Could something like this indicate someone trying to take control of my computer?  I have run a full scan but it comes up clean.

I guess there is not much to do unless it happens again.  Usually in the past when I have seen messages like this there has been something in it to indicate what is triggering it - for example dropbox action sometimes has in the past but this one gives no clue.  The worrying thing is that I have only recently completey refreshed my windows installation removing all programmes and content on my system and program software drive.

Offline hendy

  • SecureAPlus Developer
  • Sr. Member
  • *****
  • Posts: 307
  • Kudos +13/-0
Re: what is this that SAplus keeps offering to block
« Reply #3 on: December 25, 2017, 08:05:52 AM »
If it is running out of nowhere, it could be an attack, although sometimes it may not be the case. Probably something from web, since you are opening a browser. It looks like it tried to disable unused Windows sharing (Samba protocol). It triggered using fileless method, so Antivirus is usually difficult to catch this. When you try to scan it, there may be no trace any more.

Offline hendy

  • SecureAPlus Developer
  • Sr. Member
  • *****
  • Posts: 307
  • Kudos +13/-0
Re: what is this that SAplus keeps offering to block
« Reply #4 on: December 26, 2017, 11:38:25 AM »
It may be from Windows. Since you have just reinstalled your Windows, it may try to check and disable the old Samba protocol for security reason. The old Samba protocol is known to be vulnerable.

In the future, we may try to improve the message, by showing which process was issueing the command.
« Last Edit: December 26, 2017, 11:41:57 AM by hendy »