My ASUS laptop runs some sort of script on a regular basis. It is a PowerShell .ps1 or .bat file with a different file name each time. CIS is blocking each one, and as each one is different I don’t know how to stop them being isolated. I assume that I can set up some sort of exception, but as a bit of a numptie I can’t work out how. Can anyone offer any suggestions?
Open the file list and view the file details of the .bat files, then see whether “created by” is filled with an application name. If it is, you can create an ignore auto-containment rule. For the ignore rule, set the file location to the temp folder or the Temporary Files file group, then set “file created by” to the application listed in the file detail window of the .bat file.
Thanks for the help, futuretech.
I am a little unsure as to what I am doing. When I look in the .bat files there is nothing, so I have looked in the CIS temporary scripts.
The CIS log shows Temporary scripts
When I look in one of these scripts it shows the ASUS System Control Interface, which I assume generates these files.
I have created “Ignore” rules for the two folders that I can trace.
I hope this is what you meant. If not please let me know.
Unfortunately it didn’t work, so I must have got something wrong. Any suggestions greatly appreciated!
futuretech, thanks for the earlier advice; unfortunately nothing seems to work. I have created auto-containment rules to ignore pretty much all the ASUS .exe files and all applications signed by ASUS companies, but nothing seems to work. I now believe that these are not ASUS scripts at all.
Digging a little deeper, it is CIS creating these .ps1 scripts, which to me (Tyro) seem to contain .ETL logs created by Windows Performance Analyzer.
i.e. Compress-Archive -Force -Path 'C:\ProgramData\ASUS\ASUS System Control Interface\log\asus_swmgr_2021_04_15_00001.etl' -DestinationPath 'C:\ProgramData\ASUS\ASUS System Control Interface\log\asus_swmgr_2021_04_15_00001.etl.zip'
I am still not sure how to set CIS to ignore these, and as I am getting between 10 and 30 of these a day it is becoming a pain to have to keep clearing them. I am surprised that this ASUS problem hasn’t affected more people. I don’t want to stop using CIS, but I cannot continue with these notifications and blocks.
Although not recommended you could try to disable (uncheck) the setting “Advanced Protection → Script Analysis → Perform Script Analysis” altogether (for a while) to see if that prevents the ASUS .ps1 or .bat files from being isolated.
APPX/UWP related ?!
PS: do not reset the container
Navigate to your root drive, e.g. C:\VTRoot
Copy all *.ps1 and *.bat files to a trusted location, and run them from there
Additionally, if nothing is in C:\VTRoot, try looking in the CIS View Quarantine and click Restore there!
Export and attach the containment logs so we can see what process is starting the scripts. Either change the file extension or add it to a compress format such as a zip folder or 7z archive.
I have attached the logs but I have tried to set an auto-containment policy to ignore the files such as “C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_2820868d17e87ae3\ASUSSoftwareManager\AsusSoftwareManager.exe” but it didn’t seem to work. Not sure if that was what was previously recommended or if I got it set up correctly.
There are two folders in the C:\Windows\System32\DriverStore\FileRepository folder and I tried to set up rules for both folders.
Try creating the rule as shown.
Tried creating the rule; it looks exactly as in the image, but unfortunately it didn’t seem to get CIS to ignore the processes.
I have attached another containment log of today’s warnings/blocked items.
Could be worthwhile to try my suggestion of reply #5 …
Tried switching off Script analysis and as suggested this stopped the problem.
So how do I now go about setting up a rule or something to stop it permanently without compromising security?
I have tried turning off Script Analysis as suggested by CISfan and this stopped the problem, presumably temporarily as I have turned it back on. It doesn’t seem a good idea to leave SA off permanently.
Do you think I could adapt the rule above using the ASUS folders in “Program data” and “File repository” rather than processes, to stop CIS creating temp scripts?
I don’t think you did the rule correctly or you may need to increase the number of parent process levels to be analyzed. The logs show that the powershell scripts are being started by the asus executables that are located in the C:\Windows\System32\DriverStore\FileRepository directory. Can you export your configuration and attach it?
Ok thanks, as I am pretty much flying blind I accept that I may have set it up wrongly. I will try again and then post an image of the rule. Hopefully if I get it right it will do the job.
I have re-created the rule and attached copies of the set-up. I have also attached a copy of my configuration settings. Hope that’s enough info. If not, let me know.
futuretech - sorry, I forgot to ask about increasing the number of parent levels. I may have missed the point, but isn’t “file repository” the parent and the relevant ASUS .exe files the child(ren)? Doesn’t increasing the number of parent levels open up the possibility of dangerous scripts being run from, say, the “Driver Store” or “System 32” folder? There is no option to increase the number of child files, and I can’t see why this would be necessary as the folder picked is anything in the “File Repository*”?
The number of parent process levels to check is a way to configure how far up the process tree CIS should look for the defined path. Your config that you attached didn’t have any ignore rules, so I can’t see if there is an issue with the rule.
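To see how many levels up the process tree the ASUS executable actually sits (the figure the parent-process-level setting has to cover), the following PowerShell snippet walks the parent chain of every running powershell.exe. It is an added example for this thread, not a Comodo tool; it assumes the DriverStore\FileRepository folder quoted earlier is where the launching executables live.

```powershell
# Added example (not from the thread or from Comodo): walk the parent chain of
# every running powershell.exe so you can see which executable launched it and
# how many levels up an executable under $WatchRoot appears.
# Assumption: $WatchRoot is the folder quoted in the thread; adjust if yours differs.
$WatchRoot = 'C:\Windows\System32\DriverStore\FileRepository'

function Get-ProcessAncestry {
    param(
        [Parameter(Mandatory)][uint32]$ProcessId,
        [int]$MaxDepth = 10
    )
    $procs   = Get-CimInstance Win32_Process
    $current = $procs | Where-Object { $_.ProcessId -eq $ProcessId }
    $chain   = @()
    while ($current -and $chain.Count -lt $MaxDepth) {
        $chain += [pscustomobject]@{
            Level = $chain.Count          # 0 = the script host itself, 1 = its direct parent
            Name  = $current.Name
            Path  = $current.ExecutablePath
            Pid   = $current.ProcessId
        }
        $parentId = $current.ParentProcessId
        if ($parentId -eq $current.ProcessId) { break }   # reached the root of the tree
        $childStart = $current.CreationDate
        # A "parent" that started after its child is a reused PID, not the real launcher.
        $current = $procs | Where-Object {
            $_.ProcessId -eq $parentId -and $_.CreationDate -le $childStart
        }
    }
    return $chain
}

# For each PowerShell host: its command line, its immediate launcher, and the
# level at which something under $WatchRoot appears in the ancestry (if at all).
Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" | ForEach-Object {
    $ancestry = Get-ProcessAncestry -ProcessId $_.ProcessId
    $asusHit  = $ancestry | Where-Object { $_.Path -like "$WatchRoot\*" } | Select-Object -First 1
    $level    = if ($asusHit) { $asusHit.Level } else { 'not in chain' }
    [pscustomobject]@{
        ScriptPid   = $_.ProcessId
        CommandLine = $_.CommandLine
        LaunchedBy  = ($ancestry | Select-Object -Skip 1 -First 1).Path
        WatchLevel  = $level
    }
} | Format-List
```

The zipping scripts exit within seconds, so run this repeatedly (or in a loop) while the ASUS software is active; a WatchLevel of 2 or more means an ignore rule on the ASUS executable needs at least that many parent levels to match.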
I don’t understand why the Ignore rule doesn’t show up. I have re-created it and attach a screenshot and a new copy of the config. I don’t know what I am looking for in the config, so I can’t see whether the rule is there now or not.