Hello, I’m seeking help with a small problem where PowerShell keeps creating comhosts and modifying some kind of file. No matter how many times I give it the OK to do what it’s doing and click Remember, it just keeps popping up, and it’s now become annoying to the point that I want to uninstall the program, but I came here first to see if I can find a solution.
No, some running process is executing PowerShell commands, and they get turned into PowerShell scripts by the embedded-code detection feature. You need to figure out what application is executing these PowerShell commands and set it to Trusted/Installer in the HIPS rules. If you open the PowerShell script, you might find references to the application that is issuing PowerShell. Another method is to enable auto-containment and wait for it to get auto-contained; then you can check the containment logs and look under the Parent Process column.
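As an added example (not from the thread or from CIS itself), here is a PowerShell snippet that does the parent-process lookup described above directly, without waiting for the containment logs: it lists every running powershell.exe/pwsh.exe with its parent process and command line, and can poll for a while to catch short-lived instances such as scheduled telemetry tasks. Function names are my own; it uses only the built-in Win32_Process CIM class and should be run from an elevated window so that system processes are visible.

```powershell
# Added example: map each running PowerShell instance to the process that spawned it.
# ParentProcessId can be stale if the parent has already exited (the PID may be reused),
# so the parent path should be confirmed against the HIPS/containment logs before
# a Trusted/Installer rule is written for it.
function Get-PowerShellParentInfo {
    $all  = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

    $all |
        Where-Object { $_.Name -in @('powershell.exe', 'pwsh.exe') } |
        ForEach-Object {
            $parent = $byId[[int]$_.ParentProcessId]
            [pscustomobject]@{
                PID         = $_.ProcessId
                Started     = $_.CreationDate
                ParentPID   = $_.ParentProcessId
                ParentName  = if ($parent) { $parent.Name } else { '<parent exited>' }
                ParentPath  = if ($parent) { $parent.ExecutablePath } else { $null }
                CommandLine = $_.CommandLine   # shows the script or -EncodedCommand being run
            }
        }
}

# Poll for a period so instances that live only a few hundred milliseconds are still seen.
# Each PID is reported once, the first time it is observed.
function Watch-PowerShellParents {
    param([int]$Seconds = 60, [int]$IntervalMs = 250)
    $seen = @{}
    $end  = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $end) {
        foreach ($row in Get-PowerShellParentInfo) {
            if (-not $seen.ContainsKey([int]$row.PID)) {
                $seen[[int]$row.PID] = $true
                $row
            }
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
}

# One-off snapshot, then a one-minute watch; ParentPath is the executable to look up
# in the HIPS rules or the containment log's Parent Process column.
Get-PowerShellParentInfo  | Format-Table -AutoSize -Wrap
Watch-PowerShellParents -Seconds 60 | Format-Table -AutoSize -Wrap
```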
Or you can just disable embedded-code detection for powershell.
If I had to guess, it’s CompatTelRunner.exe creating a task to collect and upload Microsoft’s telemetry, ’cause they need that data; it’s payroll time.
Creating an Auto-Containment Ignore rule may help.
Now I just have to figure out what spawns the demon beast OneDrive, to stop the .bat file spam. :-\
I’m seeing a lot of these PowerShell instances also.
The path makes it look like it’s CIS that is both creating & blocking it…?
Maybe the reporting could show the initiating exe?