3 Replies Latest reply on May 11, 2017 8:37 AM by phoffmann

    Does LANDesk Vulscan run PowerShell?

    Danny0907 Rookie

      We have never used PowerShell for scripting on LANDesk. However, we are seeing PowerShell run when Vulscan is trying to execute and our Symantec endpoint is blocking it. Does anyone know whether Vulscan executes PowerShell by design or if there is something going on with our agents?

        • 1. Re: Does LANDesk Vulscan run PowerShell?
          phoffmann SupportEmployee

          It certainly can / does run PowerShell, VBScript, JScript or whatnot.

          You can write custom vulnerabilities with pretty much anything you want too.

          So ... short answer - "absolutely possible".

          • 2. Re: Does LANDesk Vulscan run PowerShell?
            Danny0907 Rookie

            Thanks Phoffmann,

            I may have confused things with my write-up. I know you can script within the LANDesk agent configuration - my question is - does LANDesk Vulscan need to execute PowerShell when it is running? This is what we are seeing in our environment - the agent is trying to run PowerShell when Vulscan is running, yet we do not have scripting in the agents. Are we configuring something wrong in the agent?

            • 3. Re: Does LANDesk Vulscan run PowerShell?
              phoffmann SupportEmployee

              So the answer to that is going to be roughly similar.

              It depends on what vulnerabilities / content you scan for essentially (*ALL* of which you can examine to your heart's content).

              So "in the dawn of our vulnerability content" we did a lot of JScript for instance.

              Then the content folks did most of their stuff with VBScript.

              I'm pretty sure I've seen a few PowerShell scripts fly around from time to time. Furthermore, there's the "Windows Actions" packages, which operate via PowerShell scriptlets for instance, that too can trigger the sort of thing you're seeing.

              There's (in addition) a couple of additional ways that we can "call vulscan in ways you don't expect" (for instance, pre-requisite checks tend to be operated by vulscan since it can do a LOT of complicated decision making) ... so you MIGHT find it a little easier having a look at time-relevant vulscan / sdclient / "any" logs around the times that your Symantec AV blocked PowerShell scripts from running.

              I hope that helps with a little insight into why this is a "generally speaking - yes" type answer, as there's a LOT of ways that you can end up calling vulscan which can/does end up calling scripts then.

              Timestamps & logs will be your bigger help to track those down.