Scanning techniques

What is the impact of Powershell commands when performing authenticated network scans on Windows?

The network scanner allows you to perform authenticated scans, which is powerful for detecting applications and vulnerabilities on Windows machines. Some of the plugins used in these scans rely on executing Windows PowerShell commands on the target to identify installed applications and assess potential vulnerabilities, which gives a much more accurate picture of the security posture of your network. However, these PowerShell commands can trigger alerts in Windows Defender and other antivirus solutions: a remote account running PowerShell that enumerates software and queries system state looks much like the reconnaissance an attacker performs after gaining access, so the antivirus may classify the activity as potentially malicious.

To minimize disruptions for our customers, the network scan engine is configured by default not to execute these PowerShell commands during authenticated scans. This keeps the scan from raising false-positive antivirus alerts on the scanned hosts. The trade-off is that vulnerabilities whose checks depend on these commands cannot be detected, so accuracy is slightly lower for those specific vulnerabilities.

If you prioritize accuracy over the risk of antivirus alerts, you can change this behavior in the scan profile. You enable the execution of PowerShell commands by excluding HID-2-1-5344164, which is labeled Disable Remote Command Execution on Windows in the scan configuration settings. By removing this HID, you explicitly allow the scanner to run these commands during authenticated scans.

Note that HID-2-1-5344164 belongs to the General plugin category and is therefore always included in the Standard scan configuration. If you use a customized scan configuration that does not include the General category, you must add HID-2-1-5344164 to the network scan configuration yourself; otherwise the scanner will execute the PowerShell commands and may trigger antivirus alerts.
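After removing HID-2-1-5344164 and running a test scan, it is worth checking on one representative host what PowerShell the scan actually executed there and whether Windows Defender reacted to it, before rolling the change out to the whole profile. The script below is an added example for that check; it is not part of this page or of the Holm Security scanner. It assumes PowerShell script block logging (event 4104) is enabled on the host, and the $ScanStart and $ScanAccount parameters are hypothetical names you supply yourself (the start of the scan window and the account used for the authenticated scan).

```powershell
# Added example (not Holm Security's code): on a host that was just scanned with
# HID-2-1-5344164 removed from the profile, list the PowerShell the scan ran and
# whether Windows Defender flagged it. Assumes script block logging (event 4104)
# is enabled; $ScanStart and $ScanAccount are hypothetical parameter names.
param(
    [Parameter(Mandatory)] [datetime] $ScanStart,   # start of the scan window, e.g. (Get-Date).AddHours(-1)
    [string] $ScanAccount                          # e.g. 'CORP\svc-scan' (hypothetical account name)
)

# Resolve the scan account to a SID so 4104 events can be attributed to it.
$scanSid = $null
if ($ScanAccount) {
    $scanSid = (New-Object System.Security.Principal.NTAccount($ScanAccount)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# 1. What did the scanner execute? Event 4104 carries the script block text in Properties[2].
$blocks = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $ScanStart
} -ErrorAction SilentlyContinue |
    Where-Object { -not $scanSid -or $_.UserId.Value -eq $scanSid }

"PowerShell script blocks since $ScanStart" + $(if ($ScanAccount) { " for $ScanAccount" }) + ":"
$blocks | ForEach-Object {
    # Collapse whitespace and trim so each block is one readable line.
    $text = ($_.Properties[2].Value -replace '\s+', ' ')
    '{0:s}  {1}' -f $_.TimeCreated, $text.Substring(0, [Math]::Min(120, $text.Length))
}

# 2. Did Windows Defender flag anything in the same window?
#    Event 1116 = threat detected, 1117 = action taken (block/quarantine).
$detections = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = $ScanStart
} -ErrorAction SilentlyContinue

if (-not $detections) {
    "No Defender detections since $ScanStart; the scan's PowerShell was not flagged on this host."
} else {
    "Defender detections since ${ScanStart}:"
    $detections |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
    # Cross-check with the Defender module for the threat name, process and path involved.
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $ScanStart } |
        Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
        Format-List
}
```

Run it elevated on the scanned host, for example .\Check-ScanActivity.ps1 -ScanStart (Get-Date).AddHours(-1) -ScanAccount 'CORP\svc-scan'. Without script block logging enabled through Group Policy, Windows only records 4104 events for script blocks it already considers suspicious, so the first list will be incomplete; the Defender detections in the second part are logged regardless. If a detection does appear, the Resources and ProcessName fields tell you which command or file was flagged, which is what you need when deciding whether to keep the HID excluded or to add a targeted exclusion in the antivirus instead.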

Authenticated scanning
To learn more about how to configure a scan profile for authenticated scans, read more here: https://support.holmsecurity.com/knowledge/how-do-i-configure-a-scan-profile-for-authenticated-scanning