
What is the impact of PowerShell commands in authenticated network scans?

During authenticated scans on Windows machines, Holm Security uses PowerShell commands to detect installed applications and assess vulnerabilities. While this provides more accurate results, PowerShell execution can sometimes trigger alerts in antivirus and security tools. This article explains the impact and how to configure your scan settings.

How PowerShell commands are used in scans

Authenticated scans on Windows rely on PowerShell commands for two key purposes:

1. Vulnerability detection: PowerShell runs commands to identify installed applications and assess potential security vulnerabilities on your Windows systems.
2. Portable application detection: PowerShell can scan the file system to detect commonly used portable applications such as 7-Zip, Firefox, Chrome, PuTTY, and others.

Default behavior: PowerShell execution is disabled

By default, the scan engine is configured to NOT execute PowerShell commands during authenticated scans. This default setting:

  • Minimizes disruptions to your systems and network.
  • Reduces the risk of triggering false alerts in Windows Defender and other antivirus solutions.
  • Prevents security tools from misinterpreting scanner activity as potentially malicious.

Prioritizes system stability
The default configuration prioritizes system stability. If you do not need the enhanced detection that PowerShell provides, leave this setting as is.

Impact of enabling PowerShell commands

Trade-off: Accuracy vs. potential disruptions

Benefit: Enhanced vulnerability detection and portable app discovery provide more comprehensive scan results.

Risk: Windows Defender, antivirus software, or other security monitoring tools may flag PowerShell activity as suspicious, triggering alerts or blocking the scan.

If your organization prioritizes scan accuracy and has antivirus solutions configured to allow security scanner activity, you can enable PowerShell execution by modifying your scan configuration.

How to configure PowerShell execution

Control PowerShell execution in your authenticated scans by managing two settings in your scan profile:

Option 1: Enable PowerShell for vulnerability detection

Disable remote command execution on Windows

HID: HID-2-1-5344164

By default, this setting is ENABLED, which means PowerShell commands are BLOCKED.

To enable PowerShell commands: Remove or disable this HID code from your scan profile.

  • This setting is part of the General plugin category, which is included in the Standard scan configuration by default.
  • If you use a customized scan configuration without the General category, you must explicitly add this HID to prevent PowerShell execution.

Option 2: Enable portable application detection

Enable scanning of portable apps

HID: HID-2-1-5314830

This setting enables the detection of portable applications on your systems.

Starting June 18, 2026, this HID is automatically included in standard scan profiles. If PowerShell is enabled (Option 1), portable application detection will run without any additional configuration for standard scan profiles.

If you use a custom scan configuration without the General plugin category, you must add this HID manually:

  • This feature also relies on PowerShell execution.
  • Only enable if you want to detect portable apps like 7-Zip, Firefox, Chrome, and PuTTY.

Before enabling PowerShell commands

Verify internally
Before enabling PowerShell execution, verify with your security team that your Windows security tools are configured to allow scanner activity. Without proper configuration, PowerShell commands may:

  • Trigger false positive alerts.
  • Block the scan from completing.
  • Interrupt production systems.

Configuration workflow

To configure PowerShell execution in your authenticated scans:

  1. Log in to Security Center. 
  2. Hover over Assessments > Profiles.
  3. Click Edit to open your scan profile configuration.
  4. Click Vulnerabilities > add HID-2-1-5344164 to the Exclude vulnerability section.
  5. Save your scan profile configuration. Run an authenticated scan and monitor for any alerts from antivirus solutions. 
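
For the monitoring part of step 5, the following is an added example (not part of Holm Security's documentation or tooling) that lists Microsoft Defender detections and PowerShell script block events logged on a scanned host during the scan window. The default two-hour window and the function name Get-WindowEvents are assumptions made for illustration; run it in an elevated session on the scanned host.

```powershell
# Added example: review what the host logged while the authenticated scan ran.
# Assumption: the scan ran within the last two hours; pass the real window instead.
param(
    [datetime]$ScanStart = (Get-Date).AddHours(-2),
    [datetime]$ScanEnd   = (Get-Date)
)

function Get-WindowEvents {
    # Hypothetical helper: returns events from one log inside the scan window.
    param([string]$LogName, [int[]]$Id)
    $filter = @{ LogName = $LogName; Id = $Id; StartTime = $ScanStart; EndTime = $ScanEnd }
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; that is a clean result here.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { @() } else { throw }
    }
}

# Defender: 1116 = threat detected, 1117 = action taken,
#           1121 = attack surface reduction rule blocked, 1122 = ASR rule audited.
$defender = @(Get-WindowEvents 'Microsoft-Windows-Windows Defender/Operational' 1116,1117,1121,1122)

# PowerShell: 4104 = script block logged. Warning-level entries are the ones
# the engine itself considered suspicious.
$psBlocks = @(Get-WindowEvents 'Microsoft-Windows-PowerShell/Operational' 4104)

"Scan window: $ScanStart to $ScanEnd"
"Defender detection/ASR events: $($defender.Count)"
$defender | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

"PowerShell script block events: $($psBlocks.Count)"
$psBlocks | Group-Object LevelDisplayName, UserId |
    Select-Object Count, Name |
    Format-Table -AutoSize

if ($defender.Count -gt 0) {
    "Defender reacted during the scan window; review the events above with your security team before the next scan."
} else {
    "No Defender detection or ASR events were logged during the scan window."
}
```

Events from unrelated activity in the same window also appear, so compare the timestamps and user SIDs against the scan's start time and the account used for authenticated scanning.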

Understanding custom scan configurations

If you use a customized scan configuration:

  • General category included: The HID-2-1-5344164 setting is automatically included and will block PowerShell by default. HID-2-1-5314830 is also included, so portable app detection activates as soon as PowerShell is enabled.
  • General category NOT included: You must manually add HID-2-1-5344164 to block PowerShell. Without this HID, PowerShell commands will execute by default. You must also manually add HID-2-1-5314830 to enable portable app detection.

Automatic or manual configuration
Review your scan profile settings to understand whether the General category is included. This determines whether PowerShell blocking and portable app detection are automatic or require manual configuration.

Related information

For detailed guidance on configuring authenticated scans, see the following article:

How do I configure a scan profile for authenticated scanning?