What is the impact of PowerShell commands in authenticated network scans?
During authenticated scans on Windows machines, Holm Security uses PowerShell commands to detect installed applications and assess vulnerabilities. While this provides more accurate results, PowerShell execution can sometimes trigger alerts in antivirus and security tools. This article explains the impact and how to configure your scan settings.
How PowerShell commands are used in scans
Authenticated scans on Windows rely on PowerShell commands for two key purposes:
- Vulnerability Detection: PowerShell runs commands to identify installed applications and assess potential security vulnerabilities on your Windows systems.
- Portable Application Detection: PowerShell can scan the file system to detect commonly used portable applications such as 7-Zip, Firefox, Chrome, PuTTY, and others.
Default behavior: PowerShell execution is disabled
By default, the scan engine is configured to NOT execute PowerShell commands during authenticated scans. This default setting:
- Minimizes disruptions to your systems and network
- Reduces the risk of triggering false alerts in Windows Defender and other antivirus solutions
- Prevents security tools from misinterpreting scanner activity as potentially malicious
Tip: The default configuration prioritizes system stability. If you don't need the enhanced detection that PowerShell provides, leave this setting as is.
Impact of enabling PowerShell commands
Trade-off: Accuracy vs. Potential Disruptions
Benefit: Enhanced vulnerability detection and portable app discovery provide more comprehensive scan results.
Risk: Windows Defender, antivirus software, or other security monitoring tools may flag PowerShell activity as suspicious, triggering alerts or blocking the scan.
If your organization prioritizes scan accuracy and has antivirus solutions configured to allow security scanner activity, you can enable PowerShell execution by modifying your scan configuration.
How to configure PowerShell execution
Control PowerShell execution in your authenticated scans by managing two settings in your scan profile:
Option 1: Enable PowerShell for vulnerability detection
Disable Remote Command Execution on Windows
HID: HID-2-1-5344164
By default, this setting is ENABLED, which means PowerShell commands are BLOCKED.
To enable PowerShell commands: Remove or disable this HID code from your scan profile.
- This setting is part of the General plugin category, which is included in the Standard scan configuration by default
- If you use a customized scan configuration without the General category, you must explicitly add this HID to prevent PowerShell execution
Option 2: Enable portable application detection
Enable scanning of portable apps
HID: HID-2-1-5314830
This setting enables the detection of portable applications on your systems.
To enable this feature: Add this HID code to your scan profile.
- This feature also relies on PowerShell execution, so it has no effect while HID-2-1-5344164 is still blocking PowerShell commands; both settings must be changed together
- Only enable it if you want to detect portable apps such as 7-Zip, Firefox, Chrome, and PuTTY
Before enabling PowerShell commands
Caution: Before enabling PowerShell execution, verify with your security or antivirus team that your Windows security tools are configured to allow scanner activity. Without proper configuration, PowerShell commands may:
- Trigger false positive alerts
- Block the scan from completing
- Interrupt production systems
Configuration workflow
To configure PowerShell execution in your authenticated scans:
- Open your scan profile configuration.
- Locate the scan settings or plugin management section.
- To enable PowerShell for vulnerability detection: Find HID-2-1-5344164 and remove or disable it.
- To enable portable app detection: Add HID-2-1-5314830 to the scan profile.
- Save your scan profile configuration.
- Run an authenticated scan and monitor for any alerts from antivirus solutions.
Understanding custom scan configurations
If you use a customized scan configuration:
- General category included: The HID-2-1-5344164 setting is automatically included and will block PowerShell by default.
- General category NOT included: You must manually add HID-2-1-5344164 to block PowerShell. Without this HID, PowerShell commands will execute by default.
Tip: Review your scan profile settings to understand whether the General category is included. This determines whether PowerShell blocking is automatic or requires manual configuration.
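As an added example (not Holm Security code), the following script models the rules from the two options and the custom-configuration section above as a pre-flight check on a scan profile: it reports whether PowerShell and portable-app detection are effectively enabled and flags the two easy misconfigurations. The profile representation (a list of plugin categories plus explicitly added and disabled HIDs) is an assumption made for this example; only the HIDs and rules come from the article.

```python
# Added example, not Holm Security code. Models the article's scan-profile rules.
# Profile representation (categories / added_hids / disabled_hids) is assumed.

BLOCK_POWERSHELL_HID = "HID-2-1-5344164"  # "Disable Remote Command Execution on Windows"
PORTABLE_APPS_HID = "HID-2-1-5314830"     # "Enable scanning of portable apps"
GENERAL_CATEGORY = "General"


def effective_settings(categories, added_hids=(), disabled_hids=()):
    """Return (powershell_enabled, portable_apps_enabled, warnings) for a profile.

    categories    - plugin categories included in the scan configuration
    added_hids    - HIDs explicitly added to the scan profile
    disabled_hids - HIDs explicitly removed or disabled in the scan profile
    """
    warnings = []
    # The blocking HID is present automatically when the General category is
    # included, otherwise only when added explicitly; disabling it wins either way.
    block_present = (GENERAL_CATEGORY in categories
                     or BLOCK_POWERSHELL_HID in added_hids) \
        and BLOCK_POWERSHELL_HID not in disabled_hids
    powershell_enabled = not block_present

    # Edge case 1: custom configuration without General silently allows PowerShell.
    if powershell_enabled and GENERAL_CATEGORY not in categories \
            and BLOCK_POWERSHELL_HID not in disabled_hids:
        warnings.append("custom configuration without the General category: "
                        f"PowerShell runs unless {BLOCK_POWERSHELL_HID} is added")

    # Edge case 2: portable-app detection needs PowerShell, so it is a no-op
    # while the blocking HID is still in the profile.
    portable_requested = (PORTABLE_APPS_HID in added_hids
                          and PORTABLE_APPS_HID not in disabled_hids)
    portable_apps_enabled = portable_requested and powershell_enabled
    if portable_requested and not powershell_enabled:
        warnings.append(f"{PORTABLE_APPS_HID} is set but {BLOCK_POWERSHELL_HID} "
                        "still blocks PowerShell; portable-app detection will not run")
    return powershell_enabled, portable_apps_enabled, warnings


if __name__ == "__main__":
    # Constructed sample profiles for illustration.
    samples = [
        ("standard default", ["General"], [], []),
        ("standard, PowerShell enabled", ["General"], [], [BLOCK_POWERSHELL_HID]),
        ("portable apps added, block kept", ["General"], [PORTABLE_APPS_HID], []),
        ("custom without General", ["Windows"], [], []),
    ]
    for name, cats, added, disabled in samples:
        print(name, "->", effective_settings(cats, added, disabled))
```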
Related information
For detailed guidance on configuring authenticated scans, see the following article:
How do I configure a scan profile for authenticated scanning?