Antivirus Alerts

Overview

To inventory Windows operating systems, vScope uses WMI or WinRM (depending on your preferences). This is called a Discovery. Both WMI and WinRM run scripts from the vScope server to fetch information from a remote (target) server. This can cause antiviruses to trigger alerts related to remote scripting. If you don’t want to run network discoveries, you can choose to disable your WMI/WinRM credential in Discovery Manager. Please be aware that this will lower the overall data quality in vScope since vScope will now only rely on secondary data sources.

Azure Security Center

Suspicious command line: powershell -exec bypass -encodedcommand

Azure Security Center can report the command line “powershell -exec bypass -encodedcommand” being used during a Discovery.

The parameter “-exec bypass” (short for “-ExecutionPolicy Bypass”) bypasses the PowerShell script execution policy for that single invocation. For example, if the policy is set to “Restricted”, no scripts can be run at all. Instead of changing the execution policy permanently on the target machine, vScope passes this parameter to PowerShell so that the Base64-encoded script supplied via “-encodedcommand” is allowed to run.

McAfee VirusScan

During the discovery of your environment, vScope uses VBScript to perform certain functions. If McAfee VirusScan is installed on the machine running vScope, it might interfere with the discovery process. Symptoms are error dialogs mentioning “cscript.exe” and the faulting module “ScriptSn”.

Problem

The following or similar error is displayed during the discovery process:

Problem Event Name:    BEX64
Application Name:    cscript.exe
Application Version:    5.7.0.18005
Application Timestamp:    49e02b11
Fault Module Name:    ScriptSn.20120130135121.dll_unloaded
Fault Module Version:    0.0.0.0
Fault Module Timestamp:    4d2ce476

Solution

Disable the script scanning component of your antivirus software or disable the antivirus software completely.

Please refer to McAfee knowledge base for more information: https://kc.mcafee.com/corporate/index?page=content&id=KB71660

Windows Defender

  • Check that the incident references the vScope server as the source and the credential configured for WMI/WinRM in Discovery Manager.
  • If both match, safely classify the alert as “False alert”, since commands executed from a remote location are normal behavior for any network discovery.
  • If you do not recognize the server or the credential used, the activity is not related to vScope’s discovery and should be investigated as a normal alert.
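The Azure Security Center section above explains that the script behind “-encodedcommand” is Base64-encoded, and the Windows Defender checklist says the alert is only expected when the source host and credential are the ones used for discovery. The following Python script is an added triage example, not vScope’s own code or tooling: it decodes the “-encodedcommand” argument from a process-creation event so an analyst can read the script before classifying the alert, and applies the host/credential checks from the checklist. The host name “VSCOPE01”, the account “CORP\svc-vscope”, the sample script and the event record are all constructed for this example.

```python
import base64
import binascii
from typing import Optional


def _is_encoded_command_param(tok: str) -> bool:
    """True for the spellings powershell.exe accepts for -EncodedCommand:
    the documented aliases -e and -ec, or any prefix of the full name of
    at least three characters (-enc, -encoded, -encodedcommand, ...)."""
    if tok[:1] not in ("-", "/"):
        return False
    name = tok[1:].lower()
    return name in ("e", "ec") or (len(name) >= 3 and "encodedcommand".startswith(name))


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE text, then Base64.
    Used here only to build the constructed sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plain-text script carried by an -EncodedCommand argument in
    a command line, or None when there is no such argument or it is not valid
    Base64/UTF-16LE (which is itself worth noting during triage)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_command_param(tok):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (binascii.Error, ValueError, UnicodeDecodeError):
                return None
    return None


def triage(event: dict, discovery_hosts: set, discovery_accounts: set) -> dict:
    """Apply the two checks from the Windows Defender checklist (known discovery
    server? known discovery credential?) and surface the decoded script."""
    known_host = event["source_host"].lower() in {h.lower() for h in discovery_hosts}
    known_account = event["account"].lower() in {a.lower() for a in discovery_accounts}
    return {
        "decoded_script": decode_encoded_command(event["command_line"]),
        "known_host": known_host,
        "known_account": known_account,
        # Only the combination of expected source AND expected credential
        # justifies a "False alert" classification.
        "verdict": "expected discovery activity" if (known_host and known_account) else "investigate",
    }


# Constructed sample data (hypothetical names, not taken from any real environment).
SAMPLE_SCRIPT = "Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, Version"
SAMPLE_EVENT = {
    "source_host": "VSCOPE01",        # assumed name of the vScope server
    "account": "CORP\\svc-vscope",    # assumed WMI/WinRM discovery credential
    "command_line": "powershell -exec bypass -encodedcommand " + encode_command(SAMPLE_SCRIPT),
}
DISCOVERY_HOSTS = {"VSCOPE01"}
DISCOVERY_ACCOUNTS = {"CORP\\svc-vscope"}

if __name__ == "__main__":
    result = triage(SAMPLE_EVENT, DISCOVERY_HOSTS, DISCOVERY_ACCOUNTS)
    print("Decoded script:", result["decoded_script"])
    print("Verdict:", result["verdict"])
```

Feed the function the source host, account and command line fields as they appear in the security alert; if the decoded script is not inventory-style collection (WMI/CIM queries, service and software enumeration) or the host or account does not match what is configured in Discovery Manager, treat the alert as a normal incident rather than a discovery false positive.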