
Plugin startup triggers symantec end-point protection, powershell command is blocked #153

Closed
rcastagno opened this issue Apr 30, 2024 · 6 comments

Comments

@rcastagno

After the last update I'm getting two Symantec errors each time I start Idea, and more specifically each time I start up the plugin.

I verified, and the stopped command looks like this:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -EncodedCommand <base64-encoded command omitted>

which can be decoded to:

& {
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class Dir {
  [DllImport("shell32.dll")]
  private static extern int SHGetKnownFolderPath([MarshalAs(UnmanagedType.LPStruct)] Guid rfid, uint dwFlags, IntPtr hToken, out IntPtr pszPath);
  public static string GetKnownFolderPath(string rfid) {
    IntPtr pszPath;
    if (SHGetKnownFolderPath(new Guid(rfid), 0, IntPtr.Zero, out pszPath) != 0) return "";
    string path = Marshal.PtrToStringUni(pszPath);
    Marshal.FreeCoTaskMem(pszPath);
    return path;
  }
}
"@
[Dir]::GetKnownFolderPath("3EB685DB-65F9-4CF6-A03A-E3EF65729F3D")
[Dir]::GetKnownFolderPath("F1B32785-6FBA-4FCF-9D55-7B8E7F157091")
}

I've been able to track it down to the directories-26.jar package which seems to do some convoluted spins to determine a bunch of "default folders", but I've been unable to determine the actual usage of those calls.

The fundamental problem is that encoded PowerShell commands are blocked, as they are a security threat.

I'd like to know:

  1. why it is done this way
  2. what's the actual usage by the plugin, that is, is it fundamental for the correct functioning of the plugin, or can it run correctly even if those commands fail
  3. where is this library from (that is, if it's yours, or third party)

For the time being, I'm disabling this plugin.
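The decoding step the reporter did by hand, as an added example that is not part of this issue: a small triage helper that recognises `-EncodedCommand` (and its abbreviations) on a captured process command line, decodes the UTF-16LE base64 payload, and lists constructs worth a closer look. The sample command line and the trimmed script are constructed here, since the original blob is not on the page.

```python
import base64
import shlex

# Constructed sample: the script the reporter decoded, re-encoded here because
# the page elides the original base64 blob (trimmed to the lines that matter).
SCRIPT = '''& {
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
Add-Type @"
public class Dir { [DllImport("shell32.dll")] /* ... */ }
"@
[Dir]::GetKnownFolderPath("3EB685DB-65F9-4CF6-A03A-E3EF65729F3D")
}'''
EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def encode_command(script: str) -> str:
    """-EncodedCommand takes base64 of the script as UTF-16LE (no BOM)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_CMDLINE = f"{EXE} -NoProfile -EncodedCommand {encode_command(SCRIPT)}"

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None.
    powershell.exe resolves parameters by unambiguous prefix, so -e, -ec and -enc all
    mean -EncodedCommand; match any prefix rather than only the full spelling."""
    args = shlex.split(cmdline, posix=False)  # non-posix: keep Windows backslashes literal
    for i, arg in enumerate(args[:-1]):
        name = arg.lstrip("-/").lower()
        if name and "encodedcommand".startswith(name):
            raw = base64.b64decode(args[i + 1], validate=True)
            return raw.decode("utf-16-le")
    return None

# Constructs worth a second look in a decoded script (the report's script hits the first two).
INDICATORS = ["Add-Type", "DllImport", "Invoke-Expression", "DownloadString", "FromBase64String"]

def triage(cmdline: str) -> dict:
    """Decode and summarise a process command line for an analyst reviewing an EDR block."""
    script = decode_encoded_command(cmdline)
    hits = [k for k in INDICATORS if script and k.lower() in script.lower()]
    return {"encoded": script is not None, "script": script, "indicators": hits}

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print(result["indicators"])
    print(result["script"])
```

The same decode applies to command lines taken from EDR alerts or Sysmon event 1 / Windows 4688 logs, which is where a sysadmin would verify what a blocked launch actually contained.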

@nbransby
Member

Hi @rcastagno, thanks for the detailed report. This is the library; looks like it might be a known issue: dirs-dev/directories-jvm#28

It's used to get the location to store caches. Hopefully the issue will be fixed soon, but in the meantime we'll see if it's possible to get the cache directory directly from the IntelliJ SDK.

@rcastagno
Author

Thanks for the quick response.
I'll relay this info to our sysadmins.

@nbransby
Member

nbransby commented May 1, 2024

A fix for this will be released before the end of the week. In the meantime, do you have VS Code installed, and are you able to let us know if it also triggers Symantec end-point protection?

@rcastagno
Author

VS Code 1.88.1 does not trigger Symantec end-point protection.

@nbransby
Member

nbransby commented May 3, 2024

Sorry, I didn't do a very good job of explaining myself! I meant VS Code with the GitLive extension installed.

Also, good news: Version 17.1.1 of the GitLive JetBrains plugin is available that should fix your issue.

@rcastagno
Author

Sorry, brain was not on at that moment.

BTW, new version seems good on both VS Code and Idea, thanks!

@nbransby nbransby closed this as completed Aug 6, 2024