When a user opens chrome out of local.exe, it runs the command
C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass -EncodedCommand [REDACTED BASE64] that decodes to
"" -ArgumentList ""http://[REDACTED INTERNAL DOMAIN]
"" which appears to be suspicious behavior to AV software.
Is it possible to configure whether the command is encoded when powershell runs it, since it causes antivirus software to treat the executible with suspicion.
- Does this happen for all sites in Local, or just one in particular?
As far as I can tell it happens when a user views any local site
Click the “Open Site” button that opens a site that you are working on.
Which version of Local is being used?
What Operating System (OS) and OS version is being used?
Windows 10 Enterprise