When a user opens Chrome out of local.exe, it runs the command C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass -EncodedCommand [REDACTED BASE64] that decodes to Start ""chrome"" -ArgumentList ""http://[REDACTED INTERNAL DOMAIN]"" which appears to be suspicious behavior to AV software.
Is it possible to configure whether the command is encoded when PowerShell runs it, since it causes antivirus software to treat the executable with suspicion?
Troubleshooting Questions
Does this happen for all sites in Local, or just one in particular?
As far as I can tell, it happens when a user views any local site.
Replication
Click the “Open Site” button that opens a site that you are working on.
System Details
Which version of Local is being used?
6.6.1.20230202.4 (VirusTotal)
What Operating System (OS) and OS version is being used?
Windows 10 Enterprise
Sorry I don’t have an answer to your specific question, but I do want to help if possible. Are you unable to open any Local sites due to this? Or getting any other errors or warnings while developing?
Within your machine are you able to do any allowing for Local within security or antivirus checkers to help out?
My users aren’t experiencing any problems; it’s that it keeps setting off antivirus alarms, which adds to the noise of our AV environment.
I know nothing about Local, so if there’s anything you need just treat me like a 5-year-old and I can run down the requested info.
Thank you!
Thanks. If there’s a valid purpose, that’s not a problem; our processes require that we document the reason for the exception, so we’d just need to know why it’s doing it that way.
I’ve raised this with our Dev team, and the short answer is that the command is generated by an upstream library, and barring any changes to the library we likely wouldn’t add an option to change it within Local. Not to say that it may not see a change in the future, but right now it wouldn’t have any priority or ETA.
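For documenting an exception like the one discussed in this thread, the following is an added example (not code from the thread, from Local, or from its upstream library) that decodes the -EncodedCommand argument of an alerted command line and checks whether the payload is only the browser launch described in the first post. The host example.test, the sample command lines and all function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit

# powershell.exe accepts -, / and the Unicode dashes as parameter prefixes, and
# any prefix of "EncodedCommand" (plus the short form "ec").
DASHES = "-/\u2013\u2014\u2015"
# Only: Start "<browser>" -ArgumentList "<url>". Quotes may be doubled, as in the
# report above. $ and backtick are excluded from the URL because PowerShell
# expands them inside double-quoted strings.
OPEN_SITE = re.compile(
    r'Start\s+"{1,2}([\w.-]+)"{1,2}\s+-ArgumentList\s+"{1,2}([^"\s$`]+)"{1,2}')

def extract_encoded_command(cmdline):
    """Return the base64 token following an -EncodedCommand style switch."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        if tok[0] in DASHES and name and (
                "encodedcommand".startswith(name) or name == "ec"):
            return tokens[i + 1]
    return None

def decode_encoded_command(cmdline):
    """Decode the payload; -EncodedCommand carries base64 of UTF-16LE text."""
    blob = extract_encoded_command(cmdline)
    if blob is None:
        return None
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # bad base64 or bytes that are not valid UTF-16LE
        return None

def triage(cmdline, allowed_hosts):
    """Classify one command line taken from an AV or EDR alert."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return "no-encoded-command"
    m = OPEN_SITE.fullmatch(decoded.strip())
    if m:
        url = urlsplit(m.group(2))
        if url.scheme in ("http", "https") and url.hostname in allowed_hosts:
            return "expected-open-site"
    return "needs-review"

def _encode(script):  # helper used only to build the constructed samples
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines (not real alert data).
SAMPLE_OPEN_SITE = ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell -NoProfile "
                    "-NonInteractive \u2013ExecutionPolicy Bypass -EncodedCommand "
                    + _encode('Start "chrome" -ArgumentList "http://example.test"'))
SAMPLE_OTHER = "powershell -NoProfile -enc " + _encode("Get-ChildItem C:\\Users")
```

Anything that returns "needs-review" still goes to an analyst; the check only separates the one documented launch pattern from every other encoded payload.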