https://live.paloaltonetworks.com/t5/general-topics/pan-gps-power-shell/m-p/393212#M90991 <P>Hello,</P><P>I have the below query, can someone explain this.</P><P>While reviewing PowerShell command execution we encountered a scenario where PANGPS.exe file in the program files Palo alto installation folder was generating PowerShell commands. i want to understand the purpose of the execution of the PowerShell command along with the validity. Also we want to know that if disabled will there be any impact on the production environment? or where i can disable this.</P><P>&nbsp;</P><P>The execution path and the PowerShell command are also highlighted below.</P><P>&nbsp;</P><P>Execution PANGPS (signed by Paloalto) &nbsp;--&gt; PANGPHIP (Signed by Paloalto) --&gt; 32bitproxy.exe (signed by OPSWAT, Inc. )--&gt; &nbsp;cmd Command (<STRONG>cmd.exe /S /C ""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-AppxPackage | Where Name -match skydrive | Select-Object -Expand version" &gt; "C:\Windows\TEMP\OPSBE4D.tmp" 2&gt; "C:\Windows\TEMP\OPSBE4E.tmp"</STRONG>)--&gt; Powershell command</P><P>&nbsp;</P> Wed, 24 Mar 2021 08:02:59 GMT Jafar_Hussain 2021-03-24T08:02:59Z https://live.paloaltonetworks.com/t5/general-topics/pan-gps-power-shell/m-p/393212#M90991 <P>Hello,</P><P>I have the below query, can someone explain this.</P><P>While reviewing PowerShell command execution we encountered a scenario where PANGPS.exe file in the program files Palo alto installation folder was generating PowerShell commands. i want to understand the purpose of the execution of the PowerShell command along with the validity. Also we want to know that if disabled will there be any impact on the production environment? or where i can disable this.</P><P>&nbsp;</P><P>The execution path and the PowerShell command are also highlighted below.</P><P>&nbsp;</P><P>Execution PANGPS (signed by Paloalto) &nbsp;--&gt; PANGPHIP (Signed by Paloalto) --&gt; 32bitproxy.exe (signed by OPSWAT, Inc. )--&gt; &nbsp;cmd Command (<STRONG>cmd.exe /S /C ""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-AppxPackage | Where Name -match skydrive | Select-Object -Expand version" &gt; "C:\Windows\TEMP\OPSBE4D.tmp" 2&gt; "C:\Windows\TEMP\OPSBE4E.tmp"</STRONG>)--&gt; Powershell command</P><P>&nbsp;</P> Wed, 24 Mar 2021 08:02:59 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-gps-power-shell/m-p/393212#M90991 Jafar_Hussain 2021-03-24T08:02:59Z https://live.paloaltonetworks.com/t5/general-topics/pan-gps-power-shell/m-p/393271#M90999 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/124013">@Jafar_Hussain</a>,</P> <P>This is part of HIP and an expected process depending on how you have GlobalProtect configured, and in your particular example it appears to be looking to see if SkyDrive is installed, which is a super old marketing name for OneDrive that doesn't actually exist anymore as far as I'm aware. But ya, it's just HIP checking to see if that application is installed and what version it is if installed. Nothing malicious or anything like that, in fact you'd be telling it to do that in your config somewhere.&nbsp;</P> <P>&nbsp;</P> Wed, 24 Mar 2021 13:15:27 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-gps-power-shell/m-p/393271#M90999 BPry 2021-03-24T13:15:27Z https://live.paloaltonetworks.com/t5/general-topics/pan-gps-power-shell/m-p/393282#M91002 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a></P><P>Thanks for your reply. if i uncheck below option. it will stop to gether information?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Jafar_Hussain_0-1616592250452.png" style="width: 1005px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30516i0E447703A4CE23EC/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Jafar_Hussain_0-1616592250452.png" alt="Jafar_Hussain_0-1616592250452.png" /></span></P><P>&nbsp;</P> Wed, 24 Mar 2021 13:24:28 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-gps-power-shell/m-p/393282#M91002 Jafar_Hussain 2021-03-24T13:24:28Z https://live.paloaltonetworks.com/t5/general-topics/pan-gps-power-shell/m-p/393287#M91003 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>Thanks for your reply. if i uncheck below option. it will stop to gether information?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Jafar_Hussain_0-1616592450776.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30517i998FE95904E2A403/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Jafar_Hussain_0-1616592450776.png" alt="Jafar_Hussain_0-1616592450776.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 24 Mar 2021 13:27:39 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-gps-power-shell/m-p/393287#M91003 Jafar_Hussain 2021-03-24T13:27:39Z https://live.paloaltonetworks.com/t5/general-topics/pan-gps-power-shell/m-p/393291#M91006 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/124013">@Jafar_Hussain</a>,</P> <P>Correct. If you turn off that checkmark you'll stop seeing this check take place. Just verify that you actually aren't using it at all and you aren't enforcing any HIP profiles or anything like that.&nbsp;</P> Wed, 24 Mar 2021 13:38:32 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-gps-power-shell/m-p/393291#M91006 BPry 2021-03-24T13:38:32Z