Showing results for 
Show  only  | Search instead for 
Did you mean: 


L4 Transporter


I have the below query, can someone explain this.

While reviewing PowerShell command execution we encountered a scenario where PANGPS.exe file in the program files Palo alto installation folder was generating PowerShell commands. i want to understand the purpose of the execution of the PowerShell command along with the validity. Also we want to know that if disabled will there be any impact on the production environment? or where i can disable this.


The execution path and the PowerShell command are also highlighted below.


Execution PANGPS (signed by Paloalto)  --> PANGPHIP (Signed by Paloalto) --> 32bitproxy.exe (signed by OPSWAT, Inc. )-->  cmd Command (cmd.exe /S /C ""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-AppxPackage | Where Name -match skydrive | Select-Object -Expand version" > "C:\Windows\TEMP\OPSBE4D.tmp" 2> "C:\Windows\TEMP\OPSBE4E.tmp")--> Powershell command



Cyber Elite
Cyber Elite


This is part of HIP and an expected process depending on how you have GlobalProtect configured, and in your particular example it appears to be looking to see if SkyDrive is installed, which is a super old marketing name for OneDrive that doesn't actually exist anymore as far as I'm aware. But ya, it's just HIP checking to see if that application is installed and what version it is if installed. Nothing malicious or anything like that, in fact you'd be telling it to do that in your config somewhere. 



Thanks for your reply. if i uncheck below option. it will stop to gether information?




Thanks for your reply. if i uncheck below option. it will stop to gether information?





Correct. If you turn off that checkmark you'll stop seeing this check take place. Just verify that you actually aren't using it at all and you aren't enforcing any HIP profiles or anything like that. 

  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!