I have the below query, can someone explain this.
While reviewing PowerShell command execution we encountered a scenario where PANGPS.exe file in the program files Palo alto installation folder was generating PowerShell commands. i want to understand the purpose of the execution of the PowerShell command along with the validity. Also we want to know that if disabled will there be any impact on the production environment? or where i can disable this.
The execution path and the PowerShell command are also highlighted below.
Execution PANGPS (signed by Paloalto) --> PANGPHIP (Signed by Paloalto) --> 32bitproxy.exe (signed by OPSWAT, Inc. )--> cmd Command (cmd.exe /S /C ""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-AppxPackage | Where Name -match skydrive | Select-Object -Expand version" > "C:\Windows\TEMP\OPSBE4D.tmp" 2> "C:\Windows\TEMP\OPSBE4E.tmp")--> Powershell command
This is part of HIP and an expected process depending on how you have GlobalProtect configured, and in your particular example it appears to be looking to see if SkyDrive is installed, which is a super old marketing name for OneDrive that doesn't actually exist anymore as far as I'm aware. But ya, it's just HIP checking to see if that application is installed and what version it is if installed. Nothing malicious or anything like that, in fact you'd be telling it to do that in your config somewhere.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!