Hi there,
we've been using PowerShell for login scripts in an AD domain for quite some time now and, accidentally, because several settings weren't applied anymore to new PCs, I came across something that looks like a quirk/bug to me:
On a machine with ENS 10.6.1 Threat Prevention installed and Exploit Protection active, try writing to a default value in the Registry using PowerShell and New-ItemProperty:
# Prerequisite
New-Item -Path HKCU:\Software\EnsTest -Force
# Works
New-ItemProperty -Path HKCU:\Software\EnsTest -Name 'Test' -PropertyType String -Value 'Some text' -Force
# '(default)' Crashes PowerShell
New-ItemProperty -Path HKCU:\Software\EnsTest -Name '(default)' -PropertyType String -Value 'Some text' -Force
PowerShell just closes (crashes) and only on writing to '(default)'. What is more, there is NO logging entry in the ENS event log so no indication of anything blocked or the like.
Windows Event Log:
Name der fehlerhaften Anwendung: powershell.exe, Version: 10.0.17134.1, Zeitstempel: 0x05e7290f
Name des fehlerhaften Moduls: HIPHandlers64.dll, Version: 10.6.0.9246, Zeitstempel: 0x5ccff778
Ausnahmecode: 0xc000000d
Fehleroffset: 0x00000000000071cc
ID des fehlerhaften Prozesses: 0x12e0
Startzeit der fehlerhaften Anwendung: 0x01d51531df335502
Pfad der fehlerhaften Anwendung: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Pfad des fehlerhaften Moduls: C:\Program Files\McAfee\Endpoint Security\Threat Prevention\Ips\HIPHandlers64.dll
Berichtskennung: 66eb5fce-b3d2-4ee6-a75f-71267377e3ee
Vollständiger Name des fehlerhaften Pakets:
Anwendungs-ID, die relativ zum fehlerhaften Paket ist:
Tested on:
Windows 10 1803 & 1809 with current hotfixes
Endpoint Security Platform: 10.6.1.1206
Threat Protection: 10.6.1.1273
(managed by ePO)
If you turn "Exploit Protection" off in the administrative settings of ENS the command works/no crash.
Has anyone experienced this as well? Would that warrant a support ticket or am I overlooking something?
Thanks!
- Markus
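For anyone wanting to reproduce this in a way that survives the crash and collects the evidence for a support ticket, here is an added diagnostic harness (not Markus's script, not McAfee's code). It runs each write in a child powershell.exe so the parent session is not killed, records the child's exit code, and then pulls the matching crash record from the Application log; it assumes the same HKCU:\Software\EnsTest key as above and that the crash is logged by provider 'Application Error' as Event ID 1000, which is the standard Windows Error Reporting crash event the German entry above corresponds to.

```powershell
# Added diagnostic harness: isolate the '(default)' write in a child process,
# capture its exit code, then correlate with Application Error / Event ID 1000
# entries naming HIPHandlers64.dll. Assumes the test key from the post.

$testKey = 'HKCU:\Software\EnsTest'

function Invoke-RegistryWriteTest {
    param([Parameter(Mandatory)][string]$Name)
    # The child process absorbs the crash; a non-zero exit code (here the
    # NTSTATUS exception code) tells the parent what happened.
    $script = "New-Item -Path '$testKey' -Force | Out-Null; " +
              "New-ItemProperty -Path '$testKey' -Name '$Name' -PropertyType String " +
              "-Value 'Some text' -Force | Out-Null; exit 0"
    $proc = Start-Process -FilePath 'powershell.exe' `
        -ArgumentList '-NoProfile', '-NonInteractive', '-Command', $script `
        -Wait -PassThru -WindowStyle Hidden
    [pscustomobject]@{
        ValueName = $Name
        ExitCode  = $proc.ExitCode
        ExitHex   = ('0x{0:x8}' -f $proc.ExitCode)   # e.g. 0xc000000d as in the post
        Crashed   = ($proc.ExitCode -ne 0)
    }
}

function Get-RecentHipHandlerCrash {
    param([Parameter(Mandatory)][datetime]$Since)
    # Assumption: WER writes the crash as provider 'Application Error', Event ID 1000.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'powershell\.exe' -and $_.Message -match 'HIPHandlers64\.dll' } |
        Select-Object TimeCreated, Id, Message
}

$start   = Get-Date
$results = 'Test', '(default)' | ForEach-Object { Invoke-RegistryWriteTest -Name $_ }
$results | Format-Table -AutoSize

# Anything returned here is the crash record to attach to the ticket;
# with Exploit Protection disabled, both rows should show Crashed = False.
Get-RecentHipHandlerCrash -Since $start | Format-List
```

Run it once with Exploit Protection on and once with it off to get a before/after pair of results for the ticket.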