
Plugin startup triggers Symantec end-point protection, PowerShell command is blocked

Open rcastagno opened this issue 9 months ago • 6 comments

After the last update I'm getting two Symantec errors each time I start Idea, and more specifically each time I start up the plugin.

I verified, and the stopped command looks like this:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -EncodedCommand JgAgAHsACgBbAEMAbwBuAHMAbwBsAGUAXQA6ADoATwB1AHQAcAB1AHQARQBuAGMAbwBkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgACgBBAGQAZAAtAFQAeQBwAGUAIABAACIACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwAKAHAAdQBiAGwAaQBjACAAYwBsAGEAcwBzACAARABpAHIAIAB7AAoAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHMAaABlAGwAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIABwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBIAEcAZQB0AEsAbgBvAHcAbgBGAG8AbABkAGUAcgBQAGEAdABoACgAWwBNAGEAcgBzAGgAYQBsAEEAcwAoAFUAbgBtAGEAbgBhAGcAZQBkAFQAeQBwAGUALgBMAFAAUwB0AHIAdQBjAHQAKQBdACAARwB1AGkAZAAgAHIAZgBpAGQALAAgAHUAaQBuAHQAIABkAHcARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGgAVABvAGsAZQBuACwAIABvAHUAdAAgAEkAbgB0AFAAdAByACAAcABzAHoAUABhAHQAaAApADsACgAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAARwBlAHQASwBuAG8AdwBuAEYAbwBsAGQAZQByAFAAYQB0AGgAKABzAHQAcgBpAG4AZwAgAHIAZgBpAGQAKQAgAHsACgAgACAAIAAgAEkAbgB0AFAAdAByACAAcABzAHoAUABhAHQAaAA7AAoAIAAgACAAIABpAGYAIAAoAFMASABHAGUAdABLAG4AbwB3AG4ARgBvAGwAZABlAHIAUABhAHQAaAAoAG4AZQB3ACAARwB1AGkAZAAoAHIAZgBpAGQAKQAsACAAMAAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIABvAHUAdAAgAHAAcwB6AFAAYQB0AGgAKQAgACEAPQAgADAAKQAgAHIAZQB0AHUAcgBuACAAIgAiADsACgAgACAAIAAgAHMAdAByAGkAbgBnACAAcABhAHQAaAAgAD0AIABNAGEAcgBzAGgAYQBsAC4AUAB0AHIAVABvAFMAdAByAGkAbgBnAFUAbgBpACgAcABzAHoAUABhAHQAaAApADsACgAgACAAIAAgAE0AYQByAHMAaABhAGwALgBGAHIAZQBlAEMAbwBUAGEAcwBrAE0AZQBtACgAcABzAHoAUABhAHQAaAApADsACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHQAaAA7AAoAIAAgAH0ACgB9AAoAIgBAAAoAWwBEAGkAcgBdADoAOgBHAGUAdABLAG4AbwB3AG4ARgBvAGwAZABlAHIAUABhAHQAaAAoACIAMwBFAEIANgA4ADUARABCAC0ANgA1AEYAOQAtADQAQwBGADYALQBBADAAMwBBAC0ARQAzAEUARgA2ADUANwAyADkARgAzAEQAIgApAAoAWwBEAGkAcgBdADoAOgBHAGUAdABLAG4AbwB3AG4ARgBvAGwAZABlAHIAUABhAHQAaAAoACIARgAxAEIAMwAyADcAOAA1AC0ANgBGAEIAQQAtADQARgBDAEYALQA5AEQANQA1AC0ANwBCADgARQA3AEYAMQA1ADcAMAA5ADEAIgApAAoAfQA=

which can be decoded to:

& {
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class Dir {
  [DllImport("shell32.dll")]
  private static extern int SHGetKnownFolderPath([MarshalAs(UnmanagedType.LPStruct)] Guid rfid, uint dwFlags, IntPtr hToken, out IntPtr pszPath);
  public static string GetKnownFolderPath(string rfid) {
    IntPtr pszPath;
    if (SHGetKnownFolderPath(new Guid(rfid), 0, IntPtr.Zero, out pszPath) != 0) return "";
    string path = Marshal.PtrToStringUni(pszPath);
    Marshal.FreeCoTaskMem(pszPath);
    return path;
  }
}
"@
[Dir]::GetKnownFolderPath("3EB685DB-65F9-4CF6-A03A-E3EF65729F3D")
[Dir]::GetKnownFolderPath("F1B32785-6FBA-4FCF-9D55-7B8E7F157091")
}

I've been able to track it down to the directories-26.jar package which seems to do some convoluted spins to determine a bunch of "default folders", but I've been unable to determine the actual usage of those calls.

The fundamental problem is that encoded PowerShell commands are blocked, as they are a security threat.

I'd like to know:

  1. why it is done this way
  2. what's the actual usage by the plugin, that is, is it fundamental for the correct functioning of the plugin, or can it run correctly even if those commands fail
  3. where is this library from (that is, if it's yours, or third party)

For the time being, I'm disabling this plugin.

rcastagno avatar Apr 30 '24 09:04 rcastagno
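An analyst who has to confirm what a blocked -EncodedCommand actually does can decode it the way the report above did; the Python below is an added example, not code from GitLive or directories-jvm, and its sample command line is constructed from a shortened copy of the decoded script. It also accepts the abbreviated -enc / -e forms powershell.exe allows, and the GUID-to-folder mapping assumes the Windows SDK names FOLDERID_RoamingAppData and FOLDERID_LocalAppData for the two GUIDs in the script.

```python
import base64
import re

# Known-folder GUIDs from the Windows SDK; these two are what the decoded command queries.
KNOWN_FOLDERS = {
    "3EB685DB-65F9-4CF6-A03A-E3EF65729F3D": "FOLDERID_RoamingAppData",
    "F1B32785-6FBA-4FCF-9D55-7B8E7F157091": "FOLDERID_LocalAppData",
}

def extract_encoded_command(cmdline):
    """Return the argument of -EncodedCommand or any abbreviation of it (-enc, -e), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lstrip("-/").lower()
        if name and "encodedcommand".startswith(name):
            return tokens[i + 1]
    return None

def encode_command(script):
    """Build an -EncodedCommand value the way powershell.exe expects it: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(b64):
    """Reverse of encode_command; decoding as UTF-8 instead gives NUL-interleaved garbage."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")

def triage(script):
    """Summarise the native DLL imports and known folders a decoded script touches."""
    dlls = sorted(set(re.findall(r'DllImport\("([^"]+)"\)', script)))
    guids = re.findall(r'GetKnownFolderPath\("([0-9A-Fa-f-]{36})"\)', script)
    return {"dll_imports": dlls,
            "known_folders": [KNOWN_FOLDERS.get(g.upper(), "unknown:" + g) for g in guids]}

def analyze_cmdline(cmdline):
    """Decode and triage a powershell command line; None when it carries no encoded command."""
    b64 = extract_encoded_command(cmdline)
    return None if b64 is None else triage(decode_encoded_command(b64))

# Constructed sample: a shortened form of the script decoded in the report above.
SAMPLE_SCRIPT = '''& {
Add-Type @"
using System.Runtime.InteropServices;
public class Dir {
  [DllImport("shell32.dll")]
  private static extern int SHGetKnownFolderPath(Guid rfid, uint dwFlags, IntPtr hToken, out IntPtr pszPath);
}
"@
[Dir]::GetKnownFolderPath("3EB685DB-65F9-4CF6-A03A-E3EF65729F3D")
[Dir]::GetKnownFolderPath("F1B32785-6FBA-4FCF-9D55-7B8E7F157091")
}'''
SAMPLE_CMDLINE = "powershell.exe -NoProfile -EncodedCommand " + encode_command(SAMPLE_SCRIPT)
```

Running analyze_cmdline over the sample reports only shell32.dll and the two AppData folders, which is what lets a sysadmin distinguish this cache-directory lookup from an encoded command that loads something else.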

Hi @rcastagno, thanks for the detailed report. This is the library; it looks like it might be a known issue: https://github.com/dirs-dev/directories-jvm/issues/28

It's used to get the location to store caches. Hopefully the issue will be fixed soon, but in the meantime we'll see if it's possible to get the cache directory directly from the IntelliJ SDK.

nbransby avatar Apr 30 '24 10:04 nbransby

Thanks for the quick response. I'll relay this info to our sysadmins.

rcastagno avatar Apr 30 '24 12:04 rcastagno

A fix for this will be released before the end of the week. In the meantime, do you have VS Code installed, and are you able to let us know if it also triggers Symantec end-point protection?

nbransby avatar May 01 '24 17:05 nbransby

VS Code 1.88.1 does not trigger Symantec end-point protection.

rcastagno avatar May 02 '24 16:05 rcastagno

Sorry, I didn't do a very good job of explaining myself! I meant VS Code with the GitLive extension installed.

Also, good news: Version 17.1.1 of the GitLive JetBrains plugin is available that should fix your issue.

nbransby avatar May 03 '24 02:05 nbransby

Sorry, brain was not on at that moment.

BTW, the new version seems good on both VS Code and Idea, thanks!

rcastagno avatar May 03 '24 09:05 rcastagno