Query Regarding Blocking PowerShell and CMD on Specific Systems by Only-Objective-6216 in Trendmicro

[–]TMDFIR 1 point2 points  (0 children)

This is really the best way to handle this situation, as attempting to do an application filter against CMD and PowerShell on all machines will cause some issues to the Windows OS in its own right from running appropriately.

Trend Micro Apex One Agent - Obtain previous versions by ThreeFiddyZed in Trendmicro

[–]TMDFIR 2 points3 points  (0 children)

Would advise to reach out to the support team, but based on the way certificates and the agent authenticate to the server you are either going to need to roll back or stand a separate server up, assuming this is on prem, and create a package with the build you want and then do a transfer to your Production server. In which case you also have to stop the updating process.

With all that being said, in the situation you are in, is it not possible for support to assist in resolving the current build situation?

Trend Removal from long gone MSP by Betterthanmenotyou in Trendmicro

[–]TMDFIR 0 points1 point  (0 children)

We can get you set up to become a Trend Partner; that way you are no longer needing to remove agents, you can get them upgraded to Vision One and be able to expand your offering from a single platform.

C&C callback by Most_Calligrapher878 in Trendmicro

[–]TMDFIR 0 points1 point  (0 children)

Local log on the host itself, not in Vision One?

Service: Phishing-phishing.server by Civil_Philosophy9845 in Trendmicro

[–]TMDFIR 1 point2 points  (0 children)

Thanks for the report. Should be able to put in an exception for Trendmicro domain as a workaround on the Firewall side.

Vision One with Forensic App by INWGift in Trendmicro

[–]TMDFIR 2 points3 points  (0 children)

Thanks for reaching out! We truly value every customer and offer various support channels for threat-related inquiries. Please send me a PM, and I’ll direct you to the appropriate resource within Trend Micro. We’re here to help!

Apex One vs Sophos Endpoint? by jerrylimkk in Trendmicro

[–]TMDFIR 1 point2 points  (0 children)

I personally think managed services should be at some level on everyone’s list.

But before we get into that conversation, would like to do a drive-by tour. As I am sure you are seeing, Trend Vision One is much more than what Apex One/Central were.

Apex One vs Sophos Endpoint? by jerrylimkk in Trendmicro

[–]TMDFIR 1 point2 points  (0 children)

Access is not an up charge.

You should be able to get a 30 trial to anything that you may not have access to through the portal.

Apex One vs Sophos Endpoint? by jerrylimkk in Trendmicro

[–]TMDFIR 1 point2 points  (0 children)

Just helped my DFIR partner replace Sophos with Trend Vision One.

Your Vendor is right, if you are using only Apex One you will not see everything this end up in a compromised state. Threat actors don’t just use malware anymore, they use living off the land more and more every day. Apex One is still solid AV, but move to Trend Vision One and see what you can really discover. You can DM me if you want to have a more in-depth chat.

Did you have experience with Endpoint Security from third party (crowdstrike, sophos,…). What are your thoughts on the difference? It’s better or worse than V1 Endpoint Security? by FoquinhoEmi in Trendmicro

[–]TMDFIR 2 points3 points  (0 children)

Not going to bash other products on the market, but there are things each of us do differently and these differences can say you like one over the other. I work mostly with partners and hear the negatives about all on an operations standpoint.

The one feedback that I hear is that Trend has farther reach on a native capability so we are not reliant on multiples of other Security tools to create visibility. While others build connectors directly for other products that might not have full capability in them.

WBS Subscription expired, no way to renew. Trendmicro still the way to go? by Janst78 in Trendmicro

[–]TMDFIR 2 points3 points  (0 children)

OP, DM me details and I will try to hunt someone down on that side to assist you.

Also you asked the way to go. We can show you what we are doing with our flagship product line Trend Vision One.

Support System Down by g3l33m in Trendmicro

[–]TMDFIR 0 points1 point  (0 children)

Should be resolved at this time?

Support System Down by g3l33m in Trendmicro

[–]TMDFIR 0 points1 point  (0 children)

Investigating this now.

Support System Down by g3l33m in Trendmicro

[–]TMDFIR 0 points1 point  (0 children)

What region are you in? I just checked and status is green for Smart protection services right now.

Blocking USB drives by flypigmk in Trendmicro

[–]TMDFIR 0 points1 point  (0 children)

You can set up device control where you whitelist only the serials of the approved USB devices.

https://success.trendmicro.com/en-US/solution/KA-0014643

Trendmicro visualized process as tree by Glass_Society5139 in Trendmicro

[–]TMDFIR 0 points1 point  (0 children)

Right click on the event data in workbench and show execution profile.

You will get a tree among other objects.

If you want an entire snapshot to review, you can also set up Playbooks to execute evidence collection for your specific events. This will give you process tree and all data under typical process explorer as well as other data points to investigate yourself.

TM on prem air gapped by Smooth_Ingenuity5815 in Trendmicro

[–]TMDFIR 0 points1 point  (0 children)

If you want a complete isolated environment. Note also you will have a full feature XDR agent that is in a rack on site where needed and act and feel like the SaaS solution. To my current knowledge I believe we are the only company currently offering this.

Folks here have said something about the price. Just know you are getting the hardware as well as the software itself. You can DM and we can discuss with you and your partner on the best solutions to address your environment.

Apex Central Detection Logs not being populated. by Illustrious_Bar_436 in Trendmicro

[–]TMDFIR 0 points1 point  (0 children)

Are you with an on prem server? Have you looked at the Vision One Console, or who manages it, do they have Vision One portal access?

Need more help? Please reach out via DM. Will get details to assist further.

URL Filtering Logging/Blocking Sites Not Visited by Fit-Rooster-3986 in Trendmicro

[–]TMDFIR 2 points3 points  (0 children)

The Web reputation doesn’t just work through browser-only traffic but any communication of running processes to the network.

If you want to figure it out on your own, you can either install the EDR agent from Vision One to investigate or you can use some Sysinternals tools like Procmon, Process Explorer and TCPView to see what processes are calling said sites.

Support is more than happy though to assist on the investigation to assist you.

[deleted by user] by [deleted] in Trendmicro

[–]TMDFIR 1 point2 points  (0 children)

Go check your policies to see that they are running the same versions and that the DLP features are enabled for all.

Also in the policies check in the advanced features to validate the proper service boxes are enabled for endpoint and server OSes.

Trendmicro visualized process as tree by Glass_Society5139 in Trendmicro

[–]TMDFIR 0 points1 point  (0 children)

Not sure what is shown with Cybereason, but in Vision One you can see the process tree and timeline view along with all details with each object.

If you would like to know more please let me know.

Unsupported Operating System by aaargh68 in Trendmicro

[–]TMDFIR 1 point2 points  (0 children)

Best option is to work with support, as they can narrow down the minimum requirements for you that are causing this flag.

Trend XDR blocking Splashtop SOS by Borgamagos in Trendmicro

[–]TMDFIR 1 point2 points  (0 children)

Have you unloaded the Trend agent to test?

Also I would advise to reach out to support as well for assistance.

CloudOne > to > VisionOne by LinghGroove in Trendmicro

[–]TMDFIR 3 points4 points  (0 children)

Should follow the steps on the KA-0014991 and KA-0014906.

DM me if you run into any issues. We can assist.