Logseq runs powershell cmds with "–ExecutionPolicy Bypass -EncodedCommand .." which sent a red flag to my work's security team

Hello,

In one of my logseq notes, I had saved a Jira sprint board URL.

When I clicked on that URL from logseq, I got an email from the security team at my work:

Our security controls have detected the following encoded PowerShell command run on your host: ..

Encoded command: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass -EncodedCommand ..
Decoded command: Start ".."

Parent Process: logseq.exe
Parent Process Name: logseq

Can someone please throw some light on why the execution policy is bypassed? Is that necessary? If not, can that be disabled?

Might be worth posting this in the Logseq Discord - might get a quicker response

This prevents the prompt and interruption during the installation. The ExecutionPolicy of PowerShell could be changed, but the adverse effect may add more friction to the installation process. Alternatively, the security team could whitelist the application. Please note that it depends on the security tools being used to monitor corporate computer assets.

But I got that email when I clicked on one of the links saved in my notes, not when installing logseq.

Oddly installation of logseq didn’t trigger anything from the security team.

Got the same warning from my anti-virus software while clicking the tags in my note. The tags are generated by a query command.

Query example: "All page tags"
#+BEGIN_QUERY
{:title "All page tags"
:query [:find ?tag-name
      :where
      [?tag :page/name ?tag-name]]
:view (fn [tags]
      [:div
       (for [tag (flatten tags)]
         [:a.tag.mr-1 {:href (str "/page/" tag)}
          (str "#" tag)])])}
#+END_QUERY

The detailed warning is:

Detection: Executing suspicious scripts using PowerShell
Target Program: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
Target Command Line: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAZgBpAGwAZQA6AC8ALwAvAEMAOgAvAHAAYQBnAGUALwBmAGUAYgAlADIAMAAxADQAdABoACwAJQAyADAAMgAwADIAMgBgACIAIgA=
Result: Blocked

Process ID: 15236
Process: C:\Users\explo\AppData\Local\Logseq\app-0.5.9\Logseq.exe
Process Command line: "C:\Users\explo\AppData\Local\Logseq\app-0.5.9\Logseq.exe" 
Parent Process ID: 10032
Parent: C:\Users\explo\AppData\Local\Logseq\Logseq.exe
Parent process Command line: "C:\Users\explo\AppData\Local\Logseq\Logseq.exe" 

For the curious…
Here is the decoded command that it was running via PowerShell:

Start "`"file:///C:/page/feb%2014th,%202022`""