We’re currently implementing both CrowdStrike and Syncro at a couple of clients, and are having some trouble. Once CS is installed, any time we run a script with Syncro we’re getting a detection alert from CS. It happens when the Syncro PowerShell script module gets imported. I can duplicate the issue by just running an import-module in PS manually to import the Syncro module, even if I don’t actually run any commands with it.
Specifically CS has an issue with the get-screencapture function. We really don’t have a use case for that, so as an alternative to getting CS to stop flagging it, is it possible to just remove that from the module that gets pushed to all machines with Syncro installed? I’m currently trying to get CS support to assist us with the detection issue, but we’re not having much luck so far.
I highly doubt Syncro is going to take out a function of their module just for you. I do think the best way would be to work with CS on how to exclude this from causing the alert. CS Support is usually really good with helping out.
With that said, the Synco module downloads to ProgramData\Syncro\bin\module.psm1. If you are so inclined, take a copy of that module and rename it something else, and remove that function from it. Then use your newly renamed module when importing instead of the base Syncro one.
I’m not expecting them to make a global change, no. I was just curious if there was a way to customize the module as it’s used in our environment.
As far as CrowdStrike goes, we’re engaging them but they’re not being particularly helpful. Whitelisting the Syncro module isn’t doing anything because it’s PowerShell itself getting flagged as running the “malicious” code. We have a call set up with them tomorrow, but currently the suggestion is to create a blanket exclusion for PowerShell, which I’m not doing.
Right. Did you see the 2nd part of my post? I told you where to find the Syncro module and then you just have to rename it, take out the functions you don’t want, and then deploy that instead, and call that when Importing instead of the standard Syncro one. You can set up a script to always run as part of your base policy that deploys your modified module, that way you can always import it on any machine, just like the Syncro one.
I can do that, but my concern is what happens if/when Syncro updates their PowerShell module and pushes the new one down to client machines. Then I’m going to end up with literally 5000+ detection events all at once.
I thought you said it’s only triggering when you actually do the Import Syncro Module?
That’s why I said don’t use theirs anymore. Modify it, deploy it, and call your modified one from now on.
I dunno dude. Just trying to give you options. I personally don’t feel this is a Syncro issue and I doubt they will do anything about it.
So options imo seem to be wait for CS to figure out a better way to make an exception for this or use your own module.
I wish you luck in getting it resolved one way or another.
Is there no way in CS to flag it as safe?
I spent an hour on the phone with them today and still have a support case open. I’ve done everything possible to stop the alerts, but still they come. I’m up to over 1000 email alerts just for today so far.
Have you tried what I said? You seem to be resistant to the idea, but if I was getting that many false alerts, seems it would be a no brainer to try making the adjustment. Unless of course it’s tripping just having the module on the device but again, I thought you said it only trips during import of said module.
Hate to resurrect an older thread, but I’m running into this issue as well. My powershell scripts are still firing off, but CrowdStrike is flagging each as being potentially malicious and it’s causing my scripts to partially fail in some cases. Obviously we don’t want to add powershell as an overall exception, so I’m wondering what else we can do here. I will try to edit out the screenshot ability mentioned above, but it’s not a clean solution for this organization we manage.
Hey, sorry. I just saw this. IDK if you’re still having this problem, but what we ended up having to do was create a custom IOA in CrowdStrike. Within the alert you get for the screenshot, towards the top, click the button to create a custom IOA exclusion. Replace the image filename with this:
And the command line with this:
I made those regex statements to specifically match the pattern for the screenshot through Syncro, and hopefully not anything else. Unfortunately you do have to do this after you get an alert, because you can’t create custom IOA exclusions pre-emptively. Also, you can’t do this at the parent level if you’re an MSSP because inheritance isn’t working yet, so you have to do it per-child.
What we’ve been doing is using our Syncro script for CS deployment to push it out to one machine, run another script to trigger the alert once, create the custom IOA, then push to the rest of the machines. We’re just switching to CS though, so if you’re already deployed then you just do whatever. We’re just trying to reduce the number of initial alerts during setup.