Constant notification that pskill has been detected and blocked.

I have pskill from Sysinternals on my computer as an ITPro and have just started to get popups that it has been detected and blocked. Probably one every 30 or 40 seconds.

I did install Cylance yesterday and its background scan is what triggered the detection of pskill, and although Cylance is currently not scanning the drive (as detected by the file count not increasing), Sophos Home is still bugging me about it.

I have opened the console and said ignore but the alerts still keep coming. I've had 12 of them pop up whilst writing this post.

Interestingly it hasn't popped up for any of the other tools that Cylance detected - just this one and no, I'm not currently using pskill to do anything at the moment.

With Cylance exited and not running I'm still getting the popups so it is not that software.

 

Update: Opened laptop when I came home and had to wait for about 50+ popups to slide into the screen. Then continued to get them every 20 seconds or so. Eventually killed all Sophos services to stop the problem.

  • I know psexec creates a Windows service.

    I would bet that pskill does as well; if it does, _and_ that service is set to automatically run and set to recover if stopped, then you are getting a Windows service auto-start and auto-recover battling with Sophos.

     

    Look for the pskill service in services.msc and get the path to it, then add that path and file to your exclusion list in the dashboard. (I have found that sometimes adding a "local exclusion" on the desktop client isn't effective and have had to add the same exception in the web dashboard.)

  • In reply to Eric Peacock:

    Couldn't see any (obvious) pskill service. I wouldn't expect this to run as a service as it's a one-time app to kill something that is running on the machine, whereas psexec is used to listen for requests coming into the machine from a remote machine to do some work.

    Having said that, I added the exclusion to the local exclusions list and, as you said, that didn't make any difference.

    I did log in and add it to the web dashboard and that fixed the issue.

    It would still be nice to know why it keeps finding the same thing but at least I don't have the constant popups.

    Thanks for the help

  • In reply to Andy Helsby:

    Glad it got worked out.

    This will be the 8th or 10th time I've seen the Local Exclusion not work, and have to add to dashboard exceptions.

  • In reply to Eric Peacock:

    Hi Eric,

    The local exceptions should work. Could you please share a snapshot of the settings on both the local system and the Sophos Home dashboard? Also, let us know the application used so we may conduct the test.