albchen
Posted February 23, 2021

Hi,

I noticed in my PowerShell logs that there is a base-64 encoded command run by evernote.exe to open an image saved in C:\Users\myusername\Appdata\Local\Temp\Attachments\<unique id>\<another id>\image.png. I investigated the image and my system logs, and it appears that this command is just opening the image, and not executing any embedded scripts. However, the command caught my eye since it appears extremely suspicious. Would the EverNote team be able to kindly confirm this is normal behavior? Thank you.

The encoded command was preceded with suspicious use of PowerShell:

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass -EncodedCommand
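
A way to triage a logged command line like the one in the post above, as an added example that is not part of the thread and is not Evernote's code: it normalises the switch prefixes and decodes the -EncodedCommand argument, which is Base64 over UTF-16LE text. The function names are hypothetical, and the sample script and path are constructed, since the thread does not include the encoded blob.

```python
import base64

# powershell.exe accepts '-', '/', and the en dash, em dash and horizontal bar
# as a switch prefix, so matching on '-' alone misses "–ExecutionPolicy".
DASHES = "-/\u2013\u2014\u2015"


def is_encoded_flag(token):
    """True for -EncodedCommand, any prefix of it (-e, -enc, ...) or -ec."""
    if len(token) < 2 or token[0] not in DASHES:
        return False
    name = token[1:].lower()
    return name == "ec" or "encodedcommand".startswith(name)


def triage(command_line):
    """Return the normalised switches and the decoded script, if any.

    Raises ValueError when the argument is not valid Base64 or UTF-16LE.
    """
    result = {"switches": [], "script": None}
    tokens = iter(command_line.split())
    for token in tokens:
        if is_encoded_flag(token):
            blob = next(tokens, "").strip('"')
            # The argument is Base64 of the script text encoded as UTF-16LE.
            raw = base64.b64decode(blob, validate=True)
            result["script"] = raw.decode("utf-16-le")
        elif len(token) > 1 and token[0] in DASHES:
            result["switches"].append("-" + token[1:].lower())
    return result


# Constructed sample: a benign file-open script wrapped the way the post describes.
SAMPLE_SCRIPT = r"Invoke-Item 'C:\Users\example\AppData\Local\Temp\Attachments\id-1\id-2\image.png'"
SAMPLE_LOG_LINE = (
    r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive "
    "\u2013ExecutionPolicy Bypass -EncodedCommand "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
)

if __name__ == "__main__":
    report = triage(SAMPLE_LOG_LINE)
    print("switches:", report["switches"])
    print("script:  ", report["script"])
```

Reading the decoded script next to the parent process and the file path it touches is what separates an application opening its own attachment from a command that downloads or executes something.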

Level 5* gazumped
Posted February 24, 2021

21 hours ago, albchen said:
    Would the EverNote team be able to kindly confirm this is normal behavior?

Hi. The Evernote team might be able to, but most of us here are users, not developers. You could try https://twitter.com/evernotehelps

Guest
Posted February 24, 2021

We do several PowerShell commands in the installer to detect and uninstall legacy Evernote clients. For example:

"powershell.exe /c Get-AppxPackage Evernote.Evernote | Remove-AppxPackage"

For external file opens we use https://www.electronjs.org/docs/api/shell#shellopenpathpath

There is some older code that is being replaced that still uses it. You should see it in the next version or two.