JSReport webshell causing CrowdStrike alerts



  • I'm using JSReport for HTML to PDF and my InfoSec team is getting alerts due to the download and running of JSReport, is there anything I should be doing that would prevent this?

    In my Startup.cs I've started the service as follows:

    services.AddJsReport(new LocalReporting().UseBinary(JsReportBinary.GetBinary()).KillRunningJsReportProcesses().AsUtility().Create());

    In my controller I'm using the ChromePdf recipe

    HttpContext.JsReportFeature().Recipe(Recipe.ChromePdf)



  • Could you please share what urls/ips does your team collected?
    I tried to monitor the network and don't see external requests.



  • Sorry, I must have misunderstood what was happening. It doesnt appear to be JSReport itself thats causing problems. It appears to be IIS downloading and executing over and over that's being flagged. Is there any way to store the executable on the server and reference that instead of downloading and running the exe?



  • The executable is compiled into the jsreport.Binary.dll manifest.
    There is no download happening during the start. The binary with its parts is only extracted into the user's temp folder during the first start.



  • Apparently this is still throwing alerts for some reason. Should simply removing .KillRunningJsReportProcesses() take care of this? Or is there something more I need to do to prevent this from happening?

    0_1642515289009_Exception (2).png



  • I'm not sure what exactly is the problem you want to prevent?

    The KillRunningJsReportProcesses is an explicit call to kill all background jsreport processes.
    The jsreport binary process is also automatically killed on the domain unload https://github.com/jsreport/jsreport-dotnet-local/blob/master/jsreport.Local/Internal/LocalUtilityReportingService.cs#L112



  • I'm really just looking for help preventing this alert to satisfy my security team. Is there anyway to prevent the binary process from being killed automatically? I apologize as I'm really not familiar with anything behind the scenes. I'm just looking for a remedy so I don't need to find another PDF solution when this one works great because of these alerts.



  • So the problem is that when your app shuts down, it also kills the background process? I think this is actually correct behavior.

    Maybe what you are looking for is IIS configuration to always keep the app domain loaded. The default IIS behavior is to automatically stop your APP if it isn't in use.
    https://docs.hangfire.io/en/latest/deployment-to-production/making-aspnet-app-always-running.html#:~:text=Right-click on the same,waiting for the initial request.


Log in to reply
 

Looks like your connection to jsreport forum was lost, please wait while we try to reconnect.