AV Trojan detection on PowerShell Studio packages

[ClipperXTP]

Hi all
Has anyone run into issue whereby corporate AV scanner (in my case Mc-Afee) blocks projects compiled in Powershell Studio, incorrectly flagging it as a trojan?



Previously, company's scanning policy was to observer and not block A M S I threats, but now policy is blocking my Powershell Studio applications and they will no longer run.

From Windows Event Log:
<MyFileName.exe> The Trojan AMSI-FHR!E59B99583451 was detected and blocked

The Trojan name is randomized every time the executable I built in PowerShell Studio is run.

The AV scanner does not have a problem if:
1. If I run the project from within the PowerShell studio 2019 application
2. I run the script as a standalone powershell script

Changing the AV policy is not an option.
I have built the project as a Windows Form
I have written all the code myself - consolidated from ad hoc scripts I have written over a period of time.
With the exception of a line that queries the remote registry service and starts it if it is not running, all the code does is read wmi info from remote machines. Removing the start-service command does not help.
WinRM is disabled across the board so there are no invoke commands in the script.
There are some posts on Mc-Afee board about trojan false positives on AMSI scanning, but invariably they refer powershell scripts running invoke commands on remote machines.
Anyone got any ideas?

[jvierra]

Please post product questions in the product forum for PowerShell Studio.

[Alexander Riedel]

This is too important to not answer here:

Probably a false positive, but we cannot know or check what is on your machine.
Anti-Virus vendors compare byte sequences from infected files to files on your computer. Sometimes these sequences occur in other files without them actually being infected.
This is generally because they use sequences as short as possible to make the scan go faster (less bytes to compare). That can lead to them being too short.

Regardless, the proper thing to do is to submit a file flagged as infected to your anti-virus vendor. They can then determine if it is truly infected or if it is a false positive.
All anti-virus vendors have a mechanism for doing that and they can then update their tables for future versions.
We cannot submit any files, because they would not come from YOUR machine where it detects the problem, so that would be meaningless.

You can also upload your file to virustotal.com
One or two may detect a trojan, one or two may detect another malware. If different things are detected, it is usually a sign for a false positive.
The vast majority of scanners, usually 70 something of them, will find nothing wrong.

Again, I tested with a file from my computer, which means nothing for you. You must do that yourself and you really should submit a file to your virus scanner software vendor directly.

[ClipperXTP]

Alexander

Thank you for your response.
Just to clarify, this is not isolated to my machine. The tool and various iterations of the tool I built using PowerShell Studio 2019 are used by a big team of engineers.
The issue is that AMSI scanning which was introduced on Windows 10 - https://docs.microsoft.com/en-us/window ... msi-helps- is flagging the threat the the AV software. Whereas previously the AV scanner was set to 'observe' AMSI threats, it is now set to block in my organization. That the so called 'trojan''s name is a random sequence of characters that changes any time the compiled executable is run - AMSI generates a random string - is testament to the fact that this is not an identified trojan but rather a generic threat that McAfee puts in its 'trojan' basked as Windows has passed it over as such. Manually scanning the .exe with McAfee does not throw up any such flags and no threat is detected, so it is indeed a false positive.

I am trying to understand why I can run the script in Powershell ISE without AMSI seeing a threat, and run the project from within PowerShell Studio 2019 without the AMSI seeing a threat, but when I build the project to an .exe, it will no longer launch and is incorrectly identified as a threat?

[Alexander Riedel]

Apples and Oranges. One is a script, the packaged exe is a C# assembly. If you look at the packaged exe with a hex editor you will not see the script.
If I had to guess, the packaged exe host a powershell engine. Maybe that is all it needs. Do you duly digitally sign your exes when packaging?
After doing some reading:
This how AMSI detects script code that is handed to a engine after decoding: https://docs.microsoft.com/en-us/window ... amsi-helps
That in itself is not a problem. It is how McAfee evaluates this at runtime, which only they can answer and fix.

[ClipperXTP]

Many thanks for taking the time. I was able to find the line of code that McAfee was having an issue with, all good now.
New-Object System.Net.WebClient).DownloadString("URL..)

- this was seen as a threat once compiled.

[Alexander Riedel]

Thank you for letting us know.

[ALIENQuake]

Yep, McAfee is crap, replace the code with Invoke-WebRequest and it will be fine.

[ClipperXTP]

Thanks ALIENQuake, yes I did that