Cachebuilder.exe keeps triggering AV when launching PowerShell Studio


Post by JRGITOrders »

Product: PowerShell Studio 2023 (64 Bit)
Build: v5.8.216
OS: Windows 10 Enterprise (64 Bit)
Build: v10.0.19044.0
PowerShell version(s): 5.1.19041.2673

When we open PowerShell studio, we see the prompt to update the modules (I believe this is what is being updated, but don't recall the actual message). Once we do this, our antivirus flags cachebuilder.exe because the hash is changed. It seems that the hash is changed each time we launch PS Studio which causes a problem for our security team since the files are whitelisted by hash value. We wanted to check to see why this is constantly changing, and what we can do to prevent it from changing. If we can't prevent the change, what would be the suggested solution for this? For reference, this is being flagged in Carbon Black.

Current cachebuilder.exe hash which was flagged: 2ec6b30ab22097958ed312747ead0e595cd910610e9b2406441bb7612d9de2a2

Message:
The application cachebuilder.exe ran a script C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\IpamServer\IpamGpo.psm1 that attempted to execute a suspicious script. This script performs highly suspicious process injection behavior. A Deny policy action was applied.

Re: Cachebuilder.exe keeps triggering AV when launching PowerShell Studio

Post by brittneyr »

This is most likely a false positive. The cachebuilder.exe is for caching module information to use for the PowerShell Studio's editor. This process does involve loading the modules on your machine. The prompt you received was related to needing to update this information as modules on the machine have changed.

As for the hash value changing, I'll get back to you on that.
Brittney
SAPIEN Technologies, Inc.

Re: Cachebuilder.exe keeps triggering AV when launching PowerShell Studio

Post by Alexander Riedel »

The cachebuilder process instantiates each module installed on your machine to extract its metadata and cache it.
If this uses modules of a suspicious nature on your machine, you should remove these modules. At the very least you should investigate what these modules do and why they are on your machine.
The CacheBuilder.exe must be digitally signed with the SAPIEN code signing certificate. Please verify that the signature on that file exists on your machine and is intact. The hash value of cachebuilder.exe (the file, NOT the process) should never change.
We do not have access to your AV software used, so I cannot determine if this builds a file or a process hash. The latter changes with each instance.
At any rate I would advise you to submit the cachebuilder.exe from your machine to your AV vendor for verification.
Our files are constantly monitored and scanned, but we have of course no means of verifying what happens after it is installed on your system.
While I am quite certain the cachebuilder.exe hash thing will turn out to be a false positive, you can never be too careful. You should definitely submit the file.

I will get you the exact hash cachebuilder.exe should have and how to verify it in a few minutes.
Alexander Riedel
SAPIEN Technologies, Inc.

Re: Cachebuilder.exe keeps triggering AV when launching PowerShell Studio

Post by Alexander Riedel »

You have two cachebuilder executable files in your installation. I obtained the hash values for both as shown below here:
  PS C:\WINDOWS\system32> get-filehash "C:\Program Files\SAPIEN Technologies, Inc\PowerShell Studio 2023\cachebuilder64\cachebuilder64.exe"

  Algorithm       Hash                                                                   Path
  ---------       ----                                                                   ----
  SHA256          6F86ACB4BD8E79EDE7582FCD100CDF7B5012BADBC20DF41185E2659B0D38A5CD       C:\Program Files\SAPIEN Technologies, Inc\PowerShell Studio 2023\cachebuilder64\cachebuilder64.exe

  PS C:\WINDOWS\system32> get-filehash "C:\Program Files\SAPIEN Technologies, Inc\PowerShell Studio 2023\cachebuilder32\cachebuilder.exe"

  Algorithm       Hash                                                                   Path
  ---------       ----                                                                   ----
  SHA256          A4DD22CCBE87ACFC3F01F4EA81C12A1ED5418CB48F910BC4F547F685A4891AD4       C:\Program Files\SAPIEN Technologies, Inc\PowerShell Studio 2023\cachebuilder32\cachebuilder.exe
Alexander Riedel
SAPIEN Technologies, Inc.
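The checks the two replies above describe (intact SAPIEN Authenticode signature, unchanged file hash, and whether the hash reported by the AV corresponds to any file on disk at all), as an added PowerShell example that is not SAPIEN's own code. It assumes the install paths and SHA256 values posted in this thread, and that the signer subject contains "SAPIEN" (an assumption, not confirmed on the page).

```powershell
# Expected SHA256 values as posted in this thread, keyed by install path.
$expected = @{
  'C:\Program Files\SAPIEN Technologies, Inc\PowerShell Studio 2023\cachebuilder64\cachebuilder64.exe' = '6F86ACB4BD8E79EDE7582FCD100CDF7B5012BADBC20DF41185E2659B0D38A5CD'
  'C:\Program Files\SAPIEN Technologies, Inc\PowerShell Studio 2023\cachebuilder32\cachebuilder.exe'   = 'A4DD22CCBE87ACFC3F01F4EA81C12A1ED5418CB48F910BC4F547F685A4891AD4'
}
# Hash the AV reported in the original post.
$flagged = '2ec6b30ab22097958ed312747ead0e595cd910610e9b2406441bb7612d9de2a2'

foreach ($path in $expected.Keys) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found: $path"
        continue
    }
    $fileHash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig      = Get-AuthenticodeSignature -FilePath $path
    # Assumption: the SAPIEN code-signing certificate's subject contains "SAPIEN".
    $signerOk = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*SAPIEN*')

    [pscustomobject]@{
        File          = Split-Path -Leaf $path
        HashMatches   = ($fileHash -ieq $expected[$path])   # file hash should never change
        IsFlaggedHash = ($fileHash -ieq $flagged)           # did the AV hash this file?
        SigStatus     = $sig.Status
        Signer        = $sig.SignerCertificate.Subject
        SignerOk      = $signerOk
    }
}

# If neither binary carries the flagged hash, search the whole install tree so the
# security team can tell a file hash from a per-instance process hash.
$installRoot = 'C:\Program Files\SAPIEN Technologies, Inc\PowerShell Studio 2023'
$match = Get-ChildItem -LiteralPath $installRoot -Recurse -File -ErrorAction SilentlyContinue |
         Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
         Where-Object { $_.Hash -ieq $flagged }
if ($match) {
    "Flagged hash belongs to on-disk file: $($match.Path)"
} else {
    "Flagged hash matches no file under $installRoot (likely a process/in-memory hash, not the file)."
}
```

If HashMatches is false or SigStatus is anything other than Valid, treat the binary as untrusted and submit it to the AV vendor as the reply advises; the second part of the script tells you whether the value Carbon Black reported is even a file hash that can be whitelisted.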