Product: PowerShell Studio 2022 (64 Bit)
Build: v5.8.208
OS: Windows 10 Enterprise (64 Bit)
Build: v10.0.22000.0
Running on Windows 10 and Windows 11
When opening PowerShell Studio, Bitdefender indicates "Suspicious activity blocked" - "PowerShell tried to load a malicious resource detected as Heur.BZC.ZFV.Boxter.21.92FB3D75 and was blocked. Your device is safe." Bitdefender also detects some of the EXE files created by PowerShell Studio as malware.
In CrowdStrike, when compiling scripts, we are getting alerts as well:
SEVERITY : Medium
OBJECTIVE : Falcon Detection Method
TACTIC & TECHNIQUE : Machine Learning via Sensor-based ML
TECHNIQUE ID : CST0007
SPECIFIC TO THIS DETECTION : A file written to the file-system meets the machine learning-based on-sensor AV protection's medium confidence threshold for malicious files.
TRIGGERING INDICATOR : Associated IOC (SHA256 on file write)
GLOBAL PREVALENCE : Unique
LOCAL PREVALENCE : Unique
IOC MANAGEMENT ACTION : None
Associated File : \Device\HarddiskVolume4\xxxxx\Scripting\SAPIEN\PowerShellStudio\Projects\xxxxx\bin\x64\RCXE748.tmp
CrowdStrike also detects some of our EXE files as malware.
Antivirus solutions detecting Powershell Studio as a virus
Forum rules
DO NOT POST LICENSE NUMBERS, ACTIVATION KEYS OR ANY OTHER LICENSING INFORMATION IN THIS FORUM.
Only the original author and our tech personnel can reply to a topic that is created in this forum. If you find a topic that relates to an issue you are having, please create a new topic and reference the other in your post.
Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
- Alexander Riedel
- Posts: 8479
- Last visit: Thu Mar 28, 2024 9:29 am
- Been upvoted: 37 times
Re: Antivirus solutions detecting Powershell Studio as a virus
All our software is continuously scanned for malicious software and all our downloads are showing no signs of problems.
Unfortunately we have no way of knowing, controlling or verifying what happens on your computer.
We generally recommend uploading suspicious files to https://www.virustotal.com/gui/home/upload
It will tell you which engines flag a file. In general if a small number of engines flag a file for different malware it can be considered a false positive.
To be absolutely safe, submit the files flagged to YOUR virus or malware scanning software vendor.
Please do not submit your potentially infected files to us.
Alexander Riedel
SAPIEN Technologies, Inc.
Re: Antivirus solutions detecting Powershell Studio as a virus
Thanks for your quick reply.
This does not really address the issue.
- The first issue is Bitdefender popping up a message "Suspicious activity blocked" when we open PowerShell Studio.
- The second issue is the .tmp being flagged by CrowdStrike when we run "Deploy" to create an EXE file; this .tmp file is created during the "Deploy" process and removed after the process is done.
- Alexander Riedel
- Posts: 8479
- Last visit: Thu Mar 28, 2024 9:29 am
- Been upvoted: 37 times
Re: Antivirus solutions detecting Powershell Studio as a virus
I apologize if I was not clear on that.
There is really nothing for us to address.
We have no alerts on any virus scan.
We cannot determine what happens on your computer.
We have absolutely no access to your computer.
We cannot investigate what your antivirus vendor does or does not do.
We are not using your malware detection software.
We cannot contact them to verify your files.
As this happens on your computer you must follow the steps outlined and contact your vendor. We cannot do that for you.
Alexander Riedel
SAPIEN Technologies, Inc.
- Alexander Riedel
- Posts: 8479
- Last visit: Thu Mar 28, 2024 9:29 am
- Been upvoted: 37 times
Re: Antivirus solutions detecting Powershell Studio as a virus
Reviewing your initial post, I notice you wrote:
"Suspicious activity blocked" - "PowerShell tried to load a malicious resource detected as Heur.BZC.ZFV.Boxter.21.92FB3D75"
If it is PowerShell loading something, it is likely the console embedded in PowerShell Studio.
Which would point to some kind of module loading from a profile. That would have nothing to do with PowerShell Studio and should also show up if you open ANY console.
Alexander Riedel
SAPIEN Technologies, Inc.
Re: Antivirus solutions detecting Powershell Studio as a virus
I removed all modules from my "\Documents\WindowsPowerShell\Modules" folder
Bitdefender is no longer popping up the message "Suspicious activity blocked"
Thank you for the catch.
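The root cause in this thread was a module auto-loaded by the embedded console from the user's profile/module path, not PowerShell Studio itself. The script below is an added example (not SAPIEN's code and not part of the original thread) that inventories what a PowerShell host picks up at startup: the four profile script locations exposed by $PROFILE and every script, manifest or DLL under the user-scoped Modules folder named in the thread. For each file it records the SHA256 hash and Authenticode status, which is exactly what you need to look a file up on VirusTotal or hand to your AV vendor before deleting a whole folder. The Documents\WindowsPowerShell\Modules path is the Windows PowerShell 5.1 location from the post; for PowerShell 7 the user folder is Documents\PowerShell\Modules, which is an assumption you may need to adjust.

```powershell
# Startup inventory for a PowerShell host: profile scripts + user-scoped modules.
# Added example, not SAPIEN's or the thread author's code.
# Assumption: user modules live under Documents\WindowsPowerShell\Modules (Windows PowerShell 5.1).

$docs        = [Environment]::GetFolderPath('MyDocuments')
$userModules = Join-Path $docs 'WindowsPowerShell\Modules'

# $PROFILE carries all four profile locations as note properties; any that exists
# is dot-sourced by the host (including an IDE-embedded console) on startup.
$profilePaths = @(
    $PROFILE.AllUsersAllHosts,
    $PROFILE.AllUsersCurrentHost,
    $PROFILE.CurrentUserAllHosts,
    $PROFILE.CurrentUserCurrentHost
)

function Get-StartupInventory {
    param(
        [string[]]$ProfilePaths = $profilePaths,
        [string]$ModuleRoot     = $userModules
    )

    $files = @()
    foreach ($p in $ProfilePaths) {
        if (Test-Path -LiteralPath $p) { $files += Get-Item -LiteralPath $p }
    }
    if (Test-Path -LiteralPath $ModuleRoot) {
        # Only the file types a module can actually load code from.
        $files += Get-ChildItem -LiteralPath $ModuleRoot -Recurse -File `
                      -Include *.psm1, *.psd1, *.ps1, *.dll
    }

    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
        [pscustomobject]@{
            Path      = $f.FullName
            SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            Signature = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Modified  = $f.LastWriteTime
        }
    }
}

# Unsigned or tampered files sort to the top; the SHA256 column is what you
# search for on VirusTotal or submit to your AV vendor.
Get-StartupInventory | Sort-Object Signature, Path | Format-Table -AutoSize
```

Run it from a plain console (not from inside the IDE) so the embedded host is not a factor; if the same flagged module appears here, the detection is about your profile or module path, as the reply above suggests. Removing only the specific module whose hash your vendor confirms as a detection is less disruptive than clearing the entire Modules folder.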