Antivirus solutions detecting Powershell Studio as a virus

This topic is 1 year and 8 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
ngb01414
Posts: 3
Last visit: Sat Oct 29, 2022 5:00 am

Antivirus solutions detecting Powershell Studio as a virus

Post by ngb01414 »

Product: PowerShell Studio 2022 (64 Bit)
Build: v5.8.208
OS: Windows 10 Enterprise (64 Bit)
Build: v10.0.22000.0

Running on Windows 10 and Windows 11

When opening Powershell Studio, Bitdefender indicates "Suspicious activity blocked" - "PowerShell tried to load a malicious resource detected as Heur.BZC.ZFV.Boxter.21.92FB3D75 and was blocked. Your device is safe." Bitdefender also detects some of the EXE files created by Powershell Studio as malware.

In CrowdStrike, when compiling scripts, we are getting alerts as well:
SEVERITY : Medium
OBJECTIVE : Falcon Detection Method
TACTIC & TECHNIQUE : Machine Learning via Sensor-based ML
TECHNIQUE ID : CST0007
SPECIFIC TO THIS DETECTION : A file written to the file-system meets the machine learning-based on-sensor AV protection's medium confidence threshold for malicious files.
TRIGGERING INDICATOR : Associated IOC (SHA256 on file write)
GLOBAL PREVALENCE : Unique
LOCAL PREVALENCE : Unique
IOC MANAGEMENT ACTION : None
Associated File : \Device\HarddiskVolume4\xxxxx\Scripting\SAPIEN\PowerShellStudio\Projects\xxxxx\bin\x64\RCXE748.tmp

Crowdstrike also detects some of our EXE files as malware.
Alexander Riedel
Posts: 8479
Last visit: Thu Mar 28, 2024 9:29 am
Answers: 20
Been upvoted: 37 times

Re: Antivirus solutions detecting Powershell Studio as a virus

Post by Alexander Riedel »

All our software is continuously scanned for malicious software and all our downloads are showing no signs of problems.
Unfortunately we have no way of knowing, controlling or verifying what happens on your computer.

We generally recommend uploading suspicious files to https://www.virustotal.com/gui/home/upload
It will tell you which engines flag a file. In general if a small number of engines flag a file for different malware it can be considered a false positive.
To be absolutely safe, submit the files flagged to YOUR virus or malware scanning software vendor.
Please do not submit your potentially infected files to us.
Alexander Riedel
SAPIEN Technologies, Inc.
ngb01414
Posts: 3
Last visit: Sat Oct 29, 2022 5:00 am

Re: Antivirus solutions detecting Powershell Studio as a virus

Post by ngb01414 »

Thanks for your quick reply.

This does not really address the issue.
- The first issue is Bitdefender popping up a message "Suspicious activity blocked" when we open PowerShell Studio.
- The second issue is the .tmp file being flagged by CrowdStrike when we run "Deploy" to create an EXE file; this .tmp file is created during the "Deploy" process and removed after the process is done.
Alexander Riedel
Posts: 8479
Last visit: Thu Mar 28, 2024 9:29 am
Answers: 20
Been upvoted: 37 times

Re: Antivirus solutions detecting Powershell Studio as a virus

Post by Alexander Riedel »

I apologize if I was not clear on that.
There is really nothing for us to address.

We have no alerts on any virus scan.

We cannot determine what happens on your computer.
We have absolutely no access to your computer.
We cannot investigate what your antivirus vendor does or does not do.
We are not using your malware detection software.
We cannot contact them to verify your files.

As this happens on your computer you must follow the steps outlined and contact your vendor. We cannot do that for you.
Alexander Riedel
SAPIEN Technologies, Inc.
Alexander Riedel
Posts: 8479
Last visit: Thu Mar 28, 2024 9:29 am
Answers: 20
Been upvoted: 37 times

Re: Antivirus solutions detecting Powershell Studio as a virus

Post by Alexander Riedel »

Reviewing your initial post, I notice you wrote:
"Suspicious activity blocked" - "PowerShell tried to load a malicious resource detected as Heur.BZC.ZFV.Boxter.21.92FB3D75"
If it is PowerShell loading something, it is likely the console embedded in PowerShell Studio, which would point to some kind of module loading from a profile. That would have nothing to do with PowerShell Studio and should also show up if you open ANY console.
Alexander Riedel
SAPIEN Technologies, Inc.
ngb01414
Posts: 3
Last visit: Sat Oct 29, 2022 5:00 am

Re: Antivirus solutions detecting Powershell Studio as a virus

Post by ngb01414 »

I removed all modules from my "\Documents\WindowsPowerShell\Modules" folder
Bitdefender is no longer popping up the message "Suspicious activity blocked"

Thank you for the catch.
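The triage that resolved this thread (profile scripts and user-scope modules loaded by the embedded console, then hashes submitted to VirusTotal or the AV vendor) can be done in one pass instead of deleting the whole Modules folder. The script below is an added example, not SAPIEN's or the poster's code: it enumerates the four profile variants and every script or manifest under the user's WindowsPowerShell\Modules folder named in the thread, records each file's SHA256, Authenticode status and last-write time, and prints the newest first so a recently dropped or modified file stands out. The Modules path is the Windows PowerShell 5.1 user-scope location and is an assumption; adjust it if your environment uses a different PSModulePath entry.

```powershell
# Added triage example (not from SAPIEN or the original poster).
# Lists what a PowerShell host will load at startup from the user's profile
# and user-scope Modules folder, with SHA256 hashes for VirusTotal / vendor lookup.

# Assumption: Windows PowerShell 5.1 user-scope module root (the folder named in the thread).
$userRoot = Join-Path $env:USERPROFILE 'Documents\WindowsPowerShell'

# All four profile scripts the current host may run, keeping only those that exist.
$profilePaths = @(
    $PROFILE.AllUsersAllHosts,
    $PROFILE.AllUsersCurrentHost,
    $PROFILE.CurrentUserAllHosts,
    $PROFILE.CurrentUserCurrentHost
) | Where-Object { $_ -and (Test-Path -Path $_) }

# Every script, module file and manifest under the user-scope Modules folder.
$moduleFiles = Get-ChildItem -Path (Join-Path $userRoot 'Modules') -Recurse -File `
    -Include *.ps1, *.psm1, *.psd1 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

# Build one record per file: path, hash to look up, signature status, last write time.
$report = foreach ($file in @($profilePaths) + @($moduleFiles)) {
    $hash = Get-FileHash -Path $file -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -FilePath $file
    [pscustomobject]@{
        Path      = $file
        SHA256    = $hash.Hash
        Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        LastWrite = (Get-Item -Path $file).LastWriteTime
    }
}

# Newest files first: a recently written or modified script is the usual suspect.
$report | Sort-Object -Property LastWrite -Descending | Format-Table -AutoSize

# Optional: export so the hashes can be sent to the AV vendor rather than the files.
$report | Export-Csv -Path (Join-Path $env:TEMP 'ps-startup-inventory.csv') -NoTypeInformation
```

Run it from a plain Windows PowerShell console, not from inside PowerShell Studio, so the inventory reflects exactly what any host loads; a file that is unsigned, recently modified, and whose hash is flagged by more than a handful of VirusTotal engines is worth removing or submitting, while a single-engine heuristic hit on a known module is the false-positive case Alexander describes.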