False Positive From Running Powershell Commands Batch File At Command Prompt. Any Suggestions?

DIVERSE
DIVERSE ✭✭✭

FALSE POSITIVE

I got a false positive today from running PowerShell commands through a batch file at the command prompt in Windows 8.1 x64 with BIS 26.0.32.116.

In short, the Skript I run looks for differences between files at two user-specified paths (vaguely like the command "fc", but batched and using analogous PowerShell commands). BTW, the command prompt was not elevated (i.e. it did not have Administrator rights). I ran the Skript, I think, twice successfully with no complaints from BIS, and only on the third occasion did BIS take action: the CMD window was immediately shut down, and I was unable to re-open any CMD window (for a period of several minutes). I think the Windows message was something like "Don't have privileges to run ...." [I had also run the same Skript once only yesterday, with no action from BIS.]

INITIAL (CURSORY) NOTIFICATION

Initially I just got a notification in the System Tray saying something along the lines of "Threat detected. Please wait while it is disinfected." It was kind of frustrating that I couldn't get any further information about this supposed threat by clicking the notification or by opening the main BIS interface.  

And if I had been able to immediately confirm that (as I suspected, based on what I was doing and the fact that CMD suddenly shut down) the issue was with 'safe' commands that I had initiated at the command prompt, then I might have had the opportunity to override the disinfection process — similar to the way a user can cancel the scanning of a USB drive that was auto-initiated when it was plugged in.

SUBSEQUENT (MORE DETAILED) NOTIFICATION

After roughly 3 or 4 minutes a new notification was listed in the main GUI, and below are the resulting screenshots.

INTERLUDE

I got blocked from posting this several times by Cloudflare (even with a different IP and ISP!). Maybe something to do with the word "Skript", which I have spelled in the German way to avoid it being replaced with "******".

This is now my fifth or sixth roughly my tenth attempt to post, and by crikey it's frustrating!!!

LATER BEHAVIOUR/CONFIGURATION

Fortunately, BIS did not delete either my batch file (*.bat) or my PowerShell Skript file (*.ps1). [They are set as read-only, although I assume that wouldn't be the governing factor.]

I found, after trying again 15 or 20 minutes later, that I could now open the command prompt again. However, there was no evident notification to me, the user, explaining that the "disinfection" process was now complete and that the executable (cmd.exe) was now safe to use again.

Note: it seems that the 'filenames' (without spaces) were triggering Cloudflare to prevent me from posting!

FUTURE OPTIONS

I would like to run this type of Skript again in future.  

What would be the best way to avoid the false-positive from BIS?  

  • I am speculating that I could white-list cmd.exe, but I am reluctant to do that (without specific reassurances).
  • I would be more open to white-listing my Skript files, but I don't think BIS is basing its actions on the particular Skript file names, but rather on the aggregate of commands issued within the command prompt.
  • Alternatively, I would be willing to send these two small Skript files through to Bitdefender, for them to analyse.

A selection of the Cloudflare identifiers for forum post debugging*:

  • Cloudflare Ray ID: 7851e4653eb95ac0
  • Cloudflare Ray ID: 7851f7dfbe283772
  • Cloudflare Ray ID: 7852061029f53772

* Just imagine that: a post about a false positive threat detection [by BIS], that was (repeatedly!) incorrectly flagged [by Cloudflare] as a malicious post!!!

-- DIVERSE

EDITED by @Gjoksi

The original post and the subsequent comments by the OP were merged into a single original post.
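The OP never posted the Skript itself; as an added example (not the OP's code), the following PowerShell script is the kind of thing described above: it takes two user-specified paths, hashes every file under each, reports files that exist on only one side or differ in content, and returns an fc-style exit code for the calling batch file. The batch-file invocation shown in the comment, including its flags, is an assumption.

```powershell
# Added example, not the OP's script. Assumed invocation from the batch file
# (flags are an assumption, not taken from the post):
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\Compare-Paths.ps1 "C:\src\a" "C:\src\b"
param(
    [Parameter(Mandatory)][string]$PathA,
    [Parameter(Mandatory)][string]$PathB
)

# Build a table of relative path -> SHA-256 for every file under a root.
# @{} is case-insensitive, which matches Windows path semantics.
function Get-TreeHashes([string]$Root) {
    $root  = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $table = @{}
    Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1)
        $table[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

$a = Get-TreeHashes $PathA
$b = Get-TreeHashes $PathB

# Classify every relative path seen in either tree.
$results = foreach ($rel in (@($a.Keys) + @($b.Keys) | Sort-Object -Unique)) {
    $state = if (-not $b.ContainsKey($rel))     { 'OnlyInA' }
             elseif (-not $a.ContainsKey($rel)) { 'OnlyInB' }
             elseif ($a[$rel] -ne $b[$rel])     { 'Differs' }
             else                               { 'Same' }
    [pscustomobject]@{ RelativePath = $rel; State = $state }
}

$diffs = @($results | Where-Object State -ne 'Same')
$diffs | Format-Table -AutoSize

# Exit code mirrors "fc": 0 when the trees are identical, 1 when any
# difference was found, so the batch file can test %ERRORLEVEL%.
exit ([int]($diffs.Count -gt 0))
```

Nothing in the script's content is what a behaviour blocker keys on; the observable event is cmd.exe launching powershell.exe with a script from an unelevated prompt, which is consistent with the thread's conclusion that white-listing the .ps1 alone is not a workaround and that submitting the files to the vendor is the practical route.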

Best Answer

  • Flexx
    Flexx Defender of the month mod
    edited January 8 Answer ✓

    Well, this is something that you would have to explain in detail to malware researchers, and hence you will have to provide the script files to them and the way to run them.

    Kindly share your query with the Bitdefender support team by dropping them an email at [email protected] and telling them the procedure to run the two batch files, so that they can further share the script files and the procedure to run them with malware researchers.

    The support team will reply to your query within the next 24-48 hours, excluding weekends.

    As far as the detection shown in the image goes, it is a behavior blocker that kicked in; it has nothing to do with the signature-based detections that are created by malware researchers.

    Regards

    OMEN Laptop 15-en1037AX (Bitdefender Total Security) & Samsung Galaxy S22 Ultra (Bitdefender Mobile Security)

Answers

  • DIVERSE
    DIVERSE ✭✭✭

    Thanks for merging my posts, Gjoksi. I suppose I could have done that too, but emotionally I was too far gone....

    Flexx, thanks for confirming my hunch that it was more likely a behaviour-blocker, so white-listing of files wouldn't be a workaround.

    I have emailed the team at the address you provided. ...In fact, I had been considering whether to only email BD privately in the first place, but then opted for the forum post because I considered that other users may possibly come across something similar, but also because I provided some critiques / constructive criticism of the notification process, and (lack of) opportunity for users to override the "disinfection" process — which I hope didn't get completely lost amongst the other technical details. (Oh, and besides the somewhat-less-diplomatic complaints about Cloudflare!)

    —DIVERSE

  • DIVERSE
    DIVERSE ✭✭✭

    Besides the option of emailing the file, I discovered there's also a website form at

    Just mentioning it here for completeness.

    Also, as a follow-up, the team at Bitdefender did analyse the file, and (after a couple of weeks, as far as I vaguely recall) in a later version of the Bitdefender Internet Security software I was able to run my Skript without problem.

    So it is pleasing that they took the feedback on and improved the product to enhance the customer experience :-)