False Positive From Running Powershell Commands Batch File At Command Prompt. Any Suggestions?

DIVERSE
DIVERSE ✭✭✭

FALSE POSITIVE

I got a false positive today from running Powershell commands through a batch file at the command prompt in Windows 8.1 x64 with BIS 26.0.32.116. 

In short, the Skript I run looks for differences between files at two user-specified paths (vaguely like the command "fc", but batched and using analogous Powershell commands). BTW, the command prompt was not elevated (i.e. it did not have Administrator rights). I think I ran the Skript twice successfully with no complaints from BIS, and only on the third occasion did BIS take action: the CMD window got immediately shut down, and I was unable to re-open any CMD window (for a period of several minutes). I think the Windows message was something like "Don't have privileges to run ...." [I had also run the same Skript once-only yesterday, with no action from BIS.]

INITIAL (CURSORY) NOTIFICATION

Initially I just got a notification in the System Tray saying something along the lines of "Threat detected. Please wait while it is disinfected." It was kind of frustrating that I couldn't get any further information about this supposed threat by clicking the notification or by opening the main BIS interface.  

And if I had been able to immediately confirm that (as I suspected, based on what I was doing and the fact that CMD suddenly shut down) the issue was with 'safe' commands that I had initiated at the command prompt, then I might have had the opportunity to override the disinfection process — in a similar way to the user's ability to cancel the scanning of a USB drive that was auto-initiated when plugged in.

SUBSEQUENT (MORE DETAILED) NOTIFICATION

After roughly 3 or 4 minutes a new notification was listed in the main GUI, and below are the resulting screenshots.

INTERLUDE

I got blocked from posting this several times by Cloudflare (even with a different IP and ISP!). Maybe something to do with the word "Skript", which I have spelled in the German way to avoid it being replaced with "******".

This is now my fifth or sixth roughly my tenth attempt to post, and by crikey it's frustrating!!!

LATER BEHAVIOUR/CONFIGURATION

Fortunately, BIS did not delete either my batch file (*.bat) or my Powershell Skript file (*.ps1). [They are set as read-only, although I assume that wouldn't be the governing factor.]

I found after trying again ~15 or 20 minutes afterward that I can now open the command prompt again. However, there was no evident notification to me, the user, explaining that the "disinfection" process is now complete, and the executable (cmd.exe) is now safe to use again.

Note: it seems that the 'filenames' (without spaces) were triggering Cloudflare to prevent me from posting!

FUTURE OPTIONS

I would like to run this type of Skript again in future.  

What would be the best way to avoid the false-positive from BIS?  

  • I am speculating that I could white-list cmd.exe, but I am reluctant to do that (without specific reassurances).  
  • I would be more open to white-listing my Skript files, but I don't think BIS is basing its actions on the particular Skript file names, but rather on the aggregate of commands issued within the command prompt.  
  • Alternatively, I would be willing to send through these two small Skript files to Bitdefender, for them to analyse.

A selection of the Cloudflare identifiers for forum post debugging*:

  • Cloudflare Ray ID: 7851e4653eb95ac0
  • Cloudflare Ray ID: 7851f7dfbe283772
  • Cloudflare Ray ID: 7852061029f53772

* Just imagine that: a post about a false positive threat detection [by BIS], that was (repeatedly!) incorrectly flagged [by Cloudflare] as a malicious post!!!

-- DIVERSE

EDITED by @Gjoksi

The original post and the subsequent comments by the OP were merged into a single original post.

Best Answer

  • Flexx
    Flexx DEFENDER OF THE YEAR 2023 / DEFENDER OF THE MONTH ✭✭✭✭✭ mod
    edited January 2023 Answer ✓

    Well, this is something that you would have to explain in detail to the malware researchers, and hence you will have to provide the script files to them, together with the way to run them.

    Kindly share your query with the Bitdefender support team by dropping them an email at bitsy@bitdefender.com and telling them the procedure to run the two batch files, so that they can further share the script files and the procedure to run them with the malware researchers.

    The support team will reply to your query within the next 24-48 hours, excluding weekends.

    As far as the detection shown in the image goes, it is the behavior blocker that kicked in; it has nothing to do with the signature-based detections that are created by malware researchers.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

Answers

  • DIVERSE
    DIVERSE ✭✭✭

    Thanks for merging my posts, Gjoksi. I suppose I could have done that too, but emotionally I was too far gone....

    Flexx, thanks for confirming my hunch that it was more likely a behaviour-blocker, so white-listing of files wouldn't be a workaround.

    I have emailed the team at the address you provided. ...In fact, I had been considering whether to only email BD privately in the first place, but then opted for the forum post because I considered that other users may possibly come across something similar, but also because I provided some critiques / constructive criticism of the notification process, and (lack of) opportunity for users to override the "disinfection" process — which I hope didn't get completely lost amongst the other technical details. (Oh, and besides the somewhat-less-diplomatic complaints about Cloudflare!)

    —DIVERSE

  • Besides the option of emailing the file, I discovered there's also a website form at

    Just mentioning it here for completeness.

    Also, as a follow-up, the team at Bitdefender did analyse the file, and (after a couple of weeks, as far as I vaguely recall) in a later version of the Bitdefender Internet Security software I was able to run my Skript without problem.

    So it is pleasing that they took the feedback on and improved the product to enhance the customer experience :-)