False Positive From Running Powershell Commands Batch File At Command Prompt. Any Suggestions?
I got a false positive today from running Powershell commands through a batch file at the command prompt in Windows 8.1 x64 with BIS 220.127.116.11.
In short, the Skript I run looks for differences between files at two user-specified paths (vaguely like the command "fc", but batched and using analogous Powershell commands). BTW, the command prompt was not elevated (i.e. it did not have Administrator rights). I ran the Skript I think twice successfully with no complaints from BIS, and only on the third occasion BIS took action: the CMD window got immediately shut down, and I was unable to re-open any CMD window (for a period of several minutes). I think the Windows message was something like "Don't have privileges to run ...." [I had also run the same Skript once-only yesterday, with no action from BIS.]
INITIAL (CURSORY) NOTIFICATION
Initially I just got a notification in the System Tray saying something along the lines of "Threat detected. Please wait while it is disinfected." It was kind of frustrating that I couldn't get any further information about this supposed threat by clicking the notification or by opening the main BIS interface.
And if I had been able to immediately confirm that (as I suspected, based on what I was doing and the fact that CMD suddenly shut down) the issue was with 'safe' commands that I had initiated at the command prompt, then I might have had the opportunity to override the disinfection process — in a similar way to the ability of the user to cancel the scanning of a USB drive that was auto-initiated when plugged in.
SUBSEQUENT (MORE DETAILED) NOTIFICATION
After roughly 3 or 4 minutes a new notification was listed in the main GUI, and below are the resulting screenshots.
I got blocked from posting this several times by Cloudflare (even with a different IP and ISP!). Maybe something to do with the word "Skript", which I have spelled in the German way to avoid it being replaced with "******".
This is now ~~my fifth or sixth~~ roughly my tenth attempt to post, and by crikey it's frustrating!!!
Fortunately, BIS did not delete either my batch file (* . bat) or my Powershell Skript file (*. ps1). [They are set as read-only, although I assume that wouldn't be the governing factor.]
I found after trying again ~15 or 20 minutes afterward that I can now open the command prompt again. However, there was no evident notification to me, the user, explaining that the "disinfection" process is now complete, and the executable (cmd . exe) is now safe to use again.
Note: it seems that the 'filenames' (without spaces) were triggering Cloudflare to prevent me from posting!
I would like to run this type of Skript again in future.
What would be the best way to avoid the false-positive from BIS?
- I am speculating that I could white-list cmd . exe, but I am reluctant to do that (without specific reassurances).
- I would be more open to white-listing my Skript files, but I don't think BIS is basing its actions on the particular Skript file names, but rather on the aggregate of commands issued within the command prompt.
- Alternatively, I would be willing to send through these two small Skript files to Bitdefender, for them to analyse.
A selection of the Cloudflare identifiers for forum post debugging*:
Cloudflare Ray ID: 7851e4653eb95ac0
Cloudflare Ray ID: 7851f7dfbe283772
Cloudflare Ray ID: 7852061029f53772
* Just imagine that: a post about a false positive threat detection [by BIS], that was (repeatedly!) incorrectly flagged [by Cloudflare] as a malicious post!!!
EDITED by @Gjoksi
The original post and the next comments by the OP merged into single original post.