False Positive From Running Powershell Commands Batch File At Command Prompt. Any Suggestions?

FALSE POSITIVE
I got a false positive today from running Powershell commands through a batch file at the command prompt in Windows 8.1 x64 with BIS 26.0.32.116.
In short, the Skript I run looks for differences between files at two user-specified paths (vaguely like the command "fc", but batched and using analogous Powershell commands). BTW, the command prompt was not elevated (i.e. it did not have Administrator rights). I ran the Skript I think twice successfully with no complaints from BIS, and only on the third occasion BIS took action: the CMD window got immediately shut down, and I was unable to re-open any CMD window (for a period of several minutes). I think the Windows message was something like "Don't have privileges to run ...." [I had also run the same Skript once-only yesterday, with no action from BIS.]
INITIAL (CURSORY) NOTIFICATION
Initially I just got a notification in the System Tray saying something along the lines of "Threat detected. Please wait while it is disinfected." It was kind of frustrating that I couldn't get any further information about this supposed threat by clicking the notification or by opening the main BIS interface.
And if I had been able to immediately confirm that (as I suspected, based on what I was doing and the fact that CMD suddenly shut down) the issue was with 'safe' commands that I had initiated at the command prompt, then I might have had the opportunity to override the disinfection process — a similar way to the ability of the user to cancel the scanning of a USB drive that was auto-initiated when plugged in.
SUBSEQUENT (MORE DETAILED) NOTIFICATION
After roughly 3 or 4 minutes a new notification was listed in the main GUI, and below are the resulting screenshots.
INTERLUDE
I got blocked from posting this several times by Cloudflare (even with a different IP and ISP!). Maybe something to do with the word "Skript", which I have spelled in the German way to avoid its being replaced with "******".
This is now roughly my tenth attempt to post, and by crikey it's frustrating!!!
LATER BEHAVIOUR/CONFIGURATION
Fortunately, BIS did not delete either my batch file (*.bat) or my Powershell Skript file (*.ps1). [They are set as read-only, although I assume that wouldn't be the governing factor.]
I found, after trying again ~15 or 20 minutes later, that I could now open the command prompt again. However, there was no evident notification to me, the user, explaining that the "disinfection" process was now complete and that the executable (cmd.exe) was safe to use again.
Note: it seems that the 'filenames' (without spaces) were triggering Cloudflare to prevent me from posting!
FUTURE OPTIONS
I would like to run this type of Skript again in future.
What would be the best way to avoid the false-positive from BIS?
- I am speculating that I could white-list cmd.exe, but I am reluctant to do that (without specific reassurances).
- I would be more open to white-listing my Skript files, but I don't think BIS is basing its actions on the particular Skript file names, but rather on the aggregate of commands issued within the command prompt.
- Alternatively, I would be willing to send through these two small Skript files to Bitdefender, for them to analyse.
A selection of the Cloudflare identifiers for forum post debugging*:
Cloudflare Ray ID: 7851e4653eb95ac0 •
Cloudflare Ray ID: 7851f7dfbe283772 •
Cloudflare Ray ID: 7852061029f53772 •
* Just imagine that: a post about a false positive threat detection [by BIS], that was (repeatedly!) incorrectly flagged [by Cloudflare] as a malicious post!!!
-- DIVERSE
EDITED by @Gjoksi
The original post and the next comments by the OP merged into single original post.
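For readers who want to reproduce the kind of job the OP describes (a batched, "fc"-like comparison of files under two user-specified paths, written in PowerShell and launched from a batch file), here is an added example. It is not the OP's Skript and nothing in the thread states what the OP's files contained; the script name Compare-Trees.ps1, the parameter names and the SHA-256 comparison are assumptions made for illustration.

```powershell
# Compare-Trees.ps1 (added example, not the OP's script)
# Lists files that exist only under -Left, only under -Right, or exist under
# both but differ in content (compared by SHA-256 hash, not byte-by-byte).
# Usage: powershell.exe -NoProfile -File .\Compare-Trees.ps1 -Left C:\a -Right D:\b
param(
    [Parameter(Mandatory = $true)][string]$Left,
    [Parameter(Mandatory = $true)][string]$Right
)

# Returns one object per file: its path relative to $Root and its SHA-256 hash.
function Get-RelativeHashes {
    param([Parameter(Mandatory = $true)][string]$Root)
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath
    Get-ChildItem -LiteralPath $rootFull -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length).TrimStart('\')
            Hash         = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Index both trees by relative path so the comparison is a dictionary lookup.
$leftFiles = @{}
Get-RelativeHashes -Root $Left | ForEach-Object { $leftFiles[$_.RelativePath] = $_.Hash }
$rightFiles = @{}
Get-RelativeHashes -Root $Right | ForEach-Object { $rightFiles[$_.RelativePath] = $_.Hash }

# Union of paths from both sides, reported in a stable order.
$allPaths = (@($leftFiles.Keys) + @($rightFiles.Keys)) | Sort-Object -Unique
foreach ($p in $allPaths) {
    if (-not $rightFiles.ContainsKey($p)) {
        "ONLY IN LEFT : $p"
    }
    elseif (-not $leftFiles.ContainsKey($p)) {
        "ONLY IN RIGHT: $p"
    }
    elseif ($leftFiles[$p] -ne $rightFiles[$p]) {
        "DIFFERENT    : $p"
    }
}
```

A batch wrapper would call this as `powershell.exe -NoProfile -File "%~dp0Compare-Trees.ps1" -Left "%~1" -Right "%~2"`. The example deliberately does not pass `-ExecutionPolicy Bypass` or `-EncodedCommand`: those switches are widely used by malicious script launchers, and a behaviour-based engine judges the cmd.exe to powershell.exe process chain and its command line rather than the script's filename, which is why white-listing the .bat or .ps1 alone would not be expected to help. The example therefore assumes an execution policy that already permits local scripts (for instance RemoteSigned with the file created locally).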
Best Answer
Well, this is something you would have to explain in detail to the malware researchers, so you will have to provide the script files to them along with the way to run them.
Kindly share your query with the Bitdefender support team by emailing [email protected] and describing the procedure to run the two batch files, so that they can pass the script files and the procedure on to the malware researchers.
The support team will reply to your query within the next 24-48 hours, excluding weekends.
As far as the detection shown in the image goes, it was the behavior blocker that kicked in; it has nothing to do with the signature-based detections created by malware researchers.
Regards
OMEN Laptop 15-en1037AX (Bitdefender Total Security) & Samsung Galaxy S22 Ultra (Bitdefender Mobile Security)
Answers
Thanks for merging my posts, Gjoksi. I suppose I could have done that too, but emotionally I was too far gone....
Flexx, thanks for confirming my hunch that it was more likely a behaviour-blocker, so white-listing of files wouldn't be a workaround.
I have emailed the team at the address you provided. ...In fact, I had been considering whether to only email BD privately in the first place, but then opted for the forum post because I considered that other users may possibly come across something similar, but also because I provided some critiques / constructive criticism of the notification process, and (lack of) opportunity for users to override the "disinfection" process — which I hope didn't get completely lost amongst the other technical details. (Oh, and besides the somewhat-less-diplomatic complaints about Cloudflare!)
—DIVERSE
Besides the option of emailing the file, I discovered there's also a website form at
Just mentioning it here for completeness.
Also, as a follow-up, the team at Bitdefender did analyse the file, and (after a couple of weeks, as far as I vaguely recall) in a later version of the Bitdefender Internet Security software I was able to run my Skript without problem.
So it is pleasing that they took the feedback on and improved the product to enhance the customer experience :-)