ATD keeps blocking powershell, how to get rid of it?
Powershell keeps being blocked witjh the following command lines:
powershell -ep bypass -c &{$y= gc eCednSi.log; $y | iex})
Avery method to get rid of it or to find the cause did fail, what should I do?
Thank you very much
Comments
-
Hello.
I've seen topics here in the Community about Bitdefender's Advanced Threat Defense blocking PowerShell scripts or something connected with PowerShell.
I think that only the malware research engineers at Bitdefender Labs can help you.
So, you should do the following steps:
First, take screenshot(s) of the issue,
create a log file on your Windows device using Bitdefender Support Tool, by following these steps:
https://www.bitdefender.com/consumer/support/answer/1733/
and
create a log file on your Windows device using BDsysLog, by following these steps:
https://www.bitdefender.com/consumer/support/answer/1922/
Next, contact Bitdefender Consumer Support by e-mail:
with short description of the issue.
After that, you will get an automated reply by the Bitdefender Customer Care Team, with your ticket number.
Now, in reply to that automated reply, you can send the screenshot(s) you already took and the log files you already created in the first step.
Since you are all done, just wait for the support engineers to investigate your issue and find a solution to fix the issue.
Remember that the screenshot(s) and the log files will help a lot to the support engineers for better and faster investigation on your issue and finding a solution.
Regards.
1 -
Hello @Urbaman and welcome to the Community!
Advanced Threat Defense continuously monitors the applications and processes running on your computer. It monitors suspicious activities such as copying files to important Windows operating system folders, executing or injecting code into other processes, multiplying them, changing Windows registry or installing drivers.
It uses an innovative way of detecting ransomware and zero-day threats in real-time using advanced heuristic methods. This method is different from traditional malware detection, which involves identifying malware using the virus signature database.
Bitdefender is monitoring a list of processes that are known to be used in performing fileless attacks. This list includes processes such as autoit.exe, bitsadmin.exe, cscript.exe, java.exe, javaw.exe, miprvse.exe, net.exe, netsh.exe, powershell.exe, powershell_ise.exe, py.exe, python.exe, regedit.exe, regsvr32.exe, rundll32.exe, schtasks.exe, and wscript.exe.
When a new process starts on the machine protected by Bitdefender technologies, the command-line is extracted and sent as a buffer to the scanning engines, augmenting the scanning context with information regarding the original process path and the parent process. The buffers identified as commands (cmd’s), found in other file types, like LNK, JOB, BAT and PS1 are also scanned.
There have been numerous attacks that shared the Powershell component, hence the need to be on guard against any possible attacks exploiting it. User generated scripts may end up being detected as false positives in this context.
For this scenario, you may submit the false positive detection to our malware labs using the form at the link below:
https://www.bitdefender.com/consumer/support/answer/29358/
Fileless malware infections appeared in August 2014, when the Poweliks Trojan made its debut. It was initially engineered to perform click-fraud, but it evolved into a registry-based threat. This specimen found its way into the system by exploiting a Microsoft Word vulnerability. It used PowerShell and JavaScript along with shellcode to jumpstart its in-memory execution.
Another fileless malware specimen that gained attention in 2015 was Kovter. In that incarnation, the Kovter’s infection technique closely resembled that of Poweliks. Even when starting the infection with a malicious Windows executable, the specimen removed that file after storing obfuscated or encrypted artifacts in the registry. At least one of its variations maintained persistence by using a shortcut file that executed JavaScript. This ****** launched PowerShell and executed shellcode to launch a non-malicious application after injecting malicious code into it.
In mid-2016, the PowerSniff infection began with a Microsoft Word document with a malicious macro. The in-memory mechanics of this specimen resembled some aspects of Kovter and involved a PowerShell ****** that executed shellcode, which decoded and executed additional malicious payload, operating solely in memory. PowerSniff had the ability to temporarily save a malicious DLL to the file system.
In early 2017, another sophisticated attack, named POSHSPY, used the Windows Management Instrumentation (WMI) capabilities of the OS to maintain persistence and relied on PowerShell for its payload. The specimen had the ability to download executable files, which it would save to the file system.
Best regards.
Premium Security & Bitdefender Endpoint Security Tools user
3