identified it as Heur.BZC.ZFV.Boxter.

aminnazari-devops · 2024-04-09T13:23:37+00:00

There was an error rendering this rich post.

Hello:)))
we use one of the Azure DevOps tasks that run to manage IIS in a remote server
for almost 5 months (after upgrading Azure DevOps) this task worked correctly and in November/2023 I got this error in the Azure DevOps panel "This s.c.r.i.p.t contains malicious content and has been blocked by your antivirus software"
I logged in to the server to check the Bitdefender panel to get more details and I could find this error in the panel "On-Access scanning has detected malicious behavior on C:\agent\Agent-Release-02_work_tasks\IISWebAppMgmt_0f5cd14f-3c01-4d5c-8f7a-eb96c5738dcc\3.2.0\Utility.ps1 and identified it as Heur.BZC.ZFV.Boxter.191.DEB17473.No action taken. The item will be handled further on by powershell.exe (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe). This is an Antimalware Scan Interface (AMSI) detection"

I can't understand the problem why Bitdefender must block it.
I think it's a false positive but I need to be sure, am I right?
also, I couldn't understand what AMSI does in Bitdefender and exactly with this PowerShell

I can give the link to the task that Azure DevOps uses to run if it could understand more about it

[*url removed by @Flexx*]

Find more posts tagged with

blocked

windows

Comments

Gjoksi

Hello.
Since you need help with business product, Andrei_S Enterprise (who provides support for business products) could take a look here and help you with the issue.
Also, you can always contact the Bitdefender business support:
https://www.bitdefender.com/business/support/en/71263-85158-contact.html
Regards.

Andrei_S Enterprise

Hello @aminnazari-devops ,

In order to confirm if the detection is a false positive we need our Antimalware team to analyze the file. Please submit a ticket directly to them attaching the file to https://www.bitdefender.com/business/submit.html .

Kind Regards,

Andrei

Flexx

https://community.bitdefender.com/en/discussion/comment/337584#Comment_337584

Hi Andrei,

Just a quick question:

I understand we have different forum submissions regarding the malware submission to the Bitdefender Malware Research Team. However, if we also use the home forum link to submit malware to the Bitdefender Malware Research Team, it will act the same. This is because any sample sent to the Malware Research Team will be checked for both products, whether it is for enterprise or home. This means that the malware researchers will know if the malware is detected by both or either one of the products, and can adjust detections accordingly for false positives or false negatives. Since there is only one Malware Research Team that deals with both enterprise and home malware detection, if I am not wrong.

Regards

Andrei_S Enterprise

Hello @Flexx ,

I have little visibility on the home products but I can say that indeed there is one Malware Research Team and when a file is analyzed for false positive or false negative detections and an adjustment is needed (remove or add a detection), the signature update that includes this adjustment will be applied to both home and enterprise engines.

Kind Regards,

Andrei

Flexx

https://community.bitdefender.com/en/discussion/comment/337638#Comment_337638

To add here, the confirmation I had from malware research in the past was that the business product has some signature-based detections that are not available in home products. The reason being that those particular files were only a threat to business organizations and not to home users, which in itself is a little weird.

Nevertheless, I appreciate your response. Thanks!

Regards

Andrei_S Enterprise

I think @Alexandru_BD from the consumer side of the business can provide his thoughts on this topic as he is more familiar than me with the home products.

@Alexandru_BD any thoughts on this?

Alexandru_BD

Hi,

Perhaps the malware researchers could share more insights to clarify the reasons behind this approach. My personal opinion is that this is related to more specific and in some cases unique requirements. I think the inclusion of certain signature-based detections in business solutions that may not be available in consumer products is driven by the distinct needs, threat landscapes, and risk profiles. These detections are often tailored to address specific threats and regulatory compliance requirements relevant to organizations, and they may be part of a comprehensive security strategy designed to protect sensitive data and critical infrastructure. But again, this doesn't mean that home user solutions are less efficient or their detection levels are inferior, it's just that business solutions often offer more extensive customization and configuration options than consumer-oriented security products. This allows organizations to tailor the security solution to their specific environment and threat landscape, including enabling or fine-tuning signature based detections based on their unique requirements.

Companies often have specialized requirements and regulatory compliance obligations that necessitate more advanced threat detection capabilities. Signature-based detections may be developed to address specific threats or compliance requirements relevant to their business. In a nutshell, we are talking about a different target audience and threat landscape.

The enterprise solutions are typically designed to protect organizations from sophisticated and targeted attacks, which may involve malware specifically crafted to exploit vulnerabilities in business environments. These threats may not be as prevalent or relevant to home users who are less likely to be targeted by such attacks. Therefore, business solutions may include specific signature-based detections tailored to the threats faced by organizations.

When learning these facts, it becomes obvious that the two solutions cannot be identical, hence their capabilities may differ, this also explains why the portfolio is split between home user solutions and business solutions, according to the specific needs and requirements of each of these two environments.

Flexx

https://community.bitdefender.com/en/discussion/comment/337679#Comment_337679

@Alexandru_BD the discussion isn't about different features, just about the way malware detection is done using signatures made by researchers. Other companies use the same signatures in both their home and business products, but Bitdefender doesn't. Bitdefender's own malware researchers confirmed this. It's normal to offer different AI and ML features to home and business users, but having different signatures seems strange. Could you talk to one of our malware researchers, especially those who work with Windows malware, to understand more?

Regards

aminnazari-devops

I say hi to all of you :)))

just I was a little confused,
I will submit a ticket again to analyze the files
but I wanna know what AMSI does at this level.
I mean rules of the AMSI handled on the Bitdefender side or does Windows manage AMSI and Bitdefender use their knowledge?

Best Wishes

Flexx

https://community.bitdefender.com/en/discussion/comment/337695#Comment_337695

@Andrei_S Enterprise will be back on Monday to address your query.

Regards

Andrei_S Enterprise

Hello @aminnazari-devops ,

I think this article covers your question https://www.bitdefender.com/business/support/en/77212-342932-on-execute.html#UUID-547ea373-3340-aa72-a552-29bebd4fb4c0 .

As per our documentation:

Antimalware Scan Interface Security Provider scans content at a deeper level using Windows Antimalware Scan Interface (AMSI) integration. Scripts, files, URLs, and others are sent by different services that require a security analysis before accessing, running, or writing them to the disk. Additionally, you can control whether to report the outcome of the Antimalware module analysis further to the AMSI services or not.

Kind Regards,

aminnazari-devops

https://community.bitdefender.com/en/discussion/comment/337787#Comment_337787

Thanks for your answer
the latest thing that prefer to ask is, when something is blocked by Bitdefender specially AMSI should check by Bitdefender team understand a false_positive or false_negative, or if it's on the Microsoft team to check the Windows AMSI
notice I don't know if this one is created by Bitdefender or if that's a service that Microsoft created and other applications can use.

Best Wishes

Andrei_S Enterprise

Hello,

AMSI it's just a tool (an interface) that we use for scanning for different types of objects but the detection is owned by Bitdefender so if a file is detected as false_positive or false_negative it is first necessary to be review by the antimalware team and if they consider the detection as false they will update the signature to exclude that object.

Kind Regards,

aminnazari-devops

Thanks a lot

Best Wishes

Flexx

https://community.bitdefender.com/en/discussion/comment/337683#Comment_337683

@Alexandru_BD did you had any conversation with the malware research team regarding this?

Regards

jfsharp

I am a Bitdefender home user.

I also received a "Suspicious activity blocked" message::

Feature:Antivirus

PowerShell tried to load a malicious resource detected as Heur.BZC.ZFV.Boxter.222.674CE53C and was blocked. Your device is safe.

I was attempting to run a (simple) PowerShell ****** that - supposedly - would "capture" a web-page and save it as an html-file locally using Firefox and "SendKeys" capability.

The text of the PowerShell ****** is:

[system.Diagnostics.Process]::Start("Firefox","https://www.cmegroup.com/markets/energy/crude-oil/light-sweet-crude.settlements.html")

Sleep 2;

$obj_Shell = New-Object -ComObject wscript.shell; $obj_Shell.AppActivate('Firefox'); Sleep 1;

$obj_Shell.SendKeys("^(f)a^(t){DOWN}{UP}{TAB}^(s)"); Sleep 3;

$obj_Shell.SendKeys("{ENTER}");

Select-String -Path "C:\temp\CME.html"

Regardless of the URL I use on the first line, I get the Bitdefender message.

I, as I believe the OP, believe this to be a "false-positive" but don't understand what is triggering it.

Can you provide more info? Is there a way to get around this?

Thanks.