F-Secure blocks PowerShell

As of this morning (2020-03-03) we're unable to execute PowerShell commands on both client workstations and servers.

Even a simple get-childitem returns:

The 'Get-ChildItem' command was found in the module 'Microsoft.PowerShell.Management', but the module could not be loaded.

If we stop the "F-Secure Ultralight Network Hoster" service, the commands execute just right.


Also when we try to execute a PS1-file we get the following error:

"This script contains malicious content and has been blocked by your antivirus software."

Answers

  • KlausRN Posts: 3

    Can anyone verify this?


    Client Security: v14.21

    Def: 2020-03-03_02


    Server Security: 14.00

    Def: 2020-03-03_02

  • Same problem here. Does not occur with similar machines without F-Secure installed.

  • DannyMalvang Posts: 10 New Member

    I have the same issue. Disabling F-Secure resolves the issue so it is F-Secure doing something.

    But there is nothing logged, so I can't see what is going on.

    /Danny

  • DannyMalvang Posts: 10 New Member

    New update pushed through right now. It works again.

    /Danny

  • Kaup Posts: 2

    Same issue here. Updated Policy Manager from version 14.02 to 14.41 yesterday. Clients using version 14.02 and 14.21.

    VBS and PowerShell scripts get blocked without showing any information in F-Secure.

  • KlausRN Posts: 3

    Yes, same here.

    /Klaus

  • MonikaL Posts: 211 Moderator
    edited March 2020

    Hi,

    The false positive detection Trojan-Spy:W32/Powershell_Mimikatz.B that is causing Real-Time scanning to block the Windows PowerShell from being executed has already been removed and the changes are made by 03-03-2020 09:00 UTC.

    This detection unintentionally triggered on Windows PowerShell and was introduced in the version F-Secure Hydra Update 2020-03-03_01 at 2020-03-03 05:50 UTC.

    The fix was released in the following version: F-Secure Hydra Update 2020-03-03_02 at 2020-03-03 08:22 UTC.

    Regards,

    Monika

This discussion has been closed.