
F-Secure blocks powershell

KlausRN
KlausRN Posts: 3 Contributor

As of this morning (2020-03-03) we're unable to execute powershell commands on both client workstations and servers.

Even a simple get-childitem returns:

The 'Get-ChildItem' command was found in the module 'Microsoft.PowerShell.Management', but the module could not be loaded.

If we stop the "F-Secure Ultralight Network Hoster" service, the commands execute just right.


Also when we try to execute a PS1-file we get the following error:

"This script contains malicious content and has been blocked by your antivirus software."

Answers

  • KlausRN
    KlausRN Posts: 3 Contributor

    Can anyone verify this?


    Client Security: v14.21

    Def: 2020-03-03_02


    Server Security: 14.00

    Def: 2020-03-03_02

  • el_veicco
    el_veicco Posts: 1 Contributor

    Same problem here. Does not occur with similar machines without F-Secure installed.

  • DannyMalvang
    DannyMalvang Posts: 10 Contributor

    I have the same issue. Disabling F-Secure resolves the issue so it is F-Secure doing something.

    But there is nothing logged, so I can't see what is going on.

    /Danny

  • DannyMalvang
    DannyMalvang Posts: 10 Contributor

    New update pushed through right now. It works again

    /Danny

  • Kaup
    Kaup Member Posts: 2 Contributor

    Same issue here. Updated Policy Manager from version 14.02 to 14.41 yesterday. Clients using version 14.02 and 14.21.

    VBS and PowerShell scripts get blocked without showing any information in F-Secure.

  • KlausRN
    KlausRN Posts: 3 Contributor

    Yes, same here.

    /Klaus

  • Kaup
    Kaup Member Posts: 2 Contributor
  • MonikaL
    MonikaL Posts: 205
    edited March 2020

    Hi,

    The false positive detection Trojan-Spy:W32/Powershell_Mimikatz.B that is causing Real-Time scanning to block Windows PowerShell from being executed has already been removed, and the changes are made by 03-03-2020 09:00 UTC.

    This detection unintentionally triggered on Windows Powershell and was introduced in the version F-Secure Hydra Update 2020-03-03_01 at 2020-03-03 05:50 UTC.

    The fix was released on the following version F-Secure Hydra Update 2020-03-03_02 at 2020-03-03 08:22 UTC.

    Regards,

    Monika

This discussion has been closed.
