To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

F-Secure blocks powershell

KlausRN
KlausRN W/ Alumni Posts: 3 Security Scout

As of this morning (2020-03-03) we're unable to execute powershell commands on both client workstations and servers.

Even a simple get-childitem returns:

The 'Get-ChildItem' command was found in the module 'Microsoft.PowerShell.Management', but the module could not be loaded.

If we stop the "F-Secure Ultralight Network Hoster" service, the commands executes just right.


Also when we try to execute a PS1-file we get the following error:

"This script contains malicious content and has been blocked by your antivirus software."

Answers

  • KlausRN
    KlausRN W/ Alumni Posts: 3 Security Scout

    Can anyone verify this?


    Client Security: v14.21

    Def: 2020-03-03_02


    Server Security: 14.00

    Def: 2020-03-03_02

  • el_veicco
    el_veicco W/ Alumni Posts: 1 Security Scout

    Same problem here. Does not occur with similar machines without F-Secure installed.

  • DannyMalvang
    DannyMalvang W/ Alumni Posts: 10 Security Scout

    I have the same issue. Disabling F-Secure resolves the issue so it is F-Secure doing something.

    But there is nothing is logged so I can't see what is going on

    /Danny

  • DannyMalvang
    DannyMalvang W/ Alumni Posts: 10 Security Scout

    New update pushed through right now. It works again

    /Danny

  • Kaup
    Kaup W/ Alumni Posts: 2 Security Scout

    Same issue here. Updated Policy Manager from version 14.02 to 14.41 yesterday. Clients using version 14.02 and 14.21.

    VBS and Powershell script get blocked without showing any information in F-Secure.

  • KlausRN
    KlausRN W/ Alumni Posts: 3 Security Scout

    Yes, same here.

    /Klaus

  • Kaup
    Kaup W/ Alumni Posts: 2 Security Scout
  • MonikaL
    MonikaL W/ Alumni Posts: 206 W/ Former Staff
    edited March 2020

    Hi,

    The false positive detection Trojan-Spy:W32/Powershell_Mimikatz.B that is causing Real-Time scanning to block the Windows PowerShell from being executed, has already been removed and the changes are made by 03-03-2020 09:00 UTC

    This detection unintentionally triggered on Windows Powershell and was introduced in the version F-Secure Hydra Update 2020-03-03_01 at 2020-03-03 05:50 UTC.

    The fix was released on the following version F-Secure Hydra Update 2020-03-03_02 at 2020-03-03 08:22 UTC.

    Regards,

    Monika

This discussion has been closed.