Endpoint Standard: .ps1 script alerted as known malware and blocked

Environment

  • Endpoint Standard Sensor: 3.6

Symptoms

  • A script executed by PowerShell is blocked, with an alert similar to:
    • The application powershell.exe ran a script file.ps1 that attempted to execute known malware. This script performs highly suspicious process injection behavior. A Deny policy action was applied.
  • Adding the script's SHA hash to the Approved List does not resolve the block

Cause

AMSI rules in the sensor block execution of the script. Because AMSI scans the script content at runtime, approving the file hash alone does not bypass this block.

Resolution

  1. If not already done, add the script hash to Enforce > Reputation > Approved List
  2. Upgrade to sensor version 3.7
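An added triage helper (not Carbon Black's own tooling) that collects what the two steps above need: the SHA-256 of the blocked script for the Approved List, and the installed sensor version to decide whether step 2 applies. It assumes the Approved List takes SHA-256 and that the sensor appears under the standard Uninstall registry keys with a DisplayName containing "Carbon Black" (an assumed match pattern).

```powershell
# Added example, not part of the original article or of the product.
# Assumptions (labelled): Approved List uses SHA-256; the sensor's
# DisplayName under the Uninstall keys contains "Carbon Black".
function Get-ScriptApprovalInfo {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [version] $FixedSensorVersion = [version]'3.7'   # from the Resolution step
    )

    if (-not (Test-Path -LiteralPath $ScriptPath)) {
        throw "Script not found: $ScriptPath"
    }

    # SHA-256 of the exact file bytes; this is the value for the Approved List.
    $hash = (Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256).Hash

    # Installed sensor version from the Windows Installer Uninstall keys
    # (both native and WOW6432Node views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Assumed name pattern for the sensor entry.
    $sensor = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Carbon Black*' } |
        Select-Object -First 1

    $installed = $null
    if ($sensor -and $sensor.DisplayVersion -match '^\d+(\.\d+)+') {
        # Keep only the numeric part; DisplayVersion may carry a build suffix.
        $installed = [version]$Matches[0]
    }

    [pscustomobject]@{
        ScriptPath      = $ScriptPath
        Sha256          = $hash
        SensorVersion   = $installed
        UpgradeRequired = if ($installed) { $installed -lt $FixedSensorVersion } else { $null }
    }
}

# Usage: Get-ScriptApprovalInfo -ScriptPath 'C:\scripts\file.ps1'
```

If SensorVersion comes back empty, the sensor entry did not match the assumed name pattern; check the Uninstall keys manually before deciding on step 2.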

Additional Notes


Article Information
Creation Date: 08-16-2021