Author Topic: Possible false positive: powershell.exe  (Read 7445 times)

REDACTED

  • Guest
Possible false positive: powershell.exe
« on: October 03, 2017, 01:08:12 PM »
Hello,

I just had Avast pop up saying it had moved powershell.exe into my virus chest because it detected malware. This seemed a little odd to me as Powershell is a built-in feature of Windows 10, so I decided to investigate it further. I uploaded the file listed in my virus chest to Virus Total, which shows the file as clean according to all 64 engines it could check against, including Avast: https://www.virustotal.com/#/file/ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa/detection.

I've also clicked "send to analysis" from within Avast Virus Chest, so I presume that gives the Avast team the file to look at.

I still seem to be able to run the Powershell app, even though it was apparently moved to the virus chest. I don't know how the virus chest works - does it allow files to still be executed but in a sandbox? Are there any negative consequences of running applications from the virus chest?

Is it safe for me to restore this file, given that no virus detection engine (including Avast, according to Virus Total) could find an issue with it?
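Before restoring a quarantined system binary, the check a defender would want is whether the file on disk is the Microsoft-signed original and the same sample the multi-engine scan rated clean. The script below is an added example, not code from the thread; it assumes the default powershell.exe path under System32 (adjust to the path shown in the Virus Chest), takes the SHA-256 from the VirusTotal link in the post, and assumes the genuine binary's Authenticode signer subject contains "CN=Microsoft Windows".

```powershell
# Added example (not from the thread): verify a quarantined powershell.exe before restoring it.
# $Path and the signer-subject pattern are assumptions; $ExpectedSha256 is the hash from the
# VirusTotal link in the original post.
param(
    [string]$Path = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    [string]$ExpectedSha256 = 'ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa'
)

function Test-TrustedSystemBinary {
    param([string]$FilePath, [string]$KnownSha256)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        return [pscustomobject]@{ Path = $FilePath; Verdict = 'missing'; Reason = 'file not present (still in the Virus Chest?)' }
    }

    # 1. Hash: must match the sample that the 64-engine scan rated clean.
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash.ToLowerInvariant()
    $hashMatches = ($hash -eq $KnownSha256.ToLowerInvariant())

    # 2. Authenticode: status must be Valid and the signer must be Microsoft Windows.
    #    Windows 8.1/10 system files may be catalog-signed; Get-AuthenticodeSignature resolves that.
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath
    $signerOk = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -like '*CN=Microsoft Windows*')

    # 3. Location: the genuine binary lives under the Windows directory, not a temp or profile folder.
    $inSystemRoot = $FilePath.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)

    $verdict = if ($hashMatches -and $signerOk -and $inSystemRoot) { 'likely false positive' }
               elseif ($signerOk -and $inSystemRoot) { 'signed Microsoft file, but a different build than the scanned sample' }
               else { 'do NOT restore; investigate the file' }

    [pscustomobject]@{
        Path         = $FilePath
        Sha256       = $hash
        HashMatches  = $hashMatches
        SigStatus    = $sig.Status
        Signer       = $sig.SignerCertificate.Subject
        InSystemRoot = $inSystemRoot
        Verdict      = $verdict
    }
}

Test-TrustedSystemBinary -FilePath $Path -KnownSha256 $ExpectedSha256 | Format-List
```

A hash mismatch with a valid Microsoft signature usually means a different patch level of the same binary, not tampering; an invalid signature or a copy outside the Windows directory is the case worth escalating rather than restoring.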


REDACTED

  • Guest
Re: Possible false positive: powershell.exe
« Reply #1 on: October 03, 2017, 01:14:01 PM »
This may be a related issue. Shortly after Avast moved powershell.exe to the virus chest, I started re-installing Docker for Windows, which had been misbehaving after an update this morning. Avast detected a supposed threat in Docker for Windows, which was installing via a fresh download from the official Docker website (https://docs.docker.com/docker-for-windows/install/#download-docker-for-windows).

I immediately restored the Docker for Windows installer from Avast's Virus Chest but the installer had already failed by that point. Now, when I try to run the installer again I get the following error:

Quote
Access to the path 'C:\Program Files\Docker\Docker\com.docker.service' is denied.

Has Avast just changed permissions on the docker service file and permanently blocked Docker from installing, despite me restoring it from the Virus Chest?

REDACTED

  • Guest
Re: Possible false positive: powershell.exe
« Reply #2 on: October 03, 2017, 01:51:56 PM »
I restarted my PC, disabled Avast for 10 mins and reran the Docker For Windows installer successfully. However, when starting Docker For Windows, it failed again so I tried to submit a crash report. Whilst that was running, Avast again detected powershell.exe as a threat and automatically moved it to the virus chest. I think that's what I was doing the first time Avast detected powershell.exe as a threat - sending a crash report in Docker for Windows.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: Possible false positive: powershell.exe
« Reply #3 on: October 04, 2017, 04:58:57 AM »
You can report a suspected FP here: https://www.avast.com/false-positive-file-form.php
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast useful information (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0