Author Topic: Avast keeps moving PowerShell.exe to the chest even with exclusion  (Read 4873 times)


Offline avast.nospam4sba

  • Newbie
  • *
  • Posts: 18
Hi,

Since yesterday Avast has made Visual Studio Code unusable because its "Behavior Shield" triggers an "IDP.HELU.PSE16 - Fileless malware" -- see screenshot.

Adding an exclusion for C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe doesn't help.

I'll have to live with disabling the "Behavior Shield" for now, but given that PowerShell.exe is a critical part of Windows and of my developer work, I'd like a fix ASAP.
 

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 67305
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Avast keeps moving PowerShell.exe to the chest even with exclusion
« Reply #1 on: March 30, 2019, 08:12:08 AM »
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Win 8.1 [x64] - Avast PremSec 20.9.2433.Beta1 [UI.569] - CC 5.72 - EEK - FF ESR 78.4 [NS/AOS/uBO/PB] - TB 78.3.3 - SB/CP/SL/DU.B
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline avast.nospam4sba

  • Newbie
  • *
  • Posts: 18
Re: Avast keeps moving PowerShell.exe to the chest even with exclusion
« Reply #2 on: March 30, 2019, 08:15:43 AM »
Already done before I posted here. Note that this is a "fileless" FP, IOW Avast doesn't think the file contains malware, but that it behaves strangely.

Offline PDI

  • Avast team
  • Full Member
  • *
  • Posts: 118
Re: Avast keeps moving PowerShell.exe to the chest even with exclusion
« Reply #3 on: March 30, 2019, 09:07:58 AM »
Hi avast.nospam4sba,

please send us the support package https://support.avast.com/en-eu/article/Submit-support-file and post the Ticket ID into this post.

Thanks,
PDI

Offline avast.nospam4sba

  • Newbie
  • *
  • Posts: 18
Re: Avast keeps moving PowerShell.exe to the chest even with exclusion
« Reply #4 on: March 30, 2019, 09:50:47 AM »
The tool fails with "Cannot generate support file, error code: 12002".

Tried a second time, same error.

[Update: could be linked to my Orange Livebox's firewall that IIRC blocks FTP; I've contacted Avast support directly and provided them with the files]
« Last Edit: April 01, 2019, 10:55:11 PM by avast.nospam4sba »

Offline tpnorton

  • Newbie
  • *
  • Posts: 1
Re: Avast keeps moving PowerShell.exe to the chest even with exclusion
« Reply #5 on: March 30, 2019, 01:36:04 PM »
I am seeing the exact same behaviour with Visual Studio Code and PowerShell.exe.

Avast says it's put powershell.exe in the virus vault - but it has not - exclusions don't work either

VSC - becomes unusable

Disabling Behaviour Shield - does "fix" the problem

Offline jnewby72

  • Newbie
  • *
  • Posts: 1
Re: Avast keeps moving PowerShell.exe to the chest even with exclusion
« Reply #6 on: April 02, 2019, 04:29:51 AM »
I can vouch for this behavior as well.

The "offending cmdlet" or script is part of the PowerShell extension for Visual Studio Code.

Thanks,
Jody

Offline LesF

  • Jr. Member
  • **
  • Posts: 26
Re: Avast keeps moving PowerShell.exe to the chest even with exclusion
« Reply #7 on: April 03, 2019, 10:02:43 AM »
It also blocks installation of Visual Studio 2019 Community.
Just what I didn't need, a hung up halfway installation.


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36760
Re: Avast keeps moving PowerShell.exe to the chest even with exclusion
« Reply #8 on: April 03, 2019, 10:29:01 AM »
Quote from LesF: "It also blocks installation of Visual Studio 2019 Community. Just what I didn't need, a hung up halfway installation."
Does Avast give a message? If so, what does it say? ... screenshot



Offline avast.nospam4sba

  • Newbie
  • *
  • Posts: 18
Re: Avast keeps moving PowerShell.exe to the chest even with exclusion
« Reply #9 on: April 03, 2019, 10:22:57 PM »
Avast support reports that the fix was included in VPS version 190402-02.

I'm currently running 190304-4 and can't repro the issue anymore.

Offline Chrispy5

  • Newbie
  • *
  • Posts: 10
Re: Avast keeps moving PowerShell.exe to the chest even with exclusion
« Reply #10 on: May 11, 2019, 07:08:18 PM »
I can confirm that I received the same message (only once) when installing Visual Studio 2019 Community today.
Program version: 19.4.2374
Virus definitions: 190511-2

The difference for me is that the installation didn't stop, but completed successfully!
« Last Edit: May 11, 2019, 07:11:13 PM by chrispy.page »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 67305
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Avast keeps moving PowerShell.exe to the chest even with exclusion
« Reply #11 on: May 11, 2019, 07:10:30 PM »
See Reply #3.

Offline Chrispy5

  • Newbie
  • *
  • Posts: 10
Re: Avast keeps moving PowerShell.exe to the chest even with exclusion
« Reply #12 on: May 11, 2019, 07:50:07 PM »
I'm afraid I can't as my Avast is a free version.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 67305
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Avast keeps moving PowerShell.exe to the chest even with exclusion
« Reply #13 on: May 11, 2019, 07:51:24 PM »
Quote from Chrispy5: "I'm afraid I can't as my Avast is a free version."
Sure you can, follow instructions: https://support.avast.com/article/33/ and post your File-ID here afterwards.

Offline Chrispy5

  • Newbie
  • *
  • Posts: 10
Re: Avast keeps moving PowerShell.exe to the chest even with exclusion
« Reply #14 on: May 11, 2019, 09:25:02 PM »
OK, here goes...

File ID: LVE04

Got confused because it asked me to go to the support portal to get a "Ticket ID".

Hope this helps.