Threat Description: IDP.HELU.PSWM6%s_cmd

[nynjguy]

Hi

We are receiving tons of alerts in the same client with this threat but I image is a false positive, Can you help me to figure it out? I scan system and they are clean, I also use malwarebytes as back up.

Description: The device is infected with a security threat.
Details:
Threat Description: IDP.HELU.PSWM6%s_cmd
Threat Severity: Infection
Threat Shield: Behavior Shield
Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Virus Action: Fix automatically - means try to Repair, if it fails, try to Move to Chest, and if even that fails, delete
Group: Default
Date and Time: 3/3/2020 10:56:29 AM
Notes:
Alert Name: Default

[nynjguy]

Here is the screenshot of the error.

[Pondus]

Report it to avast lab >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

[Chris1038]

HI Nynjguy,

By any chance are you running Nessus (Tennable.IO) agents on your machines as well?

[PDI]

Hi Nynjguy,

could you follow these steps https://support.avast.com/en-us/article/33/ and write the Ticket ID here in the comments?

We cannot really help you when only screen should is provided.

Thanks,
PDI

[nynjguy]

HI Nynjguy,

By any chance are you running Nessus (Tennable.IO) agents on your machines as well?

  Yes we are doing Tenable IO scanning every week, this may be>?

[nynjguy]

Hi Nynjguy,

could you follow these steps https://support.avast.com/en-us/article/33/ and write the Ticket ID here in the comments?

We cannot really help you when only screen should is provided.

Thanks,
PDI

The case number is 10221416

[PDI]

Hi,

we did change the detection and it'd be fixed in the VPS tomorrow.

Regards,
PDI

[Chris1038]

HI Nynjguy,

By any chance are you running Nessus (Tennable.IO) agents on your machines as well?

  Yes we are doing Tenable IO scanning every week, this may be>?

We run the Nessus SCAN Everyday, I've been in touch with them and asked me to enable advanced logging. It is still on my list of things to do. But from the tests that I have done here it does seem the Nessus is causing the issue.

[nynjguy]

HI Nynjguy,

By any chance are you running Nessus (Tennable.IO) agents on your machines as well?

  Yes we are doing Tenable IO scanning every week, this may be>?

We run the Nessus SCAN Everyday, I've been in touch with them and asked me to enable advanced logging. It is still on my list of things to do. But from the tests that I have done here it does seem the Nessus is causing the issue.

Makes sense, I just check and run an Tenable IO agent scan and avast went crazy again, this is getting annoying. Reports powershell.exe or CMD.exe too.

[PDI]

Hi,

please be patient. The fix'd be released today as I wrote yesterday.

Regards,
PDI

[nynjguy]

Hi

Today we start seeing the same error again in all of our system, the fixed did work for a while but just came back.


An Avast Business CloudCare High-Priority Alert Occurred.

Description: The device is infected with a security threat.
Details:
Threat Description: IDP.HELU.PSWM7%s_cmd
Threat Severity: Infection
Threat Shield: Behavior Shield
Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Virus Action: Fix automatically - means try to Repair, if it fails, try to Move to Chest, and if even that fails, delete
Customer:
Group: Default
Device:
Date and Time: 4/14/2020 11:05:38 AM
Notes:
Alert Name: Default

Click here to view this alert in the CloudCare portal.

[PDI]

Hi,

was there any update to the Nessus software?

Thanks,
PDI

[nynjguy]

Not that I'm aware, but is the same thing. Nessus and Tenable IO always uses CMD or Powershell to scan the machines.

I check all the warning is the exact same thing as the one before. Anything you need from us to help out?

[PDI]

Hi,

it's ok for now. I'll let you know when the fix is ready or if we need more information.

Regards,
PDI