Author Topic: Avast detecting Powershell.exe as infected with AmsiEvasion-A


Offline Teddydogno1

  • Newbie
  • Posts: 2
One of my computers rebooted last night with Windows update and when it restarted, Avast immediately detected that C:\windows\system32\WindowsPowershell\v1.0\powershell.exe was infected with SCRIPT:AmsiEvasion-A and tried to move powershell to the Virus Chest.

I can re-trigger this "detection" by just OPENING a Powershell command window. Don't have to run a script or anything. Can't see how this is anything except a FALSE POSITIVE.

What is also interesting is that last week at work, we were seeing Windows Defender also alerting on this same PowerShell.exe in the same path with a similar named threat (MS naming but same "Amsi...").

Anyone else running into this?

Hmm... this happened on my work PC which is also running SentinelOne. My personal PC is running the same version of Avast and also rebooted with updates last night. That PC is NOT detecting Powershell as a threat. SentinelOne is also not detecting any threat on any of these systems.

rob

Offline kwiq

  • Avast team
  • Sr. Member
  • Posts: 254
Re: Avast detecting Powershell.exe as infected with AmsiEvasion-A
« Reply #1 on: June 10, 2021, 09:54:44 AM »
Hi Teddydogno1,
our scanner detected an attempt to disable the AMSI scanner. More details about AMSI evasion can be found here:
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/

PowerShell loads a lot of modules during its start-up. Probably one of them contains code which disables AMSI.
Common PowerShell module locations:
%PROGRAMFILES%\WindowsPowerShell\Modules\
%UserProfile%\Documents\WindowsPowerShell\Modules


I would recommend running a whole computer scan, capturing PowerShell start-up with procmon and sending us the log for analysis.

Download procmon from:
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Capture PowerShell start-up and save the procmon log (menu File -> Save..., all events, native procmon log).
Save the log file as TTeddydogno1_2021_6.zip and upload it to our FTP server for analysis: https://support.avast.com/en-eu/article/FTP-file-upload

Have a nice day !
« Last Edit: June 10, 2021, 09:57:01 AM by kwiq »
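As an added triage aid (not part of the thread and not Avast's or kwiq's code), the following PowerShell script lists the files that are run or loaded when a PowerShell console starts in the locations named in the reply above, so they can be compared against the Load Image and CreateFile events in a procmon capture of the same start-up: the four $PROFILE scripts, module files recently modified under every PSModulePath entry (which includes the two Modules directories listed), and script files that mention AMSI. It assumes Windows PowerShell 5.1 in an elevated console; the 30-day window and the plain substring match are constructed heuristics for manual review, not Avast's detection logic.

```powershell
# Added triage script (not from the thread or from Avast). Run in an elevated
# Windows PowerShell 5.1 console. Assumptions: the 30-day modification window and
# the 'amsi' substring match are review heuristics chosen for this example.

# 1. Profile scripts run on every console start, before any command is typed.
$profilePaths = @(
    $PROFILE.AllUsersAllHosts,
    $PROFILE.AllUsersCurrentHost,
    $PROFILE.CurrentUserAllHosts,
    $PROFILE.CurrentUserCurrentHost
)

# 2. Module directories that auto-loading searches (covers the paths in the reply).
$moduleDirs = $env:PSModulePath -split ';' | Where-Object { $_ -and (Test-Path $_) }

"=== Profile scripts ==="
foreach ($p in $profilePaths) {
    if (Test-Path $p) {
        $item = Get-Item $p
        $hash = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        "{0}`n  modified: {1}  sha256: {2}" -f $p, $item.LastWriteTime, $hash
    } else {
        "$p (absent)"
    }
}

"=== Module files changed in the last 30 days ==="
$cutoff = (Get-Date).AddDays(-30)
$moduleDirs |
  ForEach-Object {
      Get-ChildItem -Path $_ -Recurse -Include *.ps1, *.psm1, *.psd1, *.dll -ErrorAction SilentlyContinue
  } |
  Where-Object { $_.LastWriteTime -gt $cutoff } |
  Sort-Object LastWriteTime -Descending |
  Select-Object FullName, LastWriteTime,
      @{ n = 'SHA256'; e = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } } |
  Format-Table -AutoSize

"=== Script files that mention AMSI (manual review candidates) ==="
# Plain substring match: legitimate modules may also mention AMSI, so this only
# narrows what to read by hand; it is not a verdict.
$scanRoots = @($moduleDirs) + @($profilePaths | Split-Path -Parent | Select-Object -Unique)
$scanRoots |
  ForEach-Object {
      Get-ChildItem -Path $_ -Recurse -Include *.ps1, *.psm1 -ErrorAction SilentlyContinue
  } |
  Select-String -Pattern 'amsi' -SimpleMatch -List |
  Select-Object Path, LineNumber
```

Every file the script lists that also appears in the procmon capture as loaded by powershell.exe before the first prompt is a candidate for the start-up code the scanner is reacting to; the SHA256 values let the files be matched against what Avast reports or quarantines, which is useful given the later remark in this thread that the Virus Chest showed nothing.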

Offline Dan CCI

  • Newbie
  • Posts: 2
Re: Avast detecting Powershell.exe as infected with AmsiEvasion-A
« Reply #2 on: June 10, 2021, 05:16:49 PM »
Hello, I rebooted my PC today after having it up for at least a week... and started receiving the same notification. I'm running Avast Business Antivirus, just checked for the latest engine and definitions, fully updated. I also have SentinelOne agent running alongside Avast, and it's not showing any issues with PS modules being infected. What would you like me to send, and to where?

Side note: Avast forum's verification system is THE WORST I've come across in years. I've had to request other images every time I'm confronted by it, and it's no better on a 2K or 4K display. Yuck!

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Avast detecting Powershell.exe as infected with AmsiEvasion-A
« Reply #3 on: June 11, 2021, 09:28:17 AM »
Side note: Avast forum's verification system is THE WORST I've come across in years. I've had to request other images every time I'm confronted by it, and it's no better on a 2K or 4K display. Yuck!
Captcha is only needed for your first 3 posts. (Spam protection)
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline rocksteady

  • Super Poster
  • Posts: 1541
Re: Avast detecting Powershell.exe as infected with AmsiEvasion-A
« Reply #4 on: June 11, 2021, 10:45:49 AM »
...I'm running Avast Business Antivirus,
Note: There is a separate forum section for Business Product users here: https://forum.avast.com/index.php?board=77.0
But if you are having this same specific problem, I guess you are OK to post here.
« Last Edit: June 11, 2021, 10:47:27 AM by rocksteady »

Offline Teddydogno1

  • Newbie
  • Posts: 2
Re: Avast detecting Powershell.exe as infected with AmsiEvasion-A
« Reply #5 on: June 11, 2021, 05:29:56 PM »
Interesting that SentinelOne is a common factor between my issue and the other poster.

I'll try to get the extra info soon. Thanks.

rob

Offline Dan CCI

  • Newbie
  • Posts: 2
Re: Avast detecting Powershell.exe as infected with AmsiEvasion-A
« Reply #6 on: June 12, 2021, 04:41:03 AM »
That IS interesting re: S1, so I removed it completely from the system, rebooted into Safe Mode, ran cleanup tools for Avast after an uninstall, rebooted again and reinstalled Avast Business... and saw the same issue. Funny that it only flagged it after the latest restart of my computer, so it feels like possibly a Windows update triggered the issue. Uninstalled, ran cleanup again, and installed Bitdefender Endpoint Security, scanned the computer, no issues. Windows Defender: no issues.

It would be nice if Avast was actually putting a file in quarantine like it says it is, but no matter what I found no files stored there, and the web console had nothing to add to this.