Endpoint Protection

  • 1.  Powershell.exe flagged by SEP

    Posted Aug 19, 2019 08:36 AM

    This might be a basic question but I'm not really a security expert. SEP has flagged powershell.exe on a user's computer so they sent me the ticket (I'm desktop support) and I'm not sure if I should worry or what the appropriate action should be. I tried searching on google but didn't find an answer. I copied the notes I have below. Thanks.


    Risk name: SONAR.AM.PS!g1 
    File path: c:\windows\system32\windowspowershell\v1.0\powershell.exe 
    Event time: Aug 13, 2019 11:04:49 AM 
    Database insert time: Aug 16, 2019 3:38:42 PM 
    Source: Heuristic Scan 
    Description: 
    User: SYSTEM 
    Computer: Computername 
    IP Address: xxx.xxx.xx.xxx 
    Domain: Default 
    Server: Server
    Client Group: My Company\AWclients 
    Action taken on risk: Access denied 



  • 2.  RE: Powershell.exe flagged by SEP

    Posted Aug 19, 2019 10:40 AM

    Hi Mr. Hansen,

    Thanks for the post.  My next question would be: what was PowerShell doing that got it blocked?  

    Check the logs to see if it has details. 

    What You Can Do About Powershell Threats
    https://www.symantec.com/connect/articles/what-you-can-do-about-powershell-threats

    If the commands that PS is performing are not ones that are expected, investigate further!
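One way to act on this advice on the affected machine, as an added example that is not from the thread or from Symantec: pull the PowerShell activity logged around the alert's Event time so you can see what was launched. It assumes you run it as an administrator on the flagged computer, the five-minute window is a constructed choice, and Event ID 4104 only appears if script block logging has been enabled by policy.

```powershell
# Added triage example, not part of the original thread.
# Assumption: run locally on the flagged computer with administrative rights.
# The timestamp is the "Event time" from the SEP alert (local time); the window is constructed.
$EventTime = Get-Date -Year 2019 -Month 8 -Day 13 -Hour 11 -Minute 4 -Second 49
$Window    = New-TimeSpan -Minutes 5
$Start     = $EventTime - $Window
$End       = $EventTime + $Window

# 1. Engine start events (Event ID 400 in the classic "Windows PowerShell" log) are written
#    by default and include the launching command line in a "HostApplication=" line.
$engine = Get-WinEvent -FilterHashtable @{
    LogName = 'Windows PowerShell'; Id = 400; StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue   # no error if nothing matched the window

foreach ($e in $engine) {
    # Keep only the HostApplication line from the multi-line message body
    $hostApp = ($e.Message -split "`r?`n" | Where-Object { $_ -match 'HostApplication=' }) -replace '.*HostApplication=', ''
    [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Engine start'; Detail = $hostApp.Trim() }
}

# 2. Script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) shows the
#    code that actually ran, but only when "Turn on PowerShell Script Block Logging" is enabled
#    in Group Policy; otherwise this section simply returns nothing.
$blocks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue

foreach ($b in $blocks) {
    # Properties[2] of a 4104 event is the ScriptBlockText field
    [pscustomobject]@{ Time = $b.TimeCreated; Source = 'Script block'; Detail = $b.Properties[2].Value }
}
```

Compare what the command lines and script blocks show against what the user says they were doing at that time; anything the user does not recognise is the point to escalate rather than just rescan.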



  • 3.  RE: Powershell.exe flagged by SEP

    Posted Aug 21, 2019 04:17 AM

    Hi Mr. Hansen,

    Just a ping to see if you had made any progress?  Please do update the thread when you get the chance.



  • 4.  RE: Powershell.exe flagged by SEP
    Best Answer

    Posted Aug 21, 2019 04:33 AM

    Hi Mr. Hansen


    Technical Description of the detection based on the message you posted would be:
    Symantec heuristic detection was able to detect suspicious launches of the PowerShell.exe process.

    Since SONAR.AM.PS!g1 is a heuristic detection to detect suspicious launches of the PowerShell.exe process. 

    The PowerShell activity that was being performed was not legitimate, or the code had some loophole which caused the application to drift from its baseline functionality.  

    So as to protect from such unknown unintentional breaches, baseline changes are monitored and the threat is marked whenever there is a deviation. 

    In a nutshell: I would suggest the user check if there was something that was not correctly typed in the code, or try running the code from PowerShell ISE line by line.


    Regards, 
    EK



  • 5.  RE: Powershell.exe flagged by SEP

    Posted Aug 21, 2019 08:43 AM

    Thanks for the info, I feel like I understand a bit better now.


    It turns out my responsibility as the desktop guy is just to have the user run a full system scan to make sure nothing is detected. 



  • 6.  RE: Powershell.exe flagged by SEP

    Posted Aug 21, 2019 09:13 AM

    Here's a two minute video which may be useful to those who are reading this thread:

    https://youtu.be/fe5Mbszdu9M