Since 2 weeks or more I get every hour an alert from a powershell that try to execute conhost.exe with always a new ID. It’s starting to get annoying since I don’t find a way to stop it from popping.
Most of this .ps1 are targetting signal-desktop-win-1.5.1.exe with “Get-AuthenticodeSignature” in “C:\Users\AppData\Local\Temp\up-EKoZ0S\signal-desktop-win-1.5.1.exe”.
Is this legit?
If it is the same powershell script you can change the file rating to trusted in the file list, or you can turn off embedded code detection for powershell.
Thanks for the help,
No it’s always a new named script, I posted a random one for example. But since I asked my question here, I don’t have alert popping anymore (for now)! I don’t have rebooted or anything.
I just had to get a new system, reinstalled Comodo (First!) and now I’m getting the same errors.
About every 30 minutes or so, Comodo pops up asking about Powershell script.
I have almost ‘verified’ that Comodo is actually making the scripts, but still not sure.
I have tried blocking, trusting, sandboxing, allowing… nothing works, because a new one is generated.
They are all located here: C:\ProgramData\Comodo\Cis\tempscrpt
Here are all of the scripts. I don’t know why they are out of order, but DOS is crazy that way.
They seem to start the day I installed Comodo:
09/03/2018 05:58 PM 250 C_powershell.exe_02E37BD86906297B556AF396831DD98521DC4630.ps1
09/04/2018 06:00 AM 249 C_powershell.exe_0C72EA6F5B325FD593D57408B19091F0E58AA329.ps1
09/01/2018 12:58 PM 238 C_powershell.exe_1E7DE114EF42066BB14B314A42B6412E876AFD9E.ps1
08/29/2018 12:57 PM 131 C_powershell.exe_1EDB96BD4DB86EFEDA95EAD3BBECBF4AB32FA102.ps1
09/01/2018 09:58 PM 250 C_powershell.exe_2167FA91202836409FD3A6FBD500B3E687CA502A.ps1
09/02/2018 05:58 PM 249 C_powershell.exe_34EFB497022B52791C4B049495320FE0F8B3B4E7.ps1
09/09/2018 09:17 PM 250 C_powershell.exe_3C7419CBD6C07152A9F1EC7D85E2ABF14A2EFFFE.ps1
09/03/2018 11:58 AM 249 C_powershell.exe_59A47EA3B4BDBFBEE2F3FF77D88A362D117348FA.ps1
08/29/2018 12:57 PM 58 C_powershell.exe_5D8019764535E0DD792F0C18F90A89A8C92F26F7.ps1
09/07/2018 03:58 PM 250 C_powershell.exe_5FF3E05F844C68FBE5A3F11C917934A2BCADE781.ps1
09/07/2018 10:58 AM 250 C_powershell.exe_6E0C7AF415B9D2A01C8A8C2D34AE2F283FA23E75.ps1
09/03/2018 10:58 AM 249 C_powershell.exe_7786A466CE2140D87D004C7A5B1EE7358D4ECD64.ps1
09/07/2018 09:58 AM 250 C_powershell.exe_94FACE226726C26C91541A4189718342D1D73B88.ps1
09/03/2018 06:58 PM 250 C_powershell.exe_A1186333843792662F9F08355902DBFACD6ED426.ps1
09/04/2018 02:59 AM 258 C_powershell.exe_A210837F62CB42978817F71DD304812DB8102209.ps1
09/10/2018 09:17 AM 250 C_powershell.exe_ABDBBD9891C9ED17F71D84926B03F2EEF30280B9.ps1
08/31/2018 09:00 PM 136 C_powershell.exe_D315AA066D2736D516432D963BDCA988097C167F.ps1
09/03/2018 08:58 PM 258 C_powershell.exe_E85D1778091013BAE0424DEA997B8898C5ACFFDE.ps1
09/02/2018 02:14 PM 250 C_powershell.exe_ED1A72B292B9F36DC257DFC18598C69735B38593.ps1
Any ideas on fixing this?
| o| _____
| o| / O /
\ o/ O /
You should view the contents of those files to get an idea as to what application might be reason CIS is creating these temporary script files.
Yeah, that would have been the easy thing to do, had I thought of it.
For anyone else, I right-clicked one of the files and clicked Edit (opening in Notepad would work as well).
Guess what? Carbonite Backup is the culprit.
Hopefully this will help others.
Thanks for the push in the right direction, FutureTech!