C_powershell.exe_Always reappears in Blocked/Unrecognised

The same file is blocked on each fresh boot, on multiple PCs which are not connected to the same network: my 2 PCs, and it's also been blocked on my son's PC.

C_powershell.exe_8B7E289409AF8458826730498C384FDA92B60EDC.ps1

I delete the file each time, but on reboot it will be back and blocked again. I have scanned the file in VirusTotal, MalwareBytes Premium, and obviously Comodo; it always comes back clean.

Should I unblock it for components, will that be OK, or is there another option for it?

I hate checking my Comodo and always seeing a blocked/unrecognised file.

In order to see what it is, go into:

C:\ProgramData\Comodo\Cis\tempscrpt

Then find the .ps1 file, open it with Notepad, and copy and paste the script here. Note that you may find that you have two .ps1 files (just a random guess, but if you are running W11 24H2, they may refer to WMIC).

```powershell
-ExecutionPolicy Restricted -Command
$Res = 0
# Query the optional WMIC capability on the running OS
$WMICFeature = Get-WindowsCapability -Online -Name 'WMIC~~~~'
if ($WMICFeature -and $WMICFeature.State -eq 'Installed') {
    $Res = 1
}
```

Thanks for the reply; above is all the text in the file.

1 Like
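If you want to look at what Comodo has staged before deciding whether to trust it, the following PowerShell snippet (an added example, not from this thread or from Comodo) lists every .ps1 in the tempscrpt folder named above, recomputes its SHA1 (the 40-hex-character part of the file name looks like a SHA1, so matching it is an assumption you can verify), and flags lines that download or decode content rather than just checking a local setting. The pattern list is assumed for illustration.

```powershell
# Added example, not from the forum thread or from Comodo.
# Triage the scripts Comodo stages in its tempscrpt folder before trusting them.
$ScriptDir = 'C:\ProgramData\Comodo\Cis\tempscrpt'   # path given in the thread

# Assumed indicator list: things a "check if a feature is installed" script
# has no reason to do. Extend to taste.
$SuspiciousPatterns = @(
    'Invoke-WebRequest', 'Invoke-RestMethod', 'DownloadString', 'DownloadFile',
    'Net\.WebClient', 'Start-BitsTransfer', 'FromBase64String',
    '-EncodedCommand', '\bIEX\b', 'Invoke-Expression'
)

function Get-TempScriptReport {
    param([string]$Path = $ScriptDir)

    foreach ($file in Get-ChildItem -Path $Path -Filter '*.ps1' -File -ErrorAction Stop) {
        $text  = Get-Content -Path $file.FullName -Raw
        $lines = $text -split "`r?`n"

        # Assumption: the hash in the staged file name is SHA1 of the contents;
        # recompute it so the name can be checked and the hash looked up.
        $sha1 = (Get-FileHash -Path $file.FullName -Algorithm SHA1).Hash

        $hits = foreach ($p in $SuspiciousPatterns) {
            if ($text -match $p) { $p }
        }

        [pscustomobject]@{
            Name    = $file.Name
            SHA1    = $sha1
            Lines   = $lines.Count
            Suspect = (@($hits) -join ', ')
            Preview = (($lines | Select-Object -First 5) -join ' | ')
        }
    }
}

Get-TempScriptReport | Format-List
```

Run it from an elevated PowerShell prompt; the folder is under ProgramData and may not be readable otherwise. An empty Suspect field plus a few lines of Get-WindowsCapability, as in the script pasted above, is what a harmless feature check looks like.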

Short answer: it's a legit PowerShell script that Windows runs. You can change it to trusted and shouldn't be troubled again.

Longer answer: WMIC (Windows Management Instrumentation) is being discontinued in Windows, but for whatever Microsofty reason that script still runs to see if it is installed or not. The reason why it is being dc'd in favor of PowerShell is that it isn't essential anymore AND it can be exploited by malware writers (it's a LoLbin).

For fun you can exploit it yourself easily and safely:
1) Copy this into Notepad and save it as exploit.bat

```bat
@echo off
REM WQL string literals need backslashes doubled, and the quotes must be plain ASCII
wmic.exe datafile where "Name='C:\\windows\\system32\\notepad.exe'" call Copy "C:\\users\\public\\notepad.exe"
```

Now, WITH CONTAINMENT ENABLED, run the file, then look in your C:\users\public directory. You should just see sub-directories.

Now turn OFF Containment and run the batch file again, then look in the C:\users\public directory. See what's in there now?

Although the above exploit is totally safe, a script of this sort can add further commands (certainly not by me, being kind and gentle) to connect out to a malicious server and download and copy any file (like malware) somewhere on your system, which is not good at all.

Note also that if you send the script that you created to VirusTotal (MD5: 858af1ff93d1d9cc1f8f0b90c6c32e32), it will show up as clean. Comodo, however, realizes that this acts like a potential nasty LoLbin and will contain it, another strength that Comodo has over other anti-malware applications that is rarely (if ever) discussed.

3 Likes
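Containment is one answer; the other is to notice when wmic.exe is used as a file-copy LoLbin at all. The snippet below is an added example (not from this thread, not Comodo's logic) that matches the "datafile ... call copy" shape of the batch file above against process command lines. The sample command lines are constructed for illustration; the optional live check reads Security event 4688, whose CommandLine field is only populated when "Include command line in process creation events" auditing is enabled, and the Properties[8] index is the standard position of that field in 4688.

```powershell
# Added example, not from the forum thread or from Comodo.
# Flag wmic.exe being used to copy files, the LoLbin pattern shown in exploit.bat.

# Constructed sample command lines, as they would appear in a 4688 event.
$SampleCommandLines = @(
    'wmic.exe datafile where "Name=''C:\\windows\\system32\\notepad.exe''" call Copy "C:\\users\\public\\notepad.exe"',
    'wmic.exe os get caption,version',
    'WMIC  DATAFILE WHERE name="c:\\temp\\tool.exe" CALL COPY "c:\\users\\public\\tool.exe"',
    'powershell.exe -ExecutionPolicy Restricted -Command $Res = 0',
    'cmd.exe /c copy C:\windows\system32\notepad.exe C:\users\public\'
)

function Test-WmicDatafileCopy {
    param([Parameter(Mandatory)][string]$CommandLine)
    # -match is case-insensitive by default; tolerate extra whitespace and
    # the .exe suffix being present or absent.
    return [bool]($CommandLine -match '\bwmic(\.exe)?\b.*\bdatafile\b.*\bcall\s+copy\b')
}

function Get-WmicCopyAlerts {
    param([string[]]$CommandLines)
    foreach ($cl in $CommandLines) {
        if (Test-WmicDatafileCopy -CommandLine $cl) {
            [pscustomobject]@{ Alert = 'wmic datafile copy (LoLbin)'; CommandLine = $cl }
        }
    }
}

# Optional live check against the Security log (needs admin and command-line
# auditing enabled). Properties[8] is the CommandLine field of event 4688.
function Get-WmicCopyAlertsFromEventLog {
    param([int]$MaxEvents = 2000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $cmdLines = foreach ($e in $events) {
        if ($e.Properties.Count -gt 8) { [string]$e.Properties[8].Value }
    }
    Get-WmicCopyAlerts -CommandLines $cmdLines
}

# On the constructed sample, the first and third lines are flagged.
Get-WmicCopyAlerts -CommandLines $SampleCommandLines | Format-Table -AutoSize
```

The plain `cmd.exe /c copy` line is deliberately not flagged: the point of the rule is the indirection through wmic, which is what lets a script dodge simple "copy" signatures and what Comodo's containment catches.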

I get them regularly with my Lenovo OEM software running background health and update checks, so I can either add that executable to exploit exclusions in Miscellaneous or just keep whitelisting. I prefer doing the latter, and I can always check them manually anyway.

1 Like

Thanks for the replies. So if I just unblock it for the components shown in the "Blocked by" column, that will be it done, and no more of it reappearing as blocked, right? And it's totally harmless?