Hello
yesterday i got a windows update
today after starting the PC i got a notification about an application contained:C_powershell.exe______ .ps1
i opened the file in notepad and got: -ExecutionPolicy Restricted -Command Write-Host ‘Final result: 1’;
any idea what it is?:
-can i remove it from the blocked application,since if it’s a windows component,i don’t want to restrict it.
there is another powershell file in the comodo’s tempscrpt folder,but it didn’t get blocked/run virtually:
(-ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden “& C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client”)
i have auto-containement enabled and HIPS disabled
What you are seeing is Embedded Code Detection feature in action, you can safely delete the contents of the ‘tempscrpt’ folder since they are essentially Fileless Scripts turned into files by Embedded Code Detection.
About Windows Update, Comodo enables Embedded Code Detection by default for powershell.exe, if it would cause any problem with Windows Update I don’t think they would leave that setting enabled by default, there is no need to worry if Powershell Scripts get blocked during Windows Updates.
i don’t know if it’s related to windows update,
but since i had one yesterday i thought it might be related,and i only got the notification about the application contained today(a day after).
and since C_powershell.exe .ps1 got contained,there might be a good reason for it.(when looking up on google i saw there was a powersell.exe malware(fileless exploits).
so what you’re saying is that i can delete the content of tmpscrpt folder and/or remove it from the blocked application and that’s it?
how can i see the origin of why this script was created;
in this thread for example https://forums.comodo.com/
the person managed to track it to a certain software, but all i get buy opening it in note pad or PS is -ExecutionPolicy Restricted -Command Write-Host ‘Final result: 1’; as stated above.
Either delete the files from the ‘tempscrpt’ folder or open the Blocked Applications list and press Remove.
Here is a explanation on the WriteHost powershell command.
There is also this interesting thread about a similar issue made by a Reddit user.
You’re welcome, actually my knowledge on Powershell stuff is limited so I invite anyone with knowledge on Powershell to share your thoughts here. Also according to the user in this post seems this Powershell Script is started by CompatTelRunner.exe which is a legitimate Windows application, by checking Windows Event Logs you will probably discover what app started this script.
i looked in the event viewer in the PS section and others,and didn’t see something odd looking in the time it occurred.
(as far as i understand and know what and where to look for).