Comodo just gave me an HIPS alert on a file called: C_powershell.exe_E3B5D353AF2971C75A14B8580A0BB30D51DC801F.ps1.
This concerns me because its very name screams malicious.
The alert was as follows: "C_powershell.exe_E3B5D353AF2971C75A14B8580A0BB30D51DC801F.ps1 is trying to execute conhost.exe".
It had the following advice: “conhost.exe is a safe executable. However the parent application C_powershell.exe_E3B5D353AF2971C75A14B8580A0BB30D51DC801F.ps1 could not be recognized. Once the application is executed, its parent will have the full control over its execution. If C_powershell.exe_E3B5D353AF2971C75A14B8580A0BB30D51DC801F.ps1 is one of your everyday applications, you can safely allow this request.”
Upon checking, I see that the file is located in C:\ProgramData\Comodo\Cis\tempscrpt. Although I can't find this folder or file on my computer, it seems to be stored in one of Comodo's own folders. So is Comodo reporting one of its own files as potentially malicious, or simply unknown?
I’ve also checked some websites, and I’m concerned that this file can be malware and could be dangerous.
Does anyone have any opinions on this? Would love to hear some feedback from Comodo. Should I try to remove it? If yes, how?
The ProgramData folder is a hidden folder by default, so you would need to change folder options to show hidden files and folders. What you are seeing is the embedded-code detection feature, which means an application was trying to execute PowerShell commands and it was turned into a PowerShell script file, so it can be monitored like other script files.
We are aware of this issue and the team is working on it.
For the time being you can just disable embedded-code detection for PowerShell in order to avoid the popup.
Kindly report back if you have any other issues.
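Added example, not code from Comodo or from either poster: before allowing or blocking the alert, it is worth reading the command that the embedded-code detection actually captured, since the .ps1 in tempscrpt is the command line some application handed to powershell.exe, and the alert names that application only as an unrecognised "parent". The script below lists the captured files (the folder is hidden, hence -Force), dumps their contents with a rough keyword triage, and shows which processes currently have powershell.exe as a child so you can see what "everyday application" is behind it. The path is the one named in the thread; the keyword list, the function names, and the guess that the 40-hex suffix in the filename is a SHA-1 of the content (the script simply tests that guess and reports the result) are all assumptions.

```powershell
# Added example (not Comodo's code): inspect scripts written by Comodo's
# embedded-code detection. Run in an elevated PowerShell prompt.
# Only the path comes from the thread; everything else is an assumption.
$TempScriptDir = 'C:\ProgramData\Comodo\Cis\tempscrpt'

function Get-CapturedScript {
    param([string]$Dir = $TempScriptDir)
    # -Force is needed because ProgramData is a hidden folder by default.
    Get-ChildItem -LiteralPath $Dir -Force -File -Filter '*.ps1' -ErrorAction Stop |
        ForEach-Object {
            $content = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
            $sha1    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
            # Assumption under test: the 40-hex suffix may be a SHA-1 of the content.
            # Nothing in the thread says so; we just compare and report.
            $suffix = if ($_.BaseName -match '_([0-9A-Fa-f]{40})$') { $Matches[1] } else { $null }
            [pscustomobject]@{
                Name         = $_.Name
                LastWrite    = $_.LastWriteTime
                SizeBytes    = $_.Length
                SHA1         = $sha1
                SuffixIsSHA1 = [bool]($suffix -and ($suffix -ieq $sha1))
                Content      = $content
            }
        }
}

function Test-SuspiciousPowerShell {
    # Crude triage only: common download-and-execute / obfuscation markers.
    # A hit means "read this carefully", not "malware"; no hit means nothing.
    param([AllowEmptyString()][string]$Script)
    $patterns = @(
        '-EncodedCommand', '-e(nc|c)?\s+[A-Za-z0-9+/=]{20,}', 'FromBase64String',
        'DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'Net\.WebClient',
        '\bIEX\b', 'Invoke-Expression', '-WindowStyle\s+Hidden', '-ExecutionPolicy\s+Bypass'
    )
    $hits = @($patterns | Where-Object { $Script -match $_ })
    [pscustomobject]@{ Suspicious = ($hits.Count -gt 0); Matched = $hits }
}

function Get-PowerShellParent {
    # Which processes currently have powershell.exe as a child, and what command
    # line they passed. Comodo's alert names the parent but not its command line.
    Get-CimInstance Win32_Process -Filter "Name='powershell.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
        [pscustomobject]@{
            PowerShellPid = $_.ProcessId
            ParentPid     = $_.ParentProcessId
            ParentName    = $parent.Name
            ParentPath    = $parent.ExecutablePath
            CommandLine   = $_.CommandLine
        }
    }
}

try {
    $scripts = @(Get-CapturedScript)
} catch {
    Write-Warning "Cannot read $TempScriptDir : $($_.Exception.Message)"
    $scripts = @()
}

if ($scripts.Count -eq 0) {
    Write-Host "No captured .ps1 files in $TempScriptDir"
}
foreach ($s in $scripts) {
    $verdict = Test-SuspiciousPowerShell -Script ([string]$s.Content)
    Write-Host ("=== {0}  ({1} bytes, written {2})" -f $s.Name, $s.SizeBytes, $s.LastWrite)
    Write-Host ("SHA1: {0}   name suffix matches SHA1: {1}" -f $s.SHA1, $s.SuffixIsSHA1)
    Write-Host ("Triage: {0}  {1}" -f $(if ($verdict.Suspicious) { 'REVIEW' } else { 'no markers' }),
                                     ($verdict.Matched -join ', '))
    Write-Host '--- captured command ---'
    Write-Host $s.Content
}

Write-Host '=== processes that currently own a powershell.exe ==='
Get-PowerShellParent | Format-Table -AutoSize -Wrap
```

The captured command is the thing to read: a one-liner such as a vendor updater querying WMI is what the "everyday application" case looks like, while an encoded or downloading command from a parent you do not recognise is a reason to block rather than to disable the detection. Disabling embedded-code detection, as suggested above, silences the popup for every application, so the inspection is worth doing first.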