PowerShell exploit

Since this morning, on about 90 clients I have this issue:
WatchGuard EPDR has detected the activity of an exploit that compromised the following program: "SYSTEM|\WindowsPowerShell\v1.0\powershell.exe",
Path of the compromised program: SYSTEM|\WindowsPowerShell\v1.0\powershell.exe
Hash of the compromised program: 2E5A8590CF6848968FC23DE3FA1E25F1

False positive or what? Any ideas?

Comments

  • Hi,

    Same problem here on 80 computers.

    Any news?

    Regards,

    Patrice

  • The exploit reported is "Exploit/NetReflectiveLoader" on powershell.exe

  • @SiSma: are you using Intune or Microsoft Defender?

  • edited November 28

    @Patrice_LT said:
    @SiSma: are you using Intune or Microsoft Defender?

    Yes, Defender... you too?

  • David_Carro WatchGuard Representative

    The solution to the anti-exploit detection of the Defender file has already been deployed.
    They should stop giving this message as soon as they get the update.

    Sorry for the inconvenience.


    David Carro | Technical support
    WatchGuard Technologies, Inc. | www.watchguard.com

  • Same problem with our users also, any idea to resolve?

  • David_Carro WatchGuard Representative

    Hello, @Rakesh_Mishra

    The solution to the anti-exploit detection of the Defender file was already deployed last Thursday the 28th.
    Probably this device has just been started today, since last Thursday.
    Let it update, the detection will stop.


    David Carro | Technical support
    WatchGuard Technologies, Inc. | www.watchguard.com
