Malicious Program temp file from Powershell

I keep getting alerts about a malicious program named W32/Exploit.gen. These tmp files are created by a legit program that uses Powershell. They all have something in common: the first part of the file name is 489314D86C55A948A225789DB7A93229_ with random characters for the rest of it. I tried creating a software exception for this, selecting filename and putting the first part of the file name with a * at the end. But I keep getting the warnings. Anyone have a clue?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @kcarpenter
    If the exception isn't working, it's likely being picked up as a false positive. I'd suggest creating a support case so that we can assist and take a look at your logs (please don't post those logs here as they may contain personally identifiable info.)

    You can create a case by using the support center link at the top right of the page.

    -James Carson
    WatchGuard Customer Support

  • David_Carro WatchGuard Representative

    Hi, @kcarpenter.
    Normally this tmp file is created by us in order to generate a contextual detection. It is called a dummy file to make the AV detect something through ourselves. (hope that makes sense)
    Probably it is some call for an unwanted and "un-liked" procedure, and we are stopping the call.
    As @james.carson says, a case needs to be opened with support so that the backend can check the exact issue. In order to speed up the process, you can send a psinfo and the local detection log, as that is something we would need to identify the device and the detection.
    Simply collect the info and upload it (or attach it) along with your initial email:

    Saving the local detection log from a computer.

    Please follow these instructions directly on the affected computer

    • Double click on the Panda head icon located on the notifications area near the clock on the affected computer
    • Click on the area that shows the number of files blocked and files in quarantine.
    • Click on "View full report"
    • Click the "Folder" icon located on the top right next to the Printer icon.
    • Select a location and file name.

    We will need a copy of that file and the following report

    PSINFO

    Please generate the following information report from the computer with the issue

    • Download the following data collection tool: https://www.pandasecurity.com/psinfo
    • Double click on the downloaded compressPsInfo.zip file and then launch psinfo.exe.
    • Accept the license agreement.
    • Select the proper Product on the drop down (Aether).
    • Enter a description for the issue on the Problem field. If you already have a case number please start the problem description with it.
    • Enter your email address on the Contact information field.
    • Mark the box Do not send, save local to have the log saved on your computer so that it can be emailed back to us.
    • Click Start to begin the data collection process. The tool will disappear while it collects information.

    Eventually you will see a pop up letting you know that it's done and the location the file was saved.
    The format of the file name will be: COMPUTERNAME_[DATE-TIME]_PSInfo.7z

    We will need the resulting .7z file

    Long response, but will save time looking for the answer.

    David


    David Carro | Technical support
    WatchGuard Technologies, Inc. | www.watchguard.com

  • Yes, it was the AV itself creating the file. What is VERY bothersome is the fact there is no log telling me what program is having the issues. It tells support, but not me. It's very annoying to have to contact support to figure out what program is causing the issue. Logging seems to be missing from this product. I can't even install it on another machine because it detects another AV client. But it doesn't say what product. And I have removed everything I can find. Still says it. Is it really that hard to tell us what the exact issue is? Another support request I guess.

  • Carmen_Gomez WatchGuard Representative
    edited July 2022

    Hi @kcarpenter
    If that temporary file has been created, one more detection should appear on the console or in the local antivirus report on the computer itself, but it may have come out in previous days.

    Regarding the installation problem on the other computer, check whether the web console shows which the other antivirus is. If it does not show up, we will need you to report the incident to technical support with a Psinfo from the computer reproducing the installation issue, to try to locate what that other protection is that the installation process is detecting.

    Regards,
    Carmen

    Carmen Gomez | Technical support
    WatchGuard Technologies, Inc. | www.watchguard.com