Avast keeps moving PowerShell.exe to the chest even with exclusion

Hi,

Since yesterday Avast has made Visual Studio Code unusable because its “Behavior Shield” triggers an “IDP.HELU.PSE16 - Fileless malware” – see screenshot.

Adding an exclusion for C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe doesn’t help.

I’ll have to live with disabling the “Behavior Shield” for now, but given that PowerShell.exe is a critical part of Windows and of my developer work, I’d like a fix ASAP.

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php

Already done before I posted here. Note that this is a “fileless” FP, IOW Avast doesn’t think the file contains malware, but that it behaves strangely.

Hi avast.nospam4sba,

Please send us the support package https://support.avast.com/en-eu/article/Submit-support-file and post the Ticket ID into this post.

Thanks,
PDI

The tool fails with “Cannot generate support file, error code: 12002”.

Tried a second time, same error.

[Update: could be linked to my Orange Livebox’s firewall that IIRC blocks FTP; I’ve contacted Avast support directly and provided them with the files]

I am seeing the exact same behaviour with Visual Studio Code and Powershell.exe.

Avast says it’s put powershell.exe in the virus vault - but it has not - exclusions don’t work either

VSC - becomes unusable

Disabling Behaviour Shield - does “fix” the problem

I can vouch for this behavior as well.

The “offending cmdlet” or script is part of the powershell extension for Visual Studio Code.

Thanks,
Jody

It also blocks installation of Visual Studio 2019 Community.
Just what I didn’t need, a hung-up, halfway installation.

Does avast give a message, if so what does it say? … screenshot

Avast support reports that the fix was included in VPS version 190402-02.

I’m currently running 190304-4 and can’t repro the issue anymore.

I can confirm that I received the same message (only once) when installing Visual Studio 2019 Community today.
Program version: 19.4.2374
Virus definitions: 190511-2

The difference for me is that the installation didn’t stop, but completed successfully!

See Reply #3.

I’m afraid I can’t as my Avast is a free version.

Sure you can, follow instructions: https://support.avast.com/article/33/ and post your File-ID here afterwards.

OK, here goes…

File ID: LVE04

Got confused because it asked me to go to the support portal to get a “Ticket ID”.

Hope this helps.

Hi

Has anyone solved this problem yet?

I’ve a PowerShell script in which I have to store a password (I know this is unsafe, but there is no way around it). For this reason I am obfuscating it, for at least a minimum of security. Additionally, I have to make a workaround by calling it from a batch script, otherwise it doesn’t work correctly.

And sometimes if the script gets run, avast says that powershell.exe has been moved to virus container. I’ve already set exclusions for the scripts and the powershell file, but avast seems to constantly ignore this. And also if I’m looking into the virus chest, there is no new file, but powershell doesn’t work any more until I reboot my system.

So is there any way to tell Avast to leave my files alone except disabling Behaviour Shield? I’d really like to avoid that.

Thanks for your help :)

Greetings
WhiteHat