Does Avast use Powershell (or why is it always starting?)

Hello,

I should start by saying that I always keep Windows’ Task Manager and Resource Monitor open as soon as I start my PC, so I can see suspicious processes & connections immediately, and to get a feeling for which processes are “normal” etc.

I’ve been doing that for months already, but only about 2 weeks ago Windows’ PowerShell suddenly started to be automatically executed exactly 20 minutes after I turn on my PC, every time (seems to be a scheduled task), and after that keeps being executed at certain intervals. It’s not visible on the desktop, and only sometimes visible in Task Manager for a split second, but Resource Monitor shows what files it accesses for about half a minute or so.

Of course that really worried me because it had never happened before and could be caused by all kinds of things, but since I saw the PowerShell access some Avast .dll & .log files, I thought it may be a new Avast function or something, so I came here to ask if that is the case. Here you can see some of the files that are being accessed, Avast files highlighted: https://i.imgur.com/VUUF96b.png

So is that actually an Avast (or Windows?) function, or do I need to be worried?

Hi Weiku,
It is a property of Windows which loads AMSI (antimalware scan protection, aswAMSI.dll) into script processes like powershell.exe, wscript.exe, cscript.exe, etc.
For more details see https://docs.microsoft.com/en-us/windows/desktop/amsi/antimalware-scan-interface-portal

As you described, it seems to be a task which starts on every PC boot.
You can try to open Task Scheduler and find it (https://www.digitalcitizen.life/ways-start-task-scheduler-windows) or via the PowerShell Get-ScheduledTask cmdlet.
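The reply above points at Get-ScheduledTask. Below is an added example (not from the thread, not Avast's or Microsoft's code) that uses it to list every scheduled task whose action launches powershell.exe, together with the script arguments, the trigger and its repetition interval, the account it runs as and the last/next run time. It assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later, where the ScheduledTasks module ships in-box; some tasks under \Microsoft\Windows\ are not listed for a standard user.

```powershell
# Added example (not from the thread): enumerate scheduled tasks that run powershell.exe
# and show what they execute and how often. Run from an elevated prompt.

$psTasks = Get-ScheduledTask | Where-Object {
    # Execute is the program path, e.g. %windir%\system32\WindowsPowerShell\v1.0\powershell.exe
    $_.Actions | Where-Object { $_.Execute -match 'powershell(\.exe)?"?$' }
}

$report = foreach ($task in $psTasks) {
    $info = $task | Get-ScheduledTaskInfo

    # Triggers are CIM instances (MSFT_TaskDailyTrigger, MSFT_TaskBootTrigger, ...).
    # A Repetition block with an Interval such as PT20M is what produces a run every
    # 20 minutes on top of the daily/boot trigger.
    $triggers = foreach ($trg in $task.Triggers) {
        $kind = $trg.CimClass.CimClassName -replace '^MSFT_Task', ''
        if ($trg.Repetition.Interval) {
            "$kind every $($trg.Repetition.Interval) for $($trg.Repetition.Duration)"
        } else {
            $kind
        }
    }

    $action = $task.Actions |
        Where-Object { $_.Execute -match 'powershell' } |
        Select-Object -First 1

    [pscustomobject]@{
        Task        = "$($task.TaskPath)$($task.TaskName)"
        State       = $task.State
        RunsAs      = $task.Principal.UserId
        Arguments   = $action.Arguments
        Triggers    = $triggers -join '; '
        LastRunTime = $info.LastRunTime
        LastResult  = $info.LastTaskResult   # 0 = last run succeeded
        NextRunTime = $info.NextRunTime
    }
}

# Worth a second look in this list: a task outside \Microsoft\Windows\, a script path
# under a user profile or %TEMP%, or an encoded command (-EncodedCommand / -enc).
$report | Sort-Object LastRunTime -Descending | Format-List
```

Most rows in the output on a stock Windows 10 install will sit under \Microsoft\Windows\ and point at scripts under %windir%\system32; the task path, the script location and the repetition interval are the three fields that distinguish a built-in maintenance task from persistence someone planted.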

I think I found the scheduled task that causes this, it seems to be Microsoft\Windows\SMB\UninstallSMB1ClientTask, since that one actually does start a PowerShell and shows that it has run every 20 minutes, which matches what I always see in Resource Monitor (even though it’s not always visible every 20 minutes there).

What I don’t understand is, if that’s actually some kind of “uninstall” thing for SMB1, why does it have to run daily and every 20 minutes? That doesn’t make much sense to me. Does anyone have any info on that?

The additional “arguments” of that scheduled task say: -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& %windir%\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"

SMB1 is actually a security risk and should be unchecked. This should help you do exactly that:

https://screencast-o-matic.com/screenshots/u/Lh/1532647703003-88342.png

Hi Weiku,
I agree with bob3160 to remove the SMB1 feature; SMB1 has a severe security bug used, for example, by the WannaCry ransomware!

Strange that this is a default setting on a fully up-to-date version of Win10 Home 64-bit; if it is such a risk, surely Microsoft should have disabled it?

Or make sure you have applied this patch https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

Microsoft even stated that if you’re using the latest version, this SMB1 would already be unchecked. It was not. I unchecked it manually.
As kwiq stated, MS has released a patch that fixes the vulnerability. All you need to do is apply the patch. :slight_smile:

Thanks for the link. Strange that on my Win10 laptop, which has supposedly had all of the program updates and the Patch Tuesday updates, this SMB was still present.

I manually removed it using Programs and Features > Turn Windows features on or off, as in Bob’s image, and it required a reboot afterwards.

Looking at the security bulletin from 10/11/2017, it doesn’t mention Windows version 1803 as that wasn’t out then. The latest version listed in the bulletin for Win10 64-bit was ‘Windows 10 Version 1607 for x64-based Systems.’ The Win 10 Creators Update, Windows version 1703, came after that, plus version 1709, plus version 1803, all very large Windows program updates, yet this setting survived that.

So I don’t know if running that old security update retrospectively would be wise on a later Windows 10 version?
As in, could it have an unforeseen impact on anything else that might be reverted?

Or would the manual removal using Programs and Features > Turn Windows features on or off be sufficient, certainly for this vulnerability?
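The posts above do the removal through the "Turn Windows features on or off" dialog and then wonder how to confirm the result. Below is an added example (not from the thread, not Microsoft's or Avast's code) that does the same check, disable and verify from PowerShell. It assumes an elevated prompt on Windows 10 with the in-box DISM and SmbShare modules; the optional-feature change is the same switch as the dialog and only completes after a reboot.

```powershell
# Added example (not from the thread): check SMB1 state, disable it, verify after reboot.
# Run from an elevated PowerShell prompt on Windows 10.

# 1. Is the SMB1 optional feature installed? State is Enabled, Disabled or
#    DisabledWithPayloadRemoved; the sub-features split client and server parts.
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'SMB1Protocol*' |
    Select-Object FeatureName, State

# 2. Independently of the feature, will the SMB server still negotiate the SMB1 dialect?
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# 3. Turn both off. -NoRestart defers the reboot; until it happens the feature binaries
#    are still present, so the change is not complete yet.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 4. After the reboot, verify rather than trust: feature Disabled, server switch $false,
#    and no 1.x dialect on the connections this machine has open to other servers.
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object FeatureName, State
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
# A Dialect of 1.x here means an old server (NAS, printer, legacy share) you still
# depend on; that is the only reason to keep the SMB1 client part around.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect
```

This verifies the feature and server configuration, which is the question the post asks; it says nothing about whether the MS17-010 fix itself is installed, which on Windows 10 is carried by the cumulative updates rather than a separate package you run by hand.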

Turning the feature OFF makes you safe (for this vulnerability). If it didn’t I wouldn’t be spreading that information during my presentations. :slight_smile:

I have no problem with having done the manual side of it, removing the feature as in your image.

I just didn’t want to run an OLD security bulletin when there have been two or more major program updates since then, and how this might impact a later program version already updated. We don’t know exactly what Microsoft might have done in this security bulletin (other than what we did manually); we are meant to trust them.

They, Microsoft, have said it should have removed/unchecked the SMB feature, yet both you and I have found that it is/was still enabled; trust is a double-edged sword.

Always follow Trust with Verify. :slight_smile:
It’s a good rule to follow if you don’t want to get burned.

Since the Windows 10 Fall Creators Update, the SMB1 feature is not installed by default.

Unless you are doing a clean install, it’s still there even on the latest release.

You are correct. Most people update and in that case, that feature is still there and needs to be disabled.

Thanks Bob. I checked here and used Trust and Verify. :wink: Good security practice.

Found to be unchecked and not an installed feature. Didn’t have to do anything here.

I didn’t have a clean 1803 install, it was upgraded from 1709, and yes, this SMB1 feature was also activated for me; I just disabled it. I have no idea if that will stop the PowerShell stuff, I’ll let you know when I find out. However, the second entry on bob3160’s image (“SMB Direct”) is also enabled; it says it’s for SMB 3.x. Should I disable that too or is it necessary for certain things to function? On Bob’s image it’s also disabled.

Read this: https://virtualizationreview.com/articles/2015/09/16/using-smb-direct-in-the-real-world.aspx
I don’t use virtualization so I probably don’t need it checked.