I have about 15 computers in an office and 8 of them have been blocking PowerShell and showing those 2 hits: IDP.HELU.PSS17 - File-less malware and IDP.HELU.PLN35 - File-less malware. Both hits were blocked by the behavior shield. I have Malwarebytes business suite, and on one of those PCs, Malwarebytes Anti-Ransomware popped up yesterday and said it blocked HxTsr.exe from running, which after some research is a normal Outlook file, but it can become compromised. Does anyone have any suggestions as to what I should do to mitigate any more risk of attacks?
Have you tested HxTsr.exe at www.virustotal.com?
It’s clean. Any thoughts on the fileless malware? Sometimes Avast is flagging it at 1 or 2 am, but other times it’s at 9 or 10 am.
Run an FRST scan on one of the affected systems. Fileless malware uses Windows files to its own benefit.
Do you guys have an internal IT department that can handle this?
I am the IT department ;D. I have an outside IT firm I can contact for some support, I just like to exhaust all roads before I contact them. I have attached the logs.
The mentioned HELU detections are most probably really true positive detections, and you have been protected against PowerSniff and Poweliks. If you are convinced that the HELU detections are false positives, we would like to see the PowerShell command line leading to the detection.
If you are unable to get to the command line, please send me the first and last block from the GUID parameter in c:\program files\avast software\avast\setup\setup.ini
Thank You.
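One way to recover the PowerShell command line that a behavior-shield hit refers to is to pull PowerShell activity from the Windows event logs around the alert time. This is an added example, not code from the thread or from Avast; it assumes script block logging (event 4104) and process-creation auditing with command line (Security event 4688) are enabled, and that $DetectionTime is the timestamp shown in the alert.

```powershell
# Added example: collect PowerShell script blocks (4104) and powershell.exe
# process creations (4688) in a window around an Avast detection, then flag
# the tells common to fileless loaders. Assumes both audit sources are enabled.
param(
    [datetime]$DetectionTime = (Get-Date),   # time shown in the Avast alert
    [int]$WindowMinutes = 10                  # minutes before/after to search
)
$start = $DetectionTime.AddMinutes(-$WindowMinutes)
$end   = $DetectionTime.AddMinutes($WindowMinutes)

# Script block text the PowerShell engine actually ran (Properties[2] = ScriptBlockText).
$scriptBlocks = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Source = '4104 ScriptBlock'
        Text   = $_.Properties[2].Value
    }
}

# powershell.exe launches with full command line (Properties[5] = NewProcessName,
# Properties[8] = CommandLine, Properties[13] = ParentProcessName on Win10/2016+).
$procs = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue |
  Where-Object { $_.Properties[5].Value -like '*powershell*' } |
  ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Source = '4688 ProcessCreate'
        Text   = "parent=$($_.Properties[13].Value) cmd=$($_.Properties[8].Value)"
    }
  }

# Merge both views, order by time, and mark encoded/hidden/in-memory download patterns.
$pattern = '-enc|-w\s+hidden|-WindowStyle\s+Hidden|DownloadString|IEX|Invoke-Expression|FromBase64String'
@($scriptBlocks) + @($procs) | Sort-Object Time | ForEach-Object {
    $flag = if ($_.Text -match $pattern) { 'SUSPICIOUS' } else { '' }
    '{0:u} {1,-20} {2,-10} {3}' -f $_.Time, $_.Source, $flag, $_.Text
}
```

Run it as Administrator on an affected PC with the alert time, e.g. `.\Find-PSActivity.ps1 -DetectionTime '2019-03-12 01:47'`; the 4688 parent process tells you what launched PowerShell (a scheduled task, WMI, Outlook, etc.), which is what distinguishes a legitimate job from a persistence mechanism.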
Ah. Thank you ApoC