Threat Description: IDP.HELU.PSWM6%s_cmd

Hi

We are receiving tons of alerts on the same client with this threat, but I imagine it is a false positive. Can you help me to figure it out? I scanned the systems and they are clean; I also use Malwarebytes as a backup.

Description: The device is infected with a security threat.
Details:
Threat Description: IDP.HELU.PSWM6%s_cmd
Threat Severity: Infection
Threat Shield: Behavior Shield
Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Virus Action: Fix automatically - means try to Repair, if it fails, try to Move to Chest, and if even that fails, delete
Group: Default
Date and Time: 3/3/2020 10:56:29 AM
Notes:
Alert Name: Default

Here is the screenshot of the error.

Report it to Avast lab >> https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Hi Nynjguy,

By any chance are you running Nessus (Tenable.IO) agents on your machines as well?

Hi Nynjguy,

Could you follow these steps https://support.avast.com/en-us/article/33/ and write the Ticket ID here in the comments?

We cannot really help you when only a screenshot is provided.

Thanks,
PDI

Yes, we are doing Tenable IO scanning every week, this may be?

The case number is 10221416

Hi,

We did change the detection and it’ll be fixed in the VPS tomorrow.

Regards,
PDI

We run the Nessus scan every day. I’ve been in touch with them and they asked me to enable advanced logging. It is still on my list of things to do. But from the tests that I have done here, it does seem that Nessus is causing the issue.

Makes sense. I just checked and ran a Tenable IO agent scan and Avast went crazy again; this is getting annoying. It reports powershell.exe or CMD.exe too.

Hi,

Please be patient. The fix will be released today, as I wrote yesterday.

Regards,
PDI

Hi

Today we started seeing the same error again on all of our systems; the fix did work for a while but it just came back.

An Avast Business CloudCare High-Priority Alert Occurred.

Description: The device is infected with a security threat.
Details:
Threat Description: IDP.HELU.PSWM7%s_cmd
Threat Severity: Infection
Threat Shield: Behavior Shield
Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Virus Action: Fix automatically - means try to Repair, if it fails, try to Move to Chest, and if even that fails, delete
Customer:
Group: Default
Device:
Date and Time: 4/14/2020 11:05:38 AM
Notes:
Alert Name: Default


Hi,

Was there any update to the Nessus software?

Thanks,
PDI

Not that I’m aware of, but it is the same thing. Nessus and Tenable IO always use CMD or PowerShell to scan the machines.

I checked, and all the warnings are the exact same thing as the one before. Anything you need from us to help out?

Hi,

It’s OK for now. I’ll let you know when the fix is ready or if we need more information.

Regards,
PDI

Hi,

The fix should be released tomorrow.

Regards,
PDI

Thank you so much!

Hi

The error came back again today on a few users. Can you help me, please?

Everything is whitelisted; no idea why this keeps happening with Tenable IO.

The error came back again today on a few users. Can you help me, please?
How to report stuff is still found at the same place; see the sticky posts at the top of this forum section.

Direct link: https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Hi nynjguy,

As it’s a different detection, you should create a new topic so it won’t be lost.

We cannot help you based on your current input, but there is a possibility to create an exclusion from the detection dialog for this detection.
We’d need a support package to check if there is something we can do.

Regards,
PDI