Containment spammed by C_powershell.exe_xxxxxxxxx


When I checked the containment section today, I have like 80 pages with different C_powershell.exe_(random characters).ps1 on my device.

What is that?

The file path is,
C:\ProgramData\Comodo\Cis\tempscrpt\

It looks like this, but 80 pages of this,

C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_E22BFC0204868944244CA02022FE63F024DB2854.ps1
1 Containment Policy Virtually Complete Not set
2018/05/17 08:50:06 AM

C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_A5D4E3156AE9FB5B9BB3A81481E4D7B4909C1A83.ps1
1 Containment Policy Virtually Complete Not set
2018/05/17 08:50:03 AM

C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_73F48F54CEE92278DDDEBC0415EC015F160AD51A.ps1
1 Containment Policy Virtually Complete Not set
2018/05/17 08:50:01 AM

C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_A53D71CB1175D11CF1576D932BE678D1CA41D3D2.ps1
1 Containment Policy Virtually Complete Not set
2018/05/17 08:49:57 AM

C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_ECE95A25731DDB49BB2A8A0AFA4E2ED6F2777D9C.ps1
1 Containment Policy Virtually Complete Not set
2018/05/17 08:49:55 AM

C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_7B2AD3FBCD0E605D635E54637772829F01CF74EA.ps1
1 Containment Policy Virtually Complete Not set
2018/05/17 08:49:53 AM

C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_69CA3F671CC6BF7E05850066D2C67B3A49519D32.ps1
1 Containment Policy Virtually Complete Not set
2018/05/17 08:49:50 AM

Hello @Noiden

Support team will get in touch with you shortly via email to investigate the issue.


Hi @Noiden

Support team will check to validate, but these files are created when some other application tries to execute scripts on your computer. These scripts might be the source of what is called “Fileless malware” and our protection layers are in effect to protect you from fileless malware as well as all other attack vectors.

You can check this article to get a better idea about fileless malware:

And this article to read how we protect against that as well as any other attack vector:

Also, here is a video that one of our fans created with the consumer version of the security client. He demonstrates how we catch fileless attacks and protect the endpoint:

Best regards,

Hi @Ilker

Thanks. For your information I think the program that is trying to create and run this script is LepideAuditor Freeware edition,


Hello @Noiden ,

We have responded to the support ticket we have created for you.
Please check the e-mail at your convenience.

Best regards,

I found that this was happening on a machine I was testing on.
I think it's actually another RMM agent that uses PowerShell that it's containing.

@rockowwc ,

We will coordinate with you shortly via support email for any information that will help us in determining the root cause and solution for the said issue.

@Noiden, Thank you for giving us a response to the support email for your resolved issue.
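For triaging a listing like the one in the first post, the following is an added example (not code from this thread or from Comodo) that parses the pasted entries and reports how many distinct script names appear and how often they arrive, which helps tell a periodic agent or auditing tool from a one-off event. It assumes the containment list has been copied out as text in the three-line shape shown above, matches on the file name only, and treats the 40-hex suffix as an opaque tag.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: three entries copied from the listing in the first post.
SAMPLE = r"""
C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_E22BFC0204868944244CA02022FE63F024DB2854.ps1
1 Containment Policy Virtually Complete Not set
2018/05/17 08:50:06 AM
C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_A5D4E3156AE9FB5B9BB3A81481E4D7B4909C1A83.ps1
1 Containment Policy Virtually Complete Not set
2018/05/17 08:50:03 AM
C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_73F48F54CEE92278DDDEBC0415EC015F160AD51A.ps1
1 Containment Policy Virtually Complete Not set
2018/05/17 08:50:01 AM
"""

# File name shape seen in the thread: C_<host binary>_<40 hex chars>.<ext>
ENTRY = re.compile(r"C_(?P<host>[^\\_]+)_(?P<tag>[0-9A-Fa-f]{40})\.(?P<ext>\w+)\s*$")
STAMP = "%Y/%m/%d %I:%M:%S %p"

def parse_listing(text):
    """Return one record per entry: host binary, 40-hex tag, timestamp."""
    records, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.search(line)
        if m:
            current = {"host": m["host"], "tag": m["tag"].upper(), "when": None}
            records.append(current)
        elif current and current["when"] is None:
            try:
                current["when"] = datetime.strptime(line, STAMP)
            except ValueError:
                pass  # status line ("1 Containment Policy ...") or blank
    return records

def summarize(records):
    """Count entries and distinct tags, and measure the gaps between events."""
    times = sorted(r["when"] for r in records if r["when"])
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    tags = Counter(r["tag"] for r in records)
    return {
        "entries": len(records),
        "hosts": sorted({r["host"] for r in records}),
        "unique_tags": len(tags),
        "repeated_tags": sorted(t for t, n in tags.items() if n > 1),
        "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
    }
```

A steady gap of a few seconds with a new tag on every entry, as in the sample, points at a program that keeps launching scripts on a timer, which is consistent with the auditing and RMM tools the posters suspected.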