Containment spammed by C_powershell.exe_xxxxxxxxx

Hi,

When I checked the containment section today, I have like 80 pages with different C_powershell.exe_(random characters).ps1 on my device.

What is that?

The file path is:
C:\ProgramData\Comodo\Cis empscrpt\

It looks like this, but 80 pages of this,

C_powershell.exe_E22BFC0204868944244CA02022FE63F024DB2854.ps1
C:\ProgramData\Comodo\Cis empscrpt\C_powershell.exe_E22BFC0204868944244CA02022FE63F024DB2854.ps1
E22BFC0204868944244CA02022FE63F024DB2854
1 Containment Policy Virtually Complete Not set
2018/05/17 08:50:06 AM

C_powershell.exe_A5D4E3156AE9FB5B9BB3A81481E4D7B4909C1A83.ps1
C:\ProgramData\Comodo\Cis empscrpt\C_powershell.exe_A5D4E3156AE9FB5B9BB3A81481E4D7B4909C1A83.ps1
A5D4E3156AE9FB5B9BB3A81481E4D7B4909C1A83
1 Containment Policy Virtually Complete Not set
2018/05/17 08:50:03 AM

C_powershell.exe_73F48F54CEE92278DDDEBC0415EC015F160AD51A.ps1
C:\ProgramData\Comodo\Cis empscrpt\C_powershell.exe_73F48F54CEE92278DDDEBC0415EC015F160AD51A.ps1
73F48F54CEE92278DDDEBC0415EC015F160AD51A
1 Containment Policy Virtually Complete Not set
2018/05/17 08:50:01 AM

C_powershell.exe_A53D71CB1175D11CF1576D932BE678D1CA41D3D2.ps1
C:\ProgramData\Comodo\Cis empscrpt\C_powershell.exe_A53D71CB1175D11CF1576D932BE678D1CA41D3D2.ps1
A53D71CB1175D11CF1576D932BE678D1CA41D3D2
1 Containment Policy Virtually Complete Not set
2018/05/17 08:49:57 AM

C_powershell.exe_ECE95A25731DDB49BB2A8A0AFA4E2ED6F2777D9C.ps1
C:\ProgramData\Comodo\Cis empscrpt\C_powershell.exe_ECE95A25731DDB49BB2A8A0AFA4E2ED6F2777D9C.ps1
ECE95A25731DDB49BB2A8A0AFA4E2ED6F2777D9C
1 Containment Policy Virtually Complete Not set
2018/05/17 08:49:55 AM

C_powershell.exe_7B2AD3FBCD0E605D635E54637772829F01CF74EA.ps1
C:\ProgramData\Comodo\Cis empscrpt\C_powershell.exe_7B2AD3FBCD0E605D635E54637772829F01CF74EA.ps1
7B2AD3FBCD0E605D635E54637772829F01CF74EA
1 Containment Policy Virtually Complete Not set
2018/05/17 08:49:53 AM

C_powershell.exe_69CA3F671CC6BF7E05850066D2C67B3A49519D32.ps1
C:\ProgramData\Comodo\Cis empscrpt\C_powershell.exe_69CA3F671CC6BF7E05850066D2C67B3A49519D32.ps1
69CA3F671CC6BF7E05850066D2C67B3A49519D32
1 Containment Policy Virtually Complete Not set
2018/05/17 08:49:50 AM
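A quick triage aid for a listing like the one above, as an added example that is not part of the original post and not Comodo's own tooling: it parses the five-line layout the containment page produced (file name, full path, hash, policy/status line, timestamp), checks that the 40-hex value in each file name matches the hash line, counts which parent process the scripts came from, and flags bursts of containments within a short window, which is the pattern you would expect from an agent that regenerates a script on every run. The file-name pattern `C_<parent>_<40 hex chars>.ps1` is assumed from the entries shown; the sample input is the first four entries from the post, embedded as constructed data.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: the first four entries from the post above, in the
# five-line layout the containment page produced (file name, full path,
# hash, policy/status line, timestamp).
SAMPLE_LISTING = r"""
C_powershell.exe_E22BFC0204868944244CA02022FE63F024DB2854.ps1
C:\ProgramData\Comodo\Cis empscrpt\C_powershell.exe_E22BFC0204868944244CA02022FE63F024DB2854.ps1
E22BFC0204868944244CA02022FE63F024DB2854
1 Containment Policy Virtually Complete Not set
2018/05/17 08:50:06 AM

C_powershell.exe_A5D4E3156AE9FB5B9BB3A81481E4D7B4909C1A83.ps1
C:\ProgramData\Comodo\Cis empscrpt\C_powershell.exe_A5D4E3156AE9FB5B9BB3A81481E4D7B4909C1A83.ps1
A5D4E3156AE9FB5B9BB3A81481E4D7B4909C1A83
1 Containment Policy Virtually Complete Not set
2018/05/17 08:50:03 AM

C_powershell.exe_73F48F54CEE92278DDDEBC0415EC015F160AD51A.ps1
C:\ProgramData\Comodo\Cis empscrpt\C_powershell.exe_73F48F54CEE92278DDDEBC0415EC015F160AD51A.ps1
73F48F54CEE92278DDDEBC0415EC015F160AD51A
1 Containment Policy Virtually Complete Not set
2018/05/17 08:50:01 AM

C_powershell.exe_A53D71CB1175D11CF1576D932BE678D1CA41D3D2.ps1
C:\ProgramData\Comodo\Cis empscrpt\C_powershell.exe_A53D71CB1175D11CF1576D932BE678D1CA41D3D2.ps1
A53D71CB1175D11CF1576D932BE678D1CA41D3D2
1 Containment Policy Virtually Complete Not set
2018/05/17 08:49:57 AM
"""

# File-name pattern assumed from the entries above: C_<parent>_<40 hex chars>.ps1
NAME_RE = re.compile(r"^C_(?P<parent>.+)_(?P<hash>[0-9A-Fa-f]{40})\.ps1$")
TIME_FMT = "%Y/%m/%d %I:%M:%S %p"


def parse_listing(text):
    """Split the pasted listing into records; blocks that are not five lines
    or whose name does not match the pattern are skipped rather than guessed."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 5:
            continue
        name, path, digest, status, stamp = lines
        m = NAME_RE.match(name)
        if not m:
            continue
        records.append({
            "name": name,
            "path": path,
            "parent": m.group("parent"),
            "name_hash": m.group("hash").upper(),
            "hash": digest.upper(),
            "status": status,
            "time": datetime.strptime(stamp, TIME_FMT),
        })
    return records


def summarize(records):
    """Triage figures: how many entries, from which parent process, whether
    every script is distinct, and whether file names and hash lines agree."""
    times = [r["time"] for r in records]
    hashes = [r["hash"] for r in records]
    return {
        "count": len(records),
        "parents": dict(Counter(r["parent"] for r in records)),
        "unique_hashes": len(set(hashes)),
        "hash_mismatches": [r["name"] for r in records if r["name_hash"] != r["hash"]],
        "span_seconds": (max(times) - min(times)).total_seconds() if times else 0.0,
    }


def find_bursts(records, window_seconds=60, threshold=3):
    """Greedy sliding window over sorted timestamps: report each run of at
    least `threshold` containments that falls inside `window_seconds`."""
    times = sorted(r["time"] for r in records)
    window = timedelta(seconds=window_seconds)
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((times[i], times[j], j - i + 1))
        i = j + 1
    return bursts


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print(summarize(recs))
    for start, end, n in find_bursts(recs):
        print(f"burst: {n} containments between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

Paste the full listing in place of the sample to get the real numbers. All-distinct hashes with a single parent process and tight bursts point to a scheduled or polling component generating a fresh script each time, which is where the later replies in this thread end up; a hash mismatch or a second parent process would be worth a closer look before attributing the entries to a known agent.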

Hello @Noiden

Support team will get in touch with you shortly via email to investigate the issue.

Regards,

Hi @Noiden

The support team will check to validate, but these files are created when some other application tries to execute scripts on your computer. These scripts might be the source of what is called “fileless malware”, and our protection layers are in effect to protect you from fileless malware as well as all other attack vectors.

You can check this article to get a better idea about fileless malware: https://antivirus.comodo.com/blog/computer-safety/increasing-fileless-malware-attacks/

And this article to read how we protect against that as well as any other attack vector: https://enterprise.comodo.com/what-we-do-for-detection-at-the-endpoint.php

Also, here is a video that one of our fans created with the consumer version of the security client. He demonstrates how we catch fileless attacks and protect the endpoint: https://www.youtube.com/watch?v=Xem53arxRo0

Best regards,
Ilker

Hi @Ilker

Thanks. For your information, I think the program that is trying to create and run this script is LepideAuditor Freeware edition:
https://www.lepide.com/lepideauditor/freeware.html

Thanks.

Hello @Noiden ,

We have responded to the support ticket we have created for you.
Please check the e-mail at your convenience.

Best regards,

I found that this was happening on a machine I was testing on.
I think it's actually another RMM agent that uses PowerShell that it's containing.

@rockowwc ,

We will coordinate with you shortly via support email for any information that will help us in determining the root cause and solution for the said issue.

@Noiden, Thank you for giving us a response to the support email for your resolved issue.