Author Topic: ===> False Positives <===  (Read 351402 times)


Reply #390 on: October 29, 2019, 07:39:11 PM
Mops21 (Jr. Member)
Hi

Can you check this please? See my screenshot.

With best Regards
Mops21

Reply #391 on: October 29, 2019, 10:17:37 PM
Curson (Global Moderator)
Hi Mops21,

These look like false positives.
Could you please make an archive containing these files and attach it with your next reply?

Regards.

Reply #392 on: October 30, 2019, 11:36:01 AM
Mops21 (Jr. Member)
Hi

Yes, here are the files, but the first and second files I cannot find on my system; the folder does not exist.

https://www.sendspace.com/file/8ztbws

With best Regards
Mops21

Reply #393 on: October 30, 2019, 06:45:25 PM
Curson (Global Moderator)
Hi Mops21,

Thank you very much.
The archive contains the most important files, so it's alright.

Regards.

Reply #394 on: October 30, 2019, 07:43:08 PM
Mops21 (Jr. Member)
Hi

So you don't need the other 2 files anymore, right? Or do you need the 2 files?

With best Regards
Mops21

Reply #395 on: October 30, 2019, 07:53:26 PM
Curson (Global Moderator)
Hi Mops21,

No, the archive contained all the files we need.
However, it may take time until this is fixed. Please ignore these detections for the time being.

Regards.

Reply #396 on: October 31, 2019, 11:24:58 AM
Mops21 (Jr. Member)
Hi

Okay, thank you very much for your info.

With best Regards
Mops21

Reply #397 on: October 31, 2019, 11:21:45 PM
Curson (Global Moderator)
Hi Mops21,

You are very welcome.
Thanks again for your feedback.

Regards.

Reply #398 on: November 14, 2019, 04:14:41 PM
techknowledge (Newbie)
The PowerShell script that calls RogueKiller via my MSP gets killed by RogueKiller. As a result, the code after the portion that runs RogueKiller does not run.
The PowerShell script in the log will change with each run.

Thank you for your time.

Scan log file:
RogueKillerCMD V2.5.3.0 (x64) [Nov  8 2019] (Premium) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekillercmd/
Operating System : Windows 10 (10.0.17763) 64 bits
Started in : Normal mode
User : SYSTEM [Admin rights]
Started from : C:\Programdata\TechKnowledgeCleanup\bin\scanners\roguekiller\roguekillercmd.exe
[[SIGNATURES]] : 20191112_105343, [[DRIVER]] : LOADED
Mode : Standard Scan, Remove -- Date : 2019/11/12 11:42:02 (Duration : 00:03:54)
Switches : -reportformat txt -reportpath C:\Programdata\TechKnowledgeCleanup\logs\RogueKillerLog.txt -portable-license C:\Programdata\TechKnowledgeCleanup\bin\scanners\roguekiller\rk.lic

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Remove ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Mal.Powershell ([[MALICIOUS]])] powershell.exe -- %ProgramFiles%\Pulseway\automation_c15ddc4a_4ca5_4033_9985_ae772f03c0cc.ps1 -> ERROR [0]

Reply #399 on: November 15, 2019, 01:50:08 AM
Curson (Global Moderator)
Hi techknowledge,

Thanks for your feedback.
Could you please zip the detected PowerShell script and attach it with your next reply?

Regards.

Reply #400 on: November 15, 2019, 03:23:43 PM
techknowledge (Newbie)
Unfortunately I will not be able to provide the script. However the script itself is not important in this situation. There are many scripts that I run through my MSP. They all run from that folder.

I fully understand not being able to whitelist a folder.
I was thinking more along the lines of providing a whitelist command line argument. If an argument already exists, could I get documentation on how to use it?

As it stands I have been forced to omit RogueKiller from my cleanup process.

Thank you again for your time, I do appreciate it.

Reply #401 on: November 15, 2019, 09:07:45 PM
Curson (Global Moderator)
Hi techknowledge,

Such a switch does not exist at the moment.
Maybe you could share the script with sensitive information removed? Which parameters are passed to the PowerShell binary along with the script?

Regards.

Reply #402 on: November 18, 2019, 03:43:02 PM
techknowledge (Newbie)
I understand now.
# $roguekillerexe, $roguekillerlicense, $ThisApplicationLogFile and $stdErrLog are set earlier in the cleanup script.
# Renamed from $args: $args is a PowerShell automatic variable and should not be assigned to.
$rkArgs = @"
-scan "-reportformat txt -reportpath $ThisApplicationLogFile -portable-license $roguekillerlicense" -autodelete -no_interact
"@
Start-Process -FilePath $roguekillerexe -ArgumentList $rkArgs -Wait -RedirectStandardError $stdErrLog -NoNewWindow

Would it be possible to change out -autodelete with something? I get the log sent every time it runs. If there is anything found in the log it goes direct to a tech rather than the general logging email address.

Could we create a follow-up script that uses the log file to delete things previously found? That way we would avoid a second scan.

Reply #403 on: November 29, 2019, 04:26:55 PM
Tigzy (Administrator; Owner, Adlice Software)
Hey, sorry for the delay.
I'll be looking into it very shortly.

Reply #404 on: November 29, 2019, 05:32:27 PM
Tigzy (Administrator; Owner, Adlice Software)
So indeed yes, we detect when a PowerShell script is being executed.
However, since it's a process only, it won't be deleted, just stopped.

The easy fix for us would be to whitelist the file with a pattern, is that ok?
Can you tell me what rule your file name follows?

Regards,
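Two things in this thread lend themselves to a worked example: techknowledge's routing idea in Reply #402 (send the report to a tech only when the log contains a finding) and Tigzy's proposal in Reply #404 to whitelist the MSP script by file-name pattern. The script below is an added example, not code from either poster or from Adlice Software. It parses detection lines in the RogueKillerCMD text report format quoted in Reply #398, separates hits on the MSP's own automation scripts from everything else, and returns a disposition the cleanup job can act on. The Pulseway folder and the `automation_<guid>.ps1` naming rule are assumptions taken from the one path visible in the quoted report; both sample reports are constructed.

```powershell
# Parse RogueKillerCMD detection lines of the form
#   [Mal.Powershell ([[MALICIOUS]])] powershell.exe -- <path> -> ERROR [0]
# into objects (Name, Severity, Target, Result). Lines that do not match are ignored.
function ConvertFrom-RkReport {
    param([Parameter(Mandatory)][string[]]$Lines)
    $pattern = '^\[(?<Name>\S+) \(\[\[(?<Severity>[^\]]+)\]\]\)\] (?<Detail>.+?) -> (?<Result>.+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            # Copy captures before any further -match overwrites $Matches.
            $name = $Matches.Name; $sev = $Matches.Severity
            $detail = $Matches.Detail; $result = $Matches.Result
            # "process -- argument" form: the script path is the argument part.
            $target = $detail
            if ($detail -match '^\S+ -- (?<Arg>.+)$') { $target = $Matches.Arg }
            [pscustomobject]@{ Name = $name; Severity = $sev; Target = $target; Result = $result }
        }
    }
}

# Assumed (hypothetical) naming rule for the MSP's scripts: they live under a
# Pulseway folder and are named automation_<guid with underscores>.ps1, as in the
# single path quoted in Reply #398. Adjust to the real rule before relying on it.
function Test-KnownMspScript {
    param([Parameter(Mandatory)][string]$Path)
    $leaf = Split-Path -Leaf $Path
    return (($Path -like '*\Pulseway\*') -and ($leaf -match '^automation_[0-9a-f]{8}(_[0-9a-f]{4}){3}_[0-9a-f]{12}\.ps1$'))
}

# Clean            : no detection lines at all
# KnownFalsePositive: every hit is one of the MSP's own scripts (log it, no tech needed)
# EscalateToTech   : at least one hit is not explained by the pattern
function Get-ReportDisposition {
    param([Parameter(Mandatory)][string[]]$Lines)
    $hits = @(ConvertFrom-RkReport -Lines $Lines)
    if ($hits.Count -eq 0) { return 'Clean' }
    $unexplained = @($hits | Where-Object { -not (Test-KnownMspScript -Path $_.Target) })
    if ($unexplained.Count -eq 0) { return 'KnownFalsePositive' }
    return 'EscalateToTech'
}

# Constructed sample 1: only the MSP automation script is hit (the case from Reply #398).
$reportOnlyMsp = @'
RogueKillerCMD V2.5.3.0 (x64) [Nov  8 2019] (Premium) by Adlice Software
Mode : Standard Scan, Remove -- Date : 2019/11/12 11:42:02 (Duration : 00:03:54)

[Mal.Powershell ([[MALICIOUS]])] powershell.exe -- %ProgramFiles%\Pulseway\automation_c15ddc4a_4ca5_4033_9985_ae772f03c0cc.ps1 -> ERROR [0]
'@

# Constructed sample 2: an additional hit outside the Pulseway folder (path is made up).
$reportMixed = $reportOnlyMsp + "`n[Mal.Powershell ([[MALICIOUS]])] powershell.exe -- C:\Users\Public\constructed_sample.ps1 -> ERROR [0]"

foreach ($report in @($reportOnlyMsp, $reportMixed)) {
    $lines = $report -split "`r?`n"
    ConvertFrom-RkReport -Lines $lines | Format-Table -AutoSize
    # Expected: KnownFalsePositive for sample 1, EscalateToTech for sample 2.
    Get-ReportDisposition -Lines $lines
}
```

This only changes how the MSP routes the report; as Tigzy notes in Reply #404, the detection stops the running PowerShell process regardless, so the code after the RogueKiller call still will not run until the vendor-side whitelist pattern is in place. Feed `Get-Content` of the file passed via `-reportpath` into `Get-ReportDisposition` to use it in the cleanup job.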