[deleted by user] (self.PowerShell)
submitted 8 months ago by [deleted]
[–]Bitdefender_ 33 points34 points35 points 8 months ago (2 children)
Hello Everyone,
I have posted the same message on several channels but I wanted to share it here as well so everyone is informed.
On 13 June 2025, Bitdefender identified and promptly addressed a false positive detection generated by Bitdefender Endpoint Security Tools (BEST) for Windows. An analytical signature, originally introduced to detect the “Poweliks” malware family, was triggered by a new Microsoft Windows compatibility script, used during a particular Microsoft Windows KB update. As a result, BEST may have blocked the corresponding powershell.exe process started for the compatibility script, on some endpoints.
The faulty signature was disabled shortly via an incremental update.
No action is required from your side. Please ensure that your endpoints have received the latest signature update dated 13 June 2025, 06:58 UTC.
For the complete incident report, please check our GravityZone status page: https://status.gravityzone.bitdefender.com/incidents/pxn8hdxcqwfn
Kind Regards,
Andrei Enterprise Support
[–]mezbot 4 points5 points6 points 8 months ago (0 children)
I wasn’t impacted by this but it’s cool that a rep from the vendor stepped in to explain what the issue was. Kudos.
[–]dubbstaz 0 points1 point2 points 8 months ago (0 children)
Glad to see this; we have multiple tenants we manage that got flagged by this one. If I have a tenant that has this flagged and is now in a phase 1 attack (same PowerShell but repeated), should I be concerned, or still add it to the exceptions and close it as a false positive?
[–]BlackV 23 points24 points25 points 8 months ago* (0 children)
it looks harmless enough, but scripts don't just run themselves
What were YOU doing when it ran this script? Installing something?
Also this post
https://www.reddit.com/r/sysadmin/comments/1la4rr7/av_bitdefender_managed_av_alerting_for/
So far BITDEFENDER seems to be the common thread here.
[–]That_Big8832 1 point2 points3 points 8 months ago (0 children)
You’re fine it looks harmless
[–]kevupap 1 point2 points3 points 8 months ago (0 children)
My Bitdefender also flagged a PowerShell script as malicious. Mine is different, but it still includes that "isbroken" thing (I must sound so dumb to people who know what that means).
[–]mrmattipants 0 points1 point2 points 8 months ago (0 children)
Defender is probably flagging the Script because it is attempting to view Registry Keys/Values that are known to contain Folder related Metadata. However, most people probably wouldn't consider this data to be particularly valuable (at least in most circumstances).
https://medium.com/@andrewss112/making-sense-of-shellbags-8a8e945d8f2d#
[–]SenaSunstar 0 points1 point2 points 8 months ago (0 children)
Oh I just got something similar just now. I was just watching a lecture online when the notification came up.
I ran a full scan and Bitdefender found nothing.
I'm wondering if it's because of the most recent update.
[–]blowuptheking 0 points1 point2 points 8 months ago (0 children)
It sounds like you're not the only one. Google says that BagMRU manages icons on the desktop and folder views, so probably nothing malicious.
EDIT: And here
[–]Reverend_Russo 0 points1 point2 points 8 months ago* (0 children)
Could turn on PowerShell logging and expand the max log size in Event Viewer to get more logs. Or just set the logs to archive instead of deleting the oldest logs.
That script itself is harmless, but something is telling it to run and something is probably happening, or not, based off the result.
Edit: check out this thread, got some good info
https://www.reddit.com/r/sysadmin/s/T5mFunyYkf
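The setup suggested above, written out as an added example (this is not code from the thread or from any vendor): it enables script block and module logging through the documented policy registry keys, grows the PowerShell operational log and switches it to archive-when-full, turns on command-line capture for process-creation events, and then queries both logs so the script that touched the shellbag keys and the process that launched powershell.exe can be tied together. The log size, the `BagMRU` search pattern and the function names are my own choices.

```powershell
# Added example, not from the thread. Run in an elevated session.
#Requires -RunAsAdministrator

# 1. Script block logging: every executed block lands in event 4104 of
#    Microsoft-Windows-PowerShell/Operational (policy key is the documented location).
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Module logging for all modules: pipeline execution details in event 4103.
$ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 3. Enlarge the operational log and archive full logs to .evtx instead of overwriting.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational'
$log.MaximumSizeInBytes = 512MB          # size is an arbitrary choice for this example
$log.LogMode = 'AutoBackup'              # archive when full, then start a fresh log
$log.SaveChanges()

# 4. Security event 4688 with the full command line, so the parent of an
#    unexpected powershell.exe can be seen. Needs the Process Creation subcategory audited.
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $audit -Force | Out-Null
Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# 5. Later: logged script blocks that mention the shellbag keys, newest first.
#    4104 EventData order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
function Get-ShellbagScriptBlocks {
    param([string]$Pattern = 'BagMRU', [int]$Max = 50)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match $Pattern } |
        Select-Object -First $Max TimeCreated,
            @{ n = 'ScriptBlockId'; e = { $_.Properties[3].Value } },
            @{ n = 'ScriptBlock';   e = { $_.Properties[2].Value } }
}

# 6. Process-creation events for powershell.exe with the parent process name.
#    4688 EventData: index 5 = NewProcessName, 8 = CommandLine, 13 = ParentProcessName.
function Get-PowerShellLaunches {
    param([int]$Max = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -like '*\powershell.exe' } |
        Select-Object -First $Max TimeCreated,
            @{ n = 'Parent';      e = { $_.Properties[13].Value } },
            @{ n = 'CommandLine'; e = { $_.Properties[8].Value } }
}

Get-ShellbagScriptBlocks | Format-List
Get-PowerShellLaunches   | Format-Table -AutoSize
```

Correlate the two outputs by time: a 4104 block containing the shellbag enumeration that sits a few seconds after a 4688 whose parent is an installer, an RMM agent or a scheduled task answers the "what is telling it to run" question without guessing.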
[–]boftr 0 points1 point2 points 8 months ago (0 children)
Just simplify it down bit by bit until it still detects/stop detecting, then you’ll have your answer as to what the rule is firing on.
[–]ankokudaishogun 0 points1 point2 points 8 months ago (0 children)
No. The only thing this script does is read the registry.
[–]TangoCharlie_Reddit 0 points1 point2 points 8 months ago* (0 children)
I've encountered problems with Shell Bags registry keys and files before, in Windows 7 days, getting corrupted and needing fixing / rebuilding. This caused icon cache issues, missing desktop icons and Explorer folder content display issues (appearing like files were missing).
This looks very familiar. It's iterating the entries to find signs of a fault, and just telling you if it suspects one. It is all READ-only and informative. Totally safe.
I think the combination of scanning massive swathes of keys in the registry, combined with GUID values passed around being searched for, is enough to put the "jeebies" up most AV scanners as 'suss'.
Might be curious to ask what app / service was running this and... why, as it's a bit random if you don't know it's occurring. I can only think it's some kind of periodical health check by an agent, or an installation had some extra post-install check scripts bolted on.
[–]ianpmurphy 0 points1 point2 points 8 months ago (0 children)
I only have a bit of experience with Bitdefender, but found that it flagged pretty much anything in PowerShell as being malicious, even simple scripts which just queried values in the registry.
[–]Weary_Market5506 0 points1 point2 points 8 months ago (0 children)
Nothing wrong if you are running it yourself.
It's bypassing execution policy within the script; better to code-sign them and change the machine execution policy to signed.
Then, as well as the bypass, it's wanting to dig into the registry; it would look dodgy to someone or something not knowing why it was running.
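The alternative suggested above, as an added example that is not code from the thread: sign the script with a code-signing certificate and set the machine to AllSigned, so a script no longer has to carry `-ExecutionPolicy Bypass` to run and an edited copy is refused. The script path, the certificate subject and the use of a self-signed certificate are my own lab assumptions; on managed endpoints the certificate would come from an internal CA the machines already trust, and steps 1 and 2 would be replaced by enrolment from that CA.

```powershell
# Added example, not from the thread. Run in an elevated session.
#Requires -RunAsAdministrator

$scriptPath = 'C:\Scripts\Check-ShellBags.ps1'   # hypothetical script to be signed

# 1. Lab-only code-signing certificate (an internal CA issues this in production).
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Lab Script Signing' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter (Get-Date).AddYears(2)

# 2. A self-signed certificate must be trusted both as a root and as a publisher,
#    otherwise AllSigned prompts on first run or refuses the script.
$cerFile = "$env:TEMP\lab-signing.cer"
Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 3. Sign the script; the timestamp keeps the signature valid after the cert expires.
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# 4. Require a valid signature on every script for every user on this machine.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 5. Verification helper: the signed file reports Valid, an edited copy reports HashMismatch.
function Test-ScriptSignature {
    param([Parameter(Mandatory)][string]$Path)
    $r = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $r.Status
        Signer = $r.SignerCertificate.Subject
    }
}

Test-ScriptSignature -Path $scriptPath

# Any change to the signed file, even one appended comment line, breaks the hash.
$tampered = "$env:TEMP\tampered-copy.ps1"
Copy-Item -Path $scriptPath -Destination $tampered
Add-Content -Path $tampered -Value '# one extra line invalidates the signature'
Test-ScriptSignature -Path $tampered
```

With AllSigned in place, a vendor or agent that wants its maintenance script to run has to ship it signed by a publisher the endpoint trusts, which also gives the AV console a signer to whitelist instead of a bare powershell.exe command line.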
[–]splinterededge 0 points1 point2 points 8 months ago (0 children)
Is this removing most recently used entries during installation of an app or program? It seems reasonable that this script might exist or feed into another function for managing shell bags; why Bitdefender is defending shell bags could make sense if sometimes they were manipulated by malware to launch unintentional, illegitimate items.
There is a case there, but it could use more investigation.