Advice Request NPE detection - Microsoft.PowerShell\"ExecutionPolicy"


JB007

Hello
NPE detected a threat on my PC.
I'm wondering if it is a false positive or malware?
____________________________
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\"ExecutionPolicy"
____________________________

File Thumbprint - SHA:
Not Available

____________________________

 

SeriousHoax

It's not a false positive but not malicious either. It's rather a security issue/hole. A program that you've installed probably changed the default restriction policy and this should be reverted back to the default restricted value. To fix it,
run PowerShell as administrator, then type/copy-paste this "Set-ExecutionPolicy restricted -Force" without the quotation marks and hit Enter.
This should fix this issue. After this, re-scan with NPE and this would be gone (y)
 

SeriousHoax

Do you think Windows users should be using tools such as Norton Power Eraser? Or are there other tools available to find mis-configured OS settings?
Norton Power Eraser actually looks for registry modifications that could've potentially been done by malware. So it won't find all the mis-configured settings. I'm not sure if there are programs that can do so because a lot of modifications can be done by a user which are not dangerous. ESET has a tool called "System cleaner" built into their product that can revert all the system settings back to the default value but this is recommended only if the system was infected. There's "sfc /scannow" that can fix some corrupt system files. The best thing to do is to keep a system image backup of a clean, stable system and if something goes wrong then revert back to it.
 

MacDefender

Do you think Windows users should be using tools such as Norton Power Eraser? Or are there other tools available to find mis-configured OS settings?

I think you should only be using power cleaning tools like Norton Power Eraser or similar products if you strongly suspect your system was already compromised by malware. For example, if you executed malware and your AV didn't react to it (hopefully in the context of malware testing!). Or you're asked to help clean up a family member's machine, etc.

NPE and similar tools will scrutinize your system for any sort of unusual configuration that could be indicative of malware, but it could also be indicative of a variety of normal actions that people take. For example, you might've run some PowerShell script for changing hidden power management settings or other things that resulted in changing your execution policy.

I think it's more important to understand why the setting originally changed...
 

Gandalf_The_Grey

Do you think Windows users should be using tools such as Norton Power Eraser? Or are there other tools available to find mis-configured OS settings?
Kaspersky Security Cloud (Free) has a check (scan) for weak/unsafe settings and Windows troubleshooting.
Both look for and can correct mis-configured OS settings.
Weak settings control in the operating system:
Microsoft Windows Troubleshooting Wizard:
The first runs always or, if disabled, on demand.
The second is advised to run after an infection is removed but is also great to run after a fresh install of Windows to check for (other) potentially unsafe settings.
 

cruelsister

JB- Before assuming a FP, try this:

1). Go to All Programs and open WindowsPowershell\WindowsPowerShell
2). In the window that opens, type:

get-executionpolicy

You should get a result that says Restricted

If you don't, something may have changed the default Policy.
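
Added example, not part of any post in this thread: a PowerShell audit of every scope that can set the execution policy, showing which one produces the value `Get-ExecutionPolicy` returns and whether the LocalMachine key NPE flagged is the source. The function name `Get-ExecutionPolicyAudit` is hypothetical; the registry paths are the standard per-scope locations.

```powershell
# Added example: read the execution policy from each place it can be stored.
# Precedence (highest first): MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
$shellId = 'Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
$locations = [ordered]@{
    'MachinePolicy (GPO)'   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    'UserPolicy (GPO)'      = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    'CurrentUser'           = "HKCU:\SOFTWARE\$shellId"
    'LocalMachine'          = "HKLM:\SOFTWARE\$shellId"              # the key NPE reported
    'LocalMachine (32-bit)' = "HKLM:\SOFTWARE\WOW6432Node\$shellId"  # used by 32-bit PowerShell
}

function Get-ExecutionPolicyAudit {
    foreach ($entry in $locations.GetEnumerator()) {
        $value = $null
        if (Test-Path -LiteralPath $entry.Value) {
            $props = Get-ItemProperty -LiteralPath $entry.Value -ErrorAction SilentlyContinue
            $value = $props.ExecutionPolicy
        }
        [pscustomobject]@{
            Scope           = $entry.Key
            ExecutionPolicy = if ($value) { $value } else { '(not set)' }
            RegistryPath    = $entry.Value
        }
    }
}

$report = Get-ExecutionPolicyAudit
$report | Format-Table -AutoSize | Out-String | Write-Host

# The Process scope is not in the registry; it lives in an environment variable.
$processScope = if ($env:PSExecutionPolicyPreference) { $env:PSExecutionPolicyPreference } else { '(not set)' }
Write-Host "Process scope : $processScope"
Write-Host "Effective     : $(Get-ExecutionPolicy)"

# PowerShell's own per-scope view, for comparison with the raw registry values.
Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-String | Write-Host

# Flag every stored value that lets unsigned scripts run without restriction.
$permissive = 'Unrestricted', 'Bypass'
foreach ($row in $report) {
    if ($permissive -contains $row.ExecutionPolicy) {
        Write-Warning "$($row.Scope) is set to $($row.ExecutionPolicy) at $($row.RegistryPath)"
    }
}
```

If the warning names a policy (GPO) scope, `Set-ExecutionPolicy Restricted -Force` will not change the effective result, because that command writes the LocalMachine scope and a policy scope overrides it.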
 

oldschool

I think you should only be using power cleaning tools like Norton Power Eraser or similar products if you strongly suspect your system was already compromised by malware.
Indeed. And users are probably best served not to use boutique or aggressive programs like NPE unless they fully understand how they work and are able to make qualified judgments. Better to use apps suited to skill level, or learn the hard way.
 

bjm_

Hello
NPE detected a threat on my PC.
I'm wondering if it is a false positive or malware?
____________________________
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\"ExecutionPolicy"
____________________________
What's the NPE version #?
Um, stand-alone NPE or built-in Norton NPE?
I had similar a while back:
as I recall:
I created a Restore Point before FIX NOW expecting that NPE would not create a Restore Point with FIX NOW.
FWIW ~
https://www.bleepingcomputer.com/forums/t/684564/repeatedly-finding-same-threat/
https://community.norton.com/en/forums/norton-power-eraser-recurrent-powershell-problem
 

goodjohnjr

And as a second opinion scanner NPE is certainly not the cats-meow.

Hello Cruelsister,

What are your current recommended free second opinion scanners?

At this time I have Malwarebytes AdwCleaner, which is for PUPs mostly (I wish that it was more general purpose like a portable version of Malwarebytes), and I am looking to replace Norton Power Eraser (I do not like how you have to manually download new versions from their website, how there are two scans instead of just one unified one, and like AdwCleaner there is no context menu scan option unfortunately).

Thank you,
-John Jr
 

JB007

JB- Before assuming a FP, try this:

1). Go to All Programs and open WindowsPowershell\WindowsPowerShell
2). In the window that opens, type:

get-executionpolicy

You should get a result that says Restricted

If you don't, something may have changed the default Policy.
Thanks @cruelsister
I get "unrestricted" :(
What can I do?
 

JB007

What's the NPE version #?
Um, stand-alone NPE or built-in Norton NPE?
I had similar a while back:
as I recall:
I created a Restore Point before FIX NOW expecting that NPE would not create a Restore Point with FIX NOW.
FWIW ~
https://www.bleepingcomputer.com/forums/t/684564/repeatedly-finding-same-threat/
https://community.norton.com/en/forums/norton-power-eraser-recurrent-powershell-problem
Thanks @bjm_
It is the same version as yours.
 