Powershell Potentially Malicious Application Blocked

Solved
YouXI Posted messages 5 Status Member -  
YouXI Posted messages 5 Status Member -

Hello, Bitdefender regularly sends me notifications of attacks blocked by PowerShell:

My Bitdefender is not up to date but when I start the update, the update search gets stuck at 22% and I don't dare uninstall and then reinstall Bitdefender for fear of an attack during that time.

Thank you in advance for your help.

3 answers

  1. Bruno83200_6929 Posted messages 725 Registration date   Status Member Last intervention   170
     

    Hello,

    According to your screenshots, it seems that Bitdefender is detecting suspicious behavior related to a PowerShell script that accesses and checks Windows registry keys (specifically in BagMRU, which manages folder view settings in Explorer). The code shown checks if a folder view setting is "broken" (via $isBroken), which could be related to a diagnostic tool or a legitimate script, but Bitdefender flags it as suspicious (signature AB30BF9243AD5IA0). This could be a false positive, as Bitdefender is known to generate them occasionally on normal Windows processes or harmless scripts.

    Regarding the update stuck at 22%:


    Issues with stuck updates in Bitdefender are common (often at 0%, 80%, or 84%, but 22% could be similar).

    Download the manual update tool from the Bitdefender website (bitdefender.com). Run it and see if it goes through. Sometimes, automatic updates get stuck, but the manual one works.


    Some updates may seem stuck but resume after 10-15 minutes (as noted for other percentages).

    Uninstall safely:

    Use the official Bitdefender uninstallation tool (available on their website) for a clean removal. Disconnect from the internet during the uninstallation/reinstallation if you're paranoid (it blocks network attacks).


    Reinstall immediately:

    Once uninstalled, install the new version right away. Bitdefender protection is not completely disabled during normal updates, but for a reinstallation, it takes a few minutes max.


    If you have Windows 10/11, the built-in firewall and Defender provide basic protection in the meantime.


    1
    1. brucine Posted messages 24863 Registration date   Status Member Last intervention   4 172
       

      Hello,

      In short, PowerShell is integrated into Windows and is not inherently malicious.

      It is certain scripts that can be, but some legitimate processes can use it, related or not to certain software (for example, it is the legitimate way to update the databases of my security software).

      A malicious PowerShell script or not won't just drop from the sky.

      It can be executed from malware embedded in an executable that we have downloaded, but otherwise, if it were to be executed online, it would need to penetrate the computer, and this time it is not the antivirus's role but that of the firewall and the security software's defense system to intercept abnormal calls to executables.

      1
      1. brucine Posted messages 24863 Registration date   Status Member Last intervention   4 172 > brucine Posted messages 24863 Registration date   Status Member Last intervention  
         

        In the case that interests us and unless a malicious executable has usurped it, it is likely that it is only a script resulting from Windows telemetry CompatTelRunner, which is supposed to check the compatibility of different applications and report it to Microsoft.

        It can be disabled.

        1
      2. YouXI Posted messages 5 Status Member 1 > brucine Posted messages 24863 Registration date   Status Member Last intervention  
         

        Hello, thank you for your information!

        0
    2. YouXI Posted messages 5 Status Member 1
       

      Hello, thank you very much for your message. Regarding Bitdefender, I tried the manual update tool (I wasn't aware of this technique, thanks for the info!) but it didn't seem to work, so I will reinstall it.

      Best regards

      0
  2. bazfile Posted messages 58493 Registration date   Status Moderator Last intervention   20 270
     

    Hello @YouXI StatusMember.

    Powershell is sometimes used for infections, particularly Trojan coin miners, to check if the PC is infected, do the following.

    Download FRST .

    Once downloaded save FRST on the desktop then right-click on FRST and choose Run as administrator which gives this:

    Wait for the message the tool is ready to operate to appear then click on Scan.


    For your information:

    If you have an alert from Microsoft Defender, disregard it, click on Additional Information then on Run anyway, see below.


    Be careful, wait for the messages that say the scan is complete to appear.

    At the end of the scan, the two reports FRST and Addition will be on the desktop.

    Send the FRST and ADDITION reports to https://pjjoint.malekal.com/ or https://www.catupload.com/.

    Then attach the two links generated by https://pjjoint.malekal.com/ or https://www.catupload.com/ in your response.


    bazfile
    Moderator/Security Contributor.
    a hello, a response, a thank you are always appreciated.

    1
    1. YouXI Posted messages 5 Status Member 1
       

      Hello, thank you for your help. I did what you told me; here are the 2 links:

      https://pjjoint.malekal.com/files.php?id=FRST_20250903_k5p12g14j14f7

      https://pjjoint.malekal.com/files.php?id=20250903_d7p7z10k1214

      0
  3. Bruno83200_6929 Posted messages 725 Registration date   Status Member Last intervention   170
     

    Hello,

    I have just reviewed your two reports.

    Personally, I don't see anything suspicious.

    Overall, your reports do not show any infection. The only real points of concern are:

    Update Bitdefender (or reinstall it).

    Clean up any remnants of Avira.

    Check if you need the unsigned Brother service.


    1
    1. YouXI Posted messages 5 Status Member 1
       

      Okay, thank you Bruno for your quick response and your advice :) !

      I wish you a pleasant evening

      Best regards

      1