Exe generated by Powershell Pro Tool is detected as a virus

We are currently using PowerShell Pro Tools version 5.7.2 with Visual Studio 2019.

When we compile the code and the exe gets generated, Cylance antivirus deletes the exe file within the next few seconds.

We have tried it with previous versions of Visual Studio and PowerShell Pro Tools, but it did not help.

To our surprise, when we compile a .NET project, Cylance antivirus doesn’t delete the exe file.

How can we avoid it being detected as malware?

Can you share what packaging settings you are using? I wonder if obfuscation might cause this or if it’s something else with our package. I can also try to reach out to Cylance to see if they can provide some insight.

We are currently using the below settings:

Please let me know if you require any further information.

Hi Adam, please let me know if you need any further info. We are in the middle of a project and this issue looks like a showstopper. It would be great if you could provide a solution for it.

I’ve opened a support request with Cylance and am waiting to hear back on a resolution.

Hi Adam, can you please confirm whether there are any further updates on this?

Hi @adayama,

Still waiting to hear back from Cylance. I’ve sent them another message to get an update on the case.

Hi Adam,

Please let me know if we have any information on it from the Cylance team. We are in the middle of the project and it’s a showstopper for us.

Hi Adam,

This is Vijay Kumar from Aristocrat. We need a quick solution to this issue. Please let me know if we can connect on priority. Our production release is stuck due to this issue.

Thanks & Regards
Vijay Kumar

I don’t know anything about PowerShell Pro, but I do generate .exes from PS scripts using another method, and I found that unless I sign the .exe with a code signing cert, my AV picks it up as a virus. If there’s an option to sign the .exe using a cert, then it would be worth trying that.

(PowerShell Pro might already do this, so if so ignore me! I haven’t used it before.)

Thanks for the suggestion, Tom.

@vijay.kumar - I’ve contacted Cylance a few times and they still haven’t given me any status on the file I uploaded to them. You may want to try and open a ticket as well.

Hey @adam, I’m having this problem as well with Cortex XDR AV.

When “packaging as an executable” from Visual Studio (not VS Code), is there a way to sign the resulting exe with a code signing cert?

I see the option in Visual Studio Code to “sign on save”, but this is a bit different.

There currently isn’t an option to code sign the assembly directly. You can use SignTool to do so after the fact: SignTool - Win32 apps | Microsoft Docs

Recently, I’ve had some success submitting executables to vendors to have them validate and white list them.
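A worked version of the "sign it after the fact" step above, added here as an example and not code from the thread or from PowerShell Pro Tools. It signs the packaged exe with a PFX code-signing certificate using the built-in Set-AuthenticodeSignature cmdlet (the SignTool equivalent is shown in a comment), checks that the signature verifies, and records the SHA-256 of the signed file for a vendor whitelist request. The exe path, PFX path and timestamp URL are placeholders you would replace with your own.

```powershell
# Added example: post-build Authenticode signing of a packaged exe.
# Assumptions (placeholders, not values from the thread):
#   $ExePath      - the exe produced by "package as executable"
#   $PfxPath      - a code-signing certificate exported with its private key
#   $TimestampUrl - an RFC 3161 timestamp server (DigiCert's public one here)
param(
    [string]$ExePath      = 'C:\build\MyTool.exe',
    [string]$PfxPath      = 'C:\certs\codesign.pfx',
    [string]$TimestampUrl = 'http://timestamp.digicert.com'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $ExePath)) {
    throw "Packaged exe not found at $ExePath (an AV may already have removed it)."
}

# Load the PFX without importing it into a certificate store.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $pfxPassword)

if (-not $cert.HasPrivateKey) {
    throw 'The PFX has no private key; it cannot be used for signing.'
}

# Refuse a certificate that lacks the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3);
# AV and SmartScreen treat such signatures as invalid anyway.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $codeSigningOid })) {
    throw "Certificate $($cert.Thumbprint) does not carry the Code Signing EKU."
}

# Sign with SHA-256 and a trusted timestamp so the signature outlives the cert's validity.
$sig = Set-AuthenticodeSignature -FilePath $ExePath `
                                 -Certificate $cert `
                                 -HashAlgorithm SHA256 `
                                 -TimestampServer $TimestampUrl `
                                 -IncludeChain NotRoot

if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# SignTool equivalent (Windows SDK), if you prefer it in a build step:
#   signtool sign /fd SHA256 /f C:\certs\codesign.pfx /p <password> `
#       /tr http://timestamp.digicert.com /td SHA256 C:\build\MyTool.exe
#   signtool verify /pa /v C:\build\MyTool.exe

# Re-read the signature from disk rather than trusting the return value.
$check = Get-AuthenticodeSignature -FilePath $ExePath
if ($check.Status -ne 'Valid') {
    throw "Signature does not verify after signing: $($check.Status)"
}

# The hash changes once the signature is embedded, so compute it only now.
# This is the value to put in an AV vendor whitelist / false-positive request.
$hash = Get-FileHash -LiteralPath $ExePath -Algorithm SHA256

[pscustomobject]@{
    File        = $ExePath
    Signer      = $check.SignerCertificate.Subject
    Timestamper = $check.TimeStamperCertificate.Subject
    SHA256      = $hash.Hash
}
```

Run it from the same build session right after the package step; it only helps if the file is still on disk at that point, which is exactly the problem reported further down the thread for Cortex XDR. Submit the post-signing SHA-256 to the vendor, since a hash taken before signing will not match the file you actually ship.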

Thanks, Adam.

The problem I’m having with that though is the Cortex XDR snags it immediately after compile.

I don’t think SignTool will have a chance to get at it before Cortex snags it.

Ah, interesting. Let’s take this offline so I can get some more info. Can you email support@ironmansoftware.com?

I want to get a hold of a binary and send it to Cortex to see what’s up.

Hello all,
Is there any update on the status of this? I did search, but it seems to have ended here. I have a similar issue and have worked around it by just using the ps1 bundling and a cmd to call it, which is fine for testing but won’t last as a solution.

This is still an issue and depends on which antivirus software you are using and properties of your executable. The best solution is to get the compiled executable whitelisted by your AV vendor.

Some things that you can do to help with flagging:

Thanks Adam. Signing with our pfx seems to have alleviated the problem internally. But running against www.virustotal.com shows 16 AVs that will detect it as a virus. Removing the obfuscation dropped the number to 13.