PowerShell Execution Threat is False Positive

Sajid Kiani
2 min read · Oct 7, 2020

PowerShell is a very well-known and important component of Windows. Recently I performed a threat scan with the Symantec Diagnostic Tool and it detected a High-Risk alert on my Windows 10 machine regarding the PowerShell execution policy.

The alert was triggered by what it called a malicious PowerShell key in my system, and it said I should remove this.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\"ExecutionPolicy"

The path of this regkey looks legitimate, so before acting blindly on the AV result, let's ask Google about this issue.

What is the PowerShell execution policy, and why do we use it?

PowerShell’s execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts.

How can we configure this? (As per the official answer from Microsoft)

Note: Serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. To back up and restore a registry key, refer to the Microsoft article How to back up and restore the registry in Windows.

Press the Windows and R keys together on your keyboard.

Type regedit and hit Enter.

Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell

In the right pane, right-click on the empty area and select New > DWORD (32-bit Value).

Type: ExecutionPolicy

Set the string value ExecutionPolicy to one of the following values: Restricted, AllSigned, RemoteSigned, Unrestricted, Undefined.
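Before editing anything, it is worth confirming what the flagged value actually holds. The following Windows PowerShell snippet is an added example, not code from the original post: it reads the value at the path the scanner reported, checks its type and contents against the policy names Microsoft documents (the list below also includes Bypass, which Microsoft documents alongside the names above), and cross-checks it against what PowerShell itself reports. It assumes Windows PowerShell 5.1 on a Windows host; the 1\ShellIds path belongs to Windows PowerShell, and PowerShell 7 stores its policy elsewhere.

```powershell
# Added example (not from the original post). Inspect the registry value the
# scanner flagged and compare it with PowerShell's own view before touching it.
# Assumes Windows PowerShell 5.1; run from an elevated or normal prompt (reading
# HKLM needs no elevation).

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
$valueName = 'ExecutionPolicy'
# Policy names Microsoft documents for this setting.
$knownPolicies = 'Restricted', 'AllSigned', 'RemoteSigned', 'Unrestricted', 'Bypass', 'Undefined'

$key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
if (-not $key) {
    Write-Output "Key $keyPath does not exist; no LocalMachine-scope policy is stored here."
    return
}

if ($key.GetValueNames() -notcontains $valueName) {
    Write-Output "Key exists but has no '$valueName' value."
} else {
    $kind = $key.GetValueKind($valueName)   # PowerShell writes this as a REG_SZ string
    $data = $key.GetValue($valueName)
    Write-Output ("{0}\{1} : kind={2} data={3}" -f $keyPath, $valueName, $kind, $data)

    if ($kind -ne 'String') {
        Write-Warning "Unexpected value type '$kind'; PowerShell expects a REG_SZ string here."
    }
    if ($knownPolicies -notcontains $data) {
        Write-Warning "'$data' is not a documented execution policy name; investigate further."
    }
}

# Cross-check: the LocalMachine scope shown here is the one backed by the value
# above. Set-ExecutionPolicy -Scope LocalMachine is what normally creates it,
# so its presence alone is not evidence of tampering.
Get-ExecutionPolicy -List | Format-Table -AutoSize
```

If the value type is a string and the data is one of the documented policy names, the key is the ordinary execution policy setting and not something a scanner should ask you to delete.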

Conclusion:

As per publicly available information regarding this PowerShell key, I didn't find any malicious or suspicious behavior. Microsoft doesn't recommend removing it. This regkey is very important for the PowerShell execution policy.

Final Words:

The tool helps us detect issues in our system, but never trust its results blindly.


Sajid Kiani

I am a security researcher. I am not a pro writer. You can catch me on Twitter @_sajidkiani or LinkedIn "sajidkiani".