Keep getting message "powershell.exe" has been blocked. How do I remove it?

  • Problem
  • Updated 1 month ago
  • Solved
At boot up and once an hour after, I get a pop-up saying that TrendMicro has blocked powershell.exe from accessing a folder.  I googled powershell.exe and found that it is a legit MS program, but also often used by hackers, sometimes for ransomware.  The advice to remove it is "scan with your security software".  I have done so, several times, but the scan shows no issues.  The pop-up and warning keep on coming up.  Rebooting does not help.  One online tip said to look in the C: drive.  I did that, and found 4 powershell.exe files that were recently created so I deleted them.  They come back, however, and the hourly pop-ups continue.  Obviously I have a malware program that is trying to access my files and TrendMicro is blocking it.  Thank you, TM!  Now, how do I remove the program entirely?  Here is a screenshot:


atlas3326


Posted 2 months ago


TM_Pia, Employee

Hi, atlas3326!

I'm sorry to hear about this experience.

May I please know if you have configured Folder Shield on your Security Program? If so, what folders are included in this feature?

Also, you can try adding C:\Windows\System32\WindowsPowerShell to your Exception List.

Let me know how it goes.

~Pia

atlas3326

Yes, the Folder shield is configured for my C: folder.

Just to be clear, I want to clear the powershell.exe program that is causing the pop-ups, not just clear the pop-ups.  I assume that powershell.exe is malware and TM is blocking it, so the pop-ups warning there is a problem are a good thing.  TM not finding the malware during a full scan is NOT a good thing.

TM_Pia, Employee

Hi, atlas3326!

PowerShell.exe is a legitimate product component of Windows that is not advisable to be deleted. 

To further troubleshoot this issue, please expect an email within 10-15 minutes. We'll continue conversing through it.

~Pia

Bill Gibbons

I have the same issue too. Here is my concern:
Security 101: The Rise of Fileless Threats that Abuse PowerShell ...
https://www.trendmicro.com/.../security-101-the-rise-of-fileless-threats-that-abuse-po...
Fileless malware that abuse Windows' PowerShell are now increasingly becoming ... Fileless infections are also a staple feature in exploit kits such as Angler.

Please advise...



atlas3326

Bill, thanks for that link, it explained a lot.  The concerns it talks about are what I was worried about!  TM support helped to solve my issue.  They said it was not malware, but my folder shield was set up to protect all files in a folder.  She set it up so it only protects the documents, not the system files.  I have not had a problem since.  I also installed a secondary virus detector.  It did not show powershell as a problem, but it did detect several dormant viruses that TM had not detected.

TM_Ann, Official Rep

Hi atlas3326

Possible that it was not detected by the Trend Micro program because it was on your exception list. Please check this link on how to configure the exception list. 
May I know the second antivirus program that you have used and its detection? For us to check it with our senior engineers.


Thank you
- Ann

This conversation is no longer open for comments or replies.
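
A way to inspect the powershell.exe copies mentioned in the thread instead of deleting them, as an added example that is not from any of the posters or from Trend Micro: it lists every copy on the system drive with its location, Authenticode status, signer and hash. It assumes Windows 10 or later with Windows PowerShell 5.1, where Get-AuthenticodeSignature also resolves catalog signatures; the function name Get-PowerShellCopyReport and the location labels are made up for the example.

```powershell
# Added example: inventory every powershell.exe on the system drive and
# report where it lives and who signed it.

# Directories where the Windows-shipped powershell.exe normally lives.
$expectedDirs = @(
    "$env:windir\System32\WindowsPowerShell\v1.0",
    "$env:windir\SysWOW64\WindowsPowerShell\v1.0"
)
# Windows keeps servicing copies of system files in the component store.
$componentStore = "$env:windir\WinSxS"

function Get-PowerShellCopyReport {
    param([string]$Root = "$env:SystemDrive\")

    Get-ChildItem -Path $Root -Filter 'powershell.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

            # Classify the copy by where it was found (labels are this example's own).
            $location = if ($expectedDirs -contains $_.DirectoryName) {
                'Expected'
            } elseif ($_.FullName.StartsWith($componentStore, [StringComparison]::OrdinalIgnoreCase)) {
                'ComponentStore'
            } else {
                'Unexpected'
            }

            [pscustomobject]@{
                Path            = $_.FullName
                Location        = $location
                SignatureStatus = $sig.Status
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Created         = $_.CreationTime
                SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$report = Get-PowerShellCopyReport

# Full inventory first, then only the entries that deserve a closer look:
# copies outside the usual locations, or copies whose signature is not valid.
$report | Sort-Object Location, Path | Format-List
$report | Where-Object { $_.Location -eq 'Unexpected' -or $_.SignatureStatus -ne 'Valid' } | Format-List
```

Run it from an elevated prompt so that directories a standard user cannot read are included in the search.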