Trend Micro Internet Security 2018 v.12 - Folder Shield is detecting Powershell.exe every hr since May 11. At: 2:55, 3:55, 4:55 5:55 etc.

  • Problem
  • Updated 4 months ago
  • In Progress
Trend Micro Internet Security 2018 v.12 - Folder Shield is detecting Powershell.exe every hour at 55 minutes past the hour. Since May 11. 2:55, 3:55, 4:55 etc. Carbonite was installed May 10, but according to them, they do Not use powershell. ~Robert - Global Computer Consultants.net

Win 7 Pro x64 SP1, on a workgroup, no domains, no servers.

Running the Trend Micro Anti Threat Online scan tool now.  

Looked at the Windows security Logs:  Shows Event 4672: Special Logon  Every hour @ 55 minutes past the hour...

rwcarmen


Posted 4 months ago


Tom Emmelot, Champion

Hi

Welcome to TM Home users Community, a public site where volunteers try to help each other. There are also TM employees who can give answers, but only during working hours. I am just a volunteer!
First tell me the maps you are protecting?
And if something is starting every hour you must look in the "Task Scheduler"
Hope to hear from you.

Kind regards,
Tom


rwcarmen

The Folder Shield is protecting C:\Users\Administrator account.  The entire account.

SOLVED:  I think.  So Carbonite Is the culprit.  Carbonite added an item using Powershell in the task scheduler to look for upgrades to their software.  
Name:  {5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4}
Author:  Carbonite
Description: This task checks for upgrades to Carbonite. Please do not delete.
Item:  Start a Program
Details: Powershell -noexit -command "&{carbProgDataPath = $env:ProgramData + '\Carbonite\Carbonite Backup\';$upgradeExe = 'CarboniteUpgrade.exe ';$UpgradeFullPath = carbProgramDataPath

Carbonite is on the line right now telling me it's not theirs. Wasn't created by them.....

I deleted the item from task scheduler.  Thanks Tom

I'll see if Trend Micro finds it again.

Thanks for your suggestion Tom!!

Robert
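Added example, not part of the original thread: a Python sketch of the check suggested above, listing scheduled tasks whose action launches PowerShell together with their author and repetition interval. It parses Task Scheduler XML such as `schtasks /query /xml ONE` produces; the sample below is constructed, with only the task name, author and description taken from the post, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHELLS = ("powershell", "pwsh")

# Constructed sample in Task Scheduler XML format. Task name, author and
# description come from the thread; the hourly trigger, the elided arguments
# and the second (benign) task are assumptions made up for illustration.
SAMPLE = """<Tasks>
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Carbonite</Author>
    <Description>This task checks for upgrades to Carbonite. Please do not delete.</Description>
    <URI>\\{5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4}</URI>
  </RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>Powershell</Command><Arguments>-noexit -command "[elided]"</Arguments></Exec></Actions>
</Task>
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Example Vendor</Author><URI>\\ExampleDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2018-05-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions>
</Task>
</Tasks>"""

def find_powershell_tasks(xml_text):
    """Return one record per Exec action that launches PowerShell."""
    hits = []
    # iter() also matches the root, so a single exported task file works too.
    for task in ET.fromstring(xml_text).iter("{%s}Task" % NS["t"]):
        for ex in task.iterfind("t:Actions/t:Exec", NS):
            command = (ex.findtext("t:Command", "", NS) or "").strip().strip('"')
            # Compare the executable's base name, ignoring path and ".exe".
            base = command.replace("/", "\\").split("\\")[-1].lower()
            if base.endswith(".exe"):
                base = base[:-4]
            if base not in SHELLS:
                continue
            hits.append({
                "name": task.findtext("t:RegistrationInfo/t:URI", "", NS),
                "author": task.findtext("t:RegistrationInfo/t:Author", "", NS),
                "arguments": ex.findtext("t:Arguments", "", NS),
                "repeat": [i.text for i in task.iterfind("t:Triggers/*/t:Repetition/t:Interval", NS)],
            })
    return hits

if __name__ == "__main__":
    for hit in find_powershell_tasks(SAMPLE):
        print(hit)
```

The Author field is free text written by whoever registered the task, so it identifies a task for review but does not prove which software created it.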


Tom Emmelot, Champion

Hi

You can also put the program in the "Exception list"
Configuring the Exception List of Trend Micro Security software
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1059964.aspx?_ga=1.140400243.1592...
Good luck!

Kind regards,
Tom


TM_Malik

Hi rwcarmen,

Is it also true that you have added the whole C: Drive to be protected by the Folder Shield feature? If so, please make sure that folders protected by the Folder Shield are only your personal ones.

Carbonite is not a malicious program.

Thank you!