Forum Discussion
365 Defender 'SuspiciousScriptDrop' malware was prevented alerts, False positive?
Hi all,
For the past two days, perhaps coincidentally since the security updates were released via SCCM,
the following alerts have been continuously generated on Windows Server 2019 servers by Microsoft 365 Defender:
'SuspiciousScriptDrop' malware was prevented
'SuspiciousScriptDrop' malware was prevented on a Microsoft SQL server
'SuspiciousScriptDrop' malware was prevented on an IIS Web server
The event seems to be generated by the execution of a PowerShell script whose name always changes in its final part:
_PSScriptPolicyTest_e5xewz2b.d1e.ps1
__PSScriptPolicyTest_hfszzy13.twt.ps1
__PSScriptPolicyTest_mvd5cukz.i50.ps1
__PSScriptPolicyTest_buadpcch.hak.ps1
The malware detected is the following (VirusTotal detection ratio 0/0):
Trojan:JS/SuspiciousScriptDrop.B!pwsh
The file path is always:
C:\Windows\Temp\
The user is always the LocalSystem user:
NT AUTHORITY\SYSTEM
Command line:
powershell.exe -NoLogo -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File Maintenance.ps1
Why are these alarms generated? Do we have to go deep into their analysis or are they false positives?