-
-
Notifications
You must be signed in to change notification settings - Fork 808
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AV software blocking dbatools import - flagging as malicious #8241
Comments
I don't believe there is much we can do about this. There are certain issues with Defender as well flagging it too that I don't think have been fully fixed yet. |
We shipped some updates so this is probably not the case anymore. So I will close this. |
I am getting this error using DBATOOLS version 1.1.103. We use Carbon Black. DBATOOLS was working up until about 3 weeks past. Now we get this error when importing the module and Carbon Black pops a message that a Deny Action was applied. PS C:\Users\xxxxxxx> Import-Module Dbatools At C:\Program Files\WindowsPowerShell\Modules\Dbatools\1.1.103\allcommands.ps1:1 char:1
This script contains malicious content and has been blocked by your antivirus software.
|
Same issue here. This is being flagged as malicious by Carbon Black today as well. 1.1.105 is being blocked with the same message as above. Reopen this issue? Or create a new one? |
Neither will have an effect - as we (the developers) can do nothing about this. If you are able to work with the vendor of Carbon Black on the details (like what specific file is maybe not signed), then we might be able to change something to prevent this. |
@andreasjordan - I agree. I did narrow down that Carbon Black doesn't like it when you create an object with GETPROCADDRESS and LOADLIBRARY in the same object. So something like this will get blocked:
I know the code is different in the project but I was able to narrow it down to this. Any characters in front of or behind them still gets blocked. Furthermore there are other areas in the code that require multiple blocks of text to run that will be blocked as well. But due to the amount of lines of code here, it turned out to be more of a challenge to isolate other parts the Carbon Black is detecting on. Those with CB will need to work with their support to get a proper tuning. |
Let me add @potatoqualitee to this thread... |
Overall those are false positives as they are not malicious. If they are indeed flagging for that value @nicpenning then it comes from this: dbatools/functions/Get-DbaWaitStatistic.ps1 Lines 493 to 500 in 6cae0dd
|
Of course. Nothing you can really do to fix that. Also, like I mentioned, this was just one instance of CB flagging the code. Even if you got rid of that part of the code, there are other "red flag" text that get tripped but I don't have the time to find them. VMWare will need to adjust the detection/prevention mechanisms. |
yeah, please report to CB. there's no way for us to contact them that I'm aware of :/ |
We have entered a support request with Carbon Black. |
Thank you! Please let us know how it goes |
Reopening as it's continuing to happen to others. |
CB came back and said that in the next iterations of the main agent software, they will integrate a fix. If not the next upcoming version, it'll be in the one afterward. |
Oh, awesome, thank you @Brett-Jay ! |
Issue seems related to PSFramework integration: PowershellFrameworkCollective/psframework#517 |
@Geo-Ron PSFramework is not implemented in dbatools. The module originated in a way from work Fred did with our messaging system but I don't believe it is can be considered the se thing anymore. |
yeah, CB is just hating on dbatools, Pester and more. They really need to fix old issue and are dragging 🍑 , repeatedly promising "next release" and apparently not following through. |
@Geo-Ron please keep us updated. they also dont accept reports from non-customers so there's literally nothing we can do about it 😡 |
Going to start using this as a tracker for AV software causing PowerShell issues, particularly with our module. Be aware that there is nothing we (as maintainers) can do about this issue. The AV software in general is generally going to flag multiple modules similar to ours as being malicious. Please 👍 the post according to your AV software, if you don't see it listed in this issue please add a post with the AV name. If anyone has links on how to report incorrect findings to these AV vendors please share those too. FireEye - #8241 (comment) |
@Brett-Jay we have had one user report upgrading CB and reboot fixed the issue. Please let us know if that solves it on your environment as well. 🤞🏻 |
#8949 - blocking by CB occurring with v2 release. |
@wsmelton What label do you suggest here? Or should we close as duplicate? |
Doesn't need a label IMO. |
Verified issue does not already exist?
Yes
What error did you receive?
ParserError: C:...\PowerShell\Modules\dbatools\1.1.80\allcommands.ps1:1
Line |
1 | ### DO NOT EDIT THIS FILE DIRECTLY ###
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| This script contains malicious content and has been blocked by your antivirus software.
Steps to Reproduce
Are you running the latest release?
Yes
Other details or mentions
There was a discussion a while back about this, but the issue seems to have reappeared
PowerShell/PowerShell#15396
I have tried multiple versions of dbatools without success. Versions that have previously worked for months, no longer work
I have submitted this as a false positive to FireEye already.
What PowerShell host was used when producing this error
PowerShell Core (pwsh.exe), Windows PowerShell (powershell.exe), Windows PowerShell ISE (powershell_ise.exe), VS Code (terminal), VS Code (integrated terminal)
PowerShell Host Version
Name Value
PSVersion 7.1.5
PSEdition Core
GitCommitId 7.1.5
OS Microsoft Windows 10.0.19042
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
SQL Server Edition and Build number
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) Sep 24 2019 13:48:23 Copyright (C) 2019 Microsoft Corporation Express Edition (64-bit) on Windows 10 Enterprise 10.0 (Build 19042: ) (Hypervisor)
.NET Framework Version
.NET 5.0.11
The text was updated successfully, but these errors were encountered: