AV software blocking dbatools import - flagging as malicious #8241

Open
jemmiegod opened this issue Mar 15, 2022 · 24 comments

Comments

@jemmiegod

Verified issue does not already exist?

Yes

What error did you receive?

ParserError: C:...\PowerShell\Modules\dbatools\1.1.80\allcommands.ps1:1
Line |
1 | ### DO NOT EDIT THIS FILE DIRECTLY ###
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| This script contains malicious content and has been blocked by your antivirus software.

Steps to Reproduce

  • Open a new PowerShell terminal
  • Install-Module -MinimumVersion 1.1.80 -Name dbatools
  • Import-Module dbatools

Are you running the latest release?

Yes

Other details or mentions

There was a discussion a while back about this, but the issue seems to have reappeared:
PowerShell/PowerShell#15396

I have tried multiple versions of dbatools without success. Versions that have previously worked for months no longer work.
I have submitted this as a false positive to FireEye already.

What PowerShell host was used when producing this error

PowerShell Core (pwsh.exe), Windows PowerShell (powershell.exe), Windows PowerShell ISE (powershell_ise.exe), VS Code (terminal), VS Code (integrated terminal)

PowerShell Host Version

Name                           Value
----                           -----
PSVersion                      7.1.5
PSEdition                      Core
GitCommitId                    7.1.5
OS                             Microsoft Windows 10.0.19042
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

SQL Server Edition and Build number

Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) Sep 24 2019 13:48:23 Copyright (C) 2019 Microsoft Corporation Express Edition (64-bit) on Windows 10 Enterprise 10.0 (Build 19042: ) (Hypervisor)

.NET Framework Version

.NET 5.0.11

@jemmiegod jemmiegod added bugs life triage required New issue that has not been reviewed by maintainers labels Mar 15, 2022
@jemmiegod jemmiegod changed the title from "dbatools is being flagged as malicious by Defender/FireEye Endpoint Security" to "dbatools is being flagged as malicious by FireEye Endpoint Security" Mar 15, 2022
@wsmelton
Member

I don't believe there is much we can do about this. There are certain issues with Defender as well flagging it too that I don't think have been fully fixed yet.

@wsmelton wsmelton removed bugs life triage required New issue that has not been reviewed by maintainers labels Mar 22, 2022
@andreasjordan
Contributor

We shipped some updates so this is probably not the case anymore. So I will close this.

@Brett-Jay

I am getting this error using DBATOOLS version 1.1.103. We use Carbon Black. DBATOOLS was working up until about 3 weeks past. Now we get this error when importing the module and Carbon Black pops a message that a Deny Action was applied.

PS C:\Users\xxxxxxx> Import-Module Dbatools

At C:\Program Files\WindowsPowerShell\Modules\Dbatools\1.1.103\allcommands.ps1:1 char:1
+ ### DO NOT EDIT THIS FILE DIRECTLY ###
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

@nicpenning

Same issue here. This is being flagged as malicious by Carbon Black today as well. 1.1.105 is being blocked with the same message as above. Reopen this issue? Or create a new one?

@andreasjordan
Contributor

Neither will have an effect - as we (the developers) can do nothing about this. If you are able to work with the vendor of Carbon Black on the details (like what specific file is maybe not signed), then we might be able to change something to prevent this.

@nicpenning

@andreasjordan - I agree.

I did narrow down that Carbon Black doesn't like it when you create an object with GETPROCADDRESS and LOADLIBRARY in the same object.

So something like this will get blocked:

$category = [pscustomobject]@{
    GETPROCADDRESS                  = 'hello'
    LOADLIBRARY                      = 'world'
}

I know the code is different in the project, but I was able to narrow it down to this. Any characters in front of or behind them still get blocked.

Furthermore, there are other areas in the code that require multiple blocks of text to run that will be blocked as well. But due to the amount of lines of code here, it turned out to be more of a challenge to isolate the other parts that Carbon Black is detecting on.

Those with CB will need to work with their support to get a proper tuning.
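The co-occurrence that the comment above narrowed the detection down to (both GETPROCADDRESS and LOADLIBRARY appearing in the same script) can be checked for across a whole module tree before a false-positive ticket is opened with the vendor. The following Python script is an added example; it is not code from this thread, from dbatools or from Carbon Black. It walks a module directory, looks for script files in which every token of a configured pair appears, and records the file, the matching line numbers and the file's SHA-256 so that the exact artifacts can be cited in the report or in an exclusion request. It generalizes the comment to any list of token pairs. The sample module tree is constructed inline, and the assumption that the agent keys on case-insensitive substrings within one file is taken from the comment, not from any vendor documentation.

```python
"""Locate script files in a module tree that contain a flagged token pair.

Added example for triaging AV false positives: the output is meant to be
pasted into a vendor ticket (file, line numbers, SHA-256), not to change
the module.
"""
import hashlib
import tempfile
from pathlib import Path

# Token pairs reported in the thread; every token of a pair must occur in
# the same file for the file to be listed. (Assumption: matching is
# case-insensitive substring matching, as the comment suggests.)
FLAGGED_TOKEN_PAIRS = [("GETPROCADDRESS", "LOADLIBRARY")]

SCRIPT_SUFFIXES = (".ps1", ".psm1", ".psd1")


def find_token_hits(text, tokens):
    """Return {token: [line numbers]} for each token found in text."""
    hits = {token: [] for token in tokens}
    for lineno, line in enumerate(text.splitlines(), start=1):
        upper = line.upper()
        for token in tokens:
            if token in upper:
                hits[token].append(lineno)
    return hits


def scan_module_dir(root, pairs=FLAGGED_TOKEN_PAIRS, suffixes=SCRIPT_SUFFIXES):
    """Return a finding per (file, pair) where all tokens of the pair occur."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for pair in pairs:
            hits = find_token_hits(text, pair)
            if all(hits[token] for token in pair):
                findings.append({
                    "file": path.relative_to(root).as_posix(),
                    "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                    "tokens": {token: hits[token] for token in pair},
                })
    return findings


def format_report(findings):
    """Render findings as plain text suitable for a false-positive ticket."""
    if not findings:
        return "No files contain a complete flagged token pair."
    lines = []
    for f in findings:
        where = ", ".join(f"{t} at line(s) {ln}" for t, ln in f["tokens"].items())
        lines.append(f"{f['file']}  sha256={f['sha256']}  {where}")
    return "\n".join(lines)


# Constructed sample module tree (hypothetical content, not dbatools' files).
SAMPLE_FILES = {
    "allcommands.ps1": (
        "### DO NOT EDIT THIS FILE DIRECTLY ###\n"
        "$waits = @{\n"
        "    PREEMPTIVE_OS_GETPROCADDRESS = 'Preemptive'\n"
        "    PREEMPTIVE_OS_LOADLIBRARY = 'Preemptive'\n"
        "}\n"
    ),
    # Only one token of the pair: should not be reported.
    "internal/only-one.ps1": "$x = 'PREEMPTIVE_OS_LOADLIBRARY'\n",
    # Not a script suffix: skipped even though both tokens appear.
    "README.md": "GETPROCADDRESS LOADLIBRARY\n",
}


def build_sample_module():
    """Write the constructed sample tree to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="module-scan-"))
    for name, content in SAMPLE_FILES.items():
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    print(format_report(scan_module_dir(build_sample_module())))
```

Run it against a real module by passing the installed module folder to scan_module_dir instead of the constructed sample tree; the report lists only files where the whole pair co-occurs, which keeps the ticket focused on the artifacts the agent actually objects to.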

@andreasjordan
Contributor

Let me add @potatoqualitee to this thread...

@wsmelton
Member

Overall those are false positives as they are not malicious. If they are indeed flagging for that value @nicpenning then it comes from this:

PREEMPTIVE_OS_GETLONGPATHNAME = 'Preemptive'
PREEMPTIVE_OS_GETPROCADDRESS = 'Preemptive'
PREEMPTIVE_OS_GETVOLUMENAMEFORVOLUMEMOUNTPOINT = 'Preemptive'
PREEMPTIVE_OS_GETVOLUMEPATHNAME = 'Preemptive'
PREEMPTIVE_OS_INITIALIZESECURITYCONTEXT = 'Preemptive'
PREEMPTIVE_OS_LIBRARYOPS = 'Preemptive'
PREEMPTIVE_OS_LOADLIBRARY = 'Preemptive'
PREEMPTIVE_OS_LOGONUSER = 'Preemptive'

@nicpenning

Of course. Nothing you can really do to fix that. Also, like I mentioned, this was just one instance of CB flagging the code. Even if you got rid of that part of the code, there is other "red flag" text that gets tripped, but I don't have the time to find it. VMware will need to adjust the detection/prevention mechanisms.

@potatoqualitee
Member

yeah, please report to CB. there's no way for us to contact them that I'm aware of :/

@Brett-Jay

We have entered a support request with Carbon Black.

@potatoqualitee
Member

Thank you! Please let us know how it goes

@potatoqualitee potatoqualitee reopened this Aug 3, 2022
@potatoqualitee
Member

Reopening as it's continuing to happen to others.

@Brett-Jay

CB came back and said that in the next iterations of the main agent software, they will integrate a fix. If not the next upcoming version, it'll be in the one afterward.

@potatoqualitee
Member

Oh, awesome, thank you @Brett-Jay !

@Geo-Ron
Contributor

Geo-Ron commented Dec 19, 2022

Issue seems related to PSFramework integration: PowershellFrameworkCollective/psframework#517
We are currently working on resolving this with CB support.

@wsmelton
Member

@Geo-Ron PSFramework is not implemented in dbatools. The module originated in a way from work Fred did with our messaging system, but I don't believe it can be considered the same thing anymore.

@potatoqualitee
Member

yeah, CB is just hating on dbatools, Pester and more. They really need to fix old issues and are dragging 🍑, repeatedly promising "next release" and apparently not following through.

@potatoqualitee
Member

@Geo-Ron please keep us updated. They also don't accept reports from non-customers, so there's literally nothing we can do about it 😡

@wsmelton wsmelton changed the title from "dbatools is being flagged as malicious by FireEye Endpoint Security" to "AV software blocking dbatools import - flagging as malicious" Feb 21, 2023
@wsmelton wsmelton pinned this issue Feb 21, 2023
@wsmelton
Member

Going to start using this as a tracker for AV software causing PowerShell issues, particularly with our module. Be aware that there is nothing we (as maintainers) can do about this issue. AV software in general is going to flag multiple modules similar to ours as being malicious.

Please 👍 the post according to your AV software; if you don't see it listed in this issue, please add a post with the AV name. If anyone has links on how to report incorrect findings to these AV vendors, please share those too.

FireEye - #8241 (comment)
Carbon Black - #8241 (comment)

@wsmelton
Member

@Brett-Jay we have had one user report that upgrading CB and rebooting fixed the issue. Please let us know if that solves it in your environment as well. 🤞🏻

@wsmelton
Member

wsmelton commented Jun 4, 2023

#8949 - blocking by CB occurring with v2 release.

@andreasjordan
Contributor

@wsmelton What label do you suggest here? Or should we close as duplicate?

@wsmelton
Member

Doesn't need a label IMO.

7 participants