dbatools 2.0.3 blocked by Carbon Black #8949
Comments
Have you tried using the powershell.exe host instead of ISE?
Sorry, was AFK, here is an output (that I think describes it better)
@wsmelton What label do you suggest?
It doesn't need a label. Closing as duplicate of #8241
#8241 is related to dbatools 1.x, right? dbatools 2.x has a compressed .dat file, which is what is getting flagged as fileless execution? Why is this being closed as the original one?
The issue with AV is across multiple versions; we are using #8241 to track it, as it is pinned to our issues page.
Thank you for the post. I should update my blog to say "other than Carbon Black". They have been so unresponsive in helping us and other PowerShell projects, which are constantly flagged as malicious. While it could be the new technique, I imagine it's just...Carbon Black. You can also try cloning this repo and importing the psd1 from that. It's very different from the published one 🤞🏼
Verified issue does not already exist?
I have searched and found no existing issue
What error did you receive?
Using any commands in powershell_ise.exe loads dbatools.dat, which CB is blocking.
BLOCK MESSAGE:
The application powershell_ise.exe attempted to execute fileless content that contains suspicious obfuscation techniques. This content contains highly suspicious obfuscated PowerShell code. A Deny policy action was applied.
https://attack.mitre.org/techniques/T1027/
Steps to Reproduce
Using any commands in powershell_ise.exe loads dbatools.dat, which CB is blocking.
Please confirm that you are running the most recent version of dbatools
Yes 2.0.3
Other details or mentions
Latest Release of Carbon Black Sensors and dbatools.
Earlier, dbatools 1.x was being allowed (after approving the dbatools certs in CB); however, with fileless execution, CB is flagging it.
This potentially has to do with the way the ".dat" files are being loaded.
Quoting from: https://blog.netnerds.net/2023/03/whats-new-dbatools-2.0/
If you end up having any issues with your anti-virus, please file an issue immediately so that we can take a look. I may have to revert this change (AV's sometimes hate compression), but so far, it's worked well for me.
What PowerShell host was used when producing this error
Windows PowerShell ISE (powershell_ise.exe)
PowerShell Host Version
```
Name                           Value
----                           -----
PSVersion                      5.1.22621.963
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.963
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```
SQL Server Edition and Build number
N/A, not on test machine.
.NET Framework Version
```
PSChildName Version
----------- -------
Client      4.8.09032
Full        4.8.09032
Client      4.0.0.0
```
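The report above gives the Carbon Black block text but not the evidence an EDR exception request usually needs: which dbatools version is installed, whether its manifest and root module still carry the signature that was approved for 1.x, and the hash of the dbatools.dat payload that 2.x loads. The following triage script is an added example, not code from dbatools or from anyone in this thread. It assumes dbatools was installed into a standard module path, that the 2.x layout places a file named dbatools.dat in the module base directory, and that a Carbon Black deny surfaces as an import error in a fresh powershell.exe host (the host the first reply suggests trying instead of ISE).

```powershell
# Added triage script; not part of dbatools or of this issue.
# Assumptions: dbatools is under a standard module path, 2.x ships
# dbatools.dat in the module base directory, and a CB deny surfaces
# as a terminating error when the module is imported.

$modules = Get-Module -ListAvailable -Name dbatools
if (-not $modules) { throw 'dbatools is not installed on this machine.' }

foreach ($m in $modules) {
    "==> dbatools $($m.Version) at $($m.ModuleBase)"

    # Signature state of the manifest and root module. The 1.x workaround
    # in the issue was approving the dbatools signing certificate in CB,
    # so confirm the files are still signed and by whom.
    Get-ChildItem -Path (Join-Path $m.ModuleBase '*') -Include *.psd1, *.psm1 |
        Get-AuthenticodeSignature |
        Select-Object @{n = 'File';   e = { Split-Path $_.Path -Leaf } },
                      Status,
                      @{n = 'Signer'; e = { $_.SignerCertificate.Subject } } |
        Format-Table -AutoSize

    # The compressed payload that 2.x loads at import. Record its size,
    # SHA-256 and signature status: a hash is what a file-based exception
    # keys on when a certificate-based approval does not cover the file.
    $dat = Join-Path $m.ModuleBase 'dbatools.dat'
    if (Test-Path $dat) {
        $hash = Get-FileHash -Path $dat -Algorithm SHA256
        $sig  = Get-AuthenticodeSignature -FilePath $dat
        'dbatools.dat  size={0}  sha256={1}  signature={2}' -f `
            (Get-Item $dat).Length, $hash.Hash, $sig.Status
    }
    else {
        "dbatools.dat not found under $($m.ModuleBase) (1.x layout?)"
    }
}

# Reproduce the import outside ISE in a clean console host. If CB denies
# the load, Import-Module throws and the child process exits non-zero.
$probe = 'Import-Module dbatools -ErrorAction Stop; (Get-Module dbatools).Version'
& powershell.exe -NoProfile -NonInteractive -Command $probe
"powershell.exe exit code: $LASTEXITCODE"
```

Run it from an elevated or normal session on the affected machine and attach the output to the AV ticket; the per-version loop matters because a machine that was upgraded from 1.x can still have the old version side by side, and the hash line is what distinguishes the published dbatools.dat from one built from a cloned repository, as the last comment suggests trying.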