Feature Request - Additional details related to Trojan:PowerShell/Mountsi.A!ml
Summary of the new feature/enhancement
As a trusted community module maintainer, I would like a wealth of information shouted from the rooftops about how to prevent PowerShell scripts from being reported as a trojan by Windows Defender. Recently, a file that has not changed in 2 years was reported as a Trojan to two of our users.
While our file is not a trojan, false positives from Windows Defender impact the trustworthiness of our module. We’ve worked hard over the years to engender trust in both dbatools and PowerShell. Currently, I hold up our CI/CD process to review each commit to ensure it is not malicious before I publish it to the PowerShell Gallery.
Is there a solution for whitelisting trusted community modules and adding a feature to PSScriptAnalyzer that highlights problematic techniques?
So far, one user has confirmed that the signed version from the PowerShell Gallery is not triggering AV. The problem with this is that:
- Not all PowerShell Developers can afford Code Signing Certificates
- Not everyone uses the PowerShell Gallery and we’d like to continue offering installs via GitHub. Our code cannot be signed and saved to the repository.
It seems that this may be a result of some enhancements to AMSI and machine learning.
Antimalware Scan Interface (AMSI) helps security software to detect such malicious scripts by exposing script content and behavior. AMSI integrates with scripting engines on Windows 10 as well as Office 365 VBA to provide insights into the execution of PowerShell, WMI, VBScript, JavaScript, and Office VBA macros.
(I hope IronPython is impacted as well 😅)
Here’s information about the Defender definition that alerted the user
I assume that [Reflection.Assembly]::LoadFrom($assemblyPath), which we use to make imports as fast as possible, is the problematic technique, but I can’t find any confirmation. Other blogs talk about using that for loading from memory, but we are loading from disk. Once we get this issue solved, however, I’d like to know what to modify in other files. Perhaps the Gallery can detect these techniques and email module owners.
Other PowerShell users are experiencing this as well, as noted in the following links:
- https://twitter.com/JustinWGrote/status/1392518022900850688
- https://twitter.com/psCookieMonster/status/1392796401545981953
- https://twitter.com/DrAzureAD/status/1361298815815417856
- https://twitter.com/PrzemyslawKlys/status/1392933835978027019
- https://github.com/PowerShell/vscode-powershell/issues/3017
- https://www.reddit.com/r/PowerShell/comments/jj4wzw/removing_trojanpowershellmountsiaml_trigger_from/
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defender-detected-powershell-ise-exe-as-trojan-powershell/m-p/2180534
In addition, this article suggests that the file being unsigned is the problem, and a commenter said that “Cleared it up by submitting it to Microsoft’s service at https://www.microsoft.com/en-us/wdsi/filesubmission.” Do we make it part of our GitHub pipeline to submit changed files to that site?
Edit: I know that the PowerShell team is not the Defender team, but considering unsigned PowerShell files in a git repository (it’s impossible to sign and commit, I’ve tried, it changes the SHA) trigger AV warnings, this may be a very big problem for PowerShell development and scripting in general. Taking a look at Warren’s code, which has been flagged by Defender, nothing stands out.
```powershell
# Pester wasn't mocking git...
# Borrowed idea from https://github.com/pester/Pester/issues/415
function Invoke-ExternalCommand {
    [CmdletBinding()]
    param(
        $Command,              # executable to run, e.g. 'git'
        [string[]]$Arguments,  # arguments, passed positionally by splatting
        [switch]$Passthru      # emit the command's output to the caller
    )
    Write-Verbose "Running $Command with arguments $($Arguments -join "; ")"
    $result = $null
    # The call operator (&) runs the external command; @Arguments splats the array
    $result = & $Command @Arguments
    Write-Verbose "$($result | Out-String)"
    if ($Passthru) {
        $result
    }
}
```
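The thread asks whether a maintainer can catch a Defender detection before publishing, and whether the signed Gallery copy behaves differently from the unsigned GitHub copy. The following is an added example written for this page (not dbatools code and not from anyone in the thread): a pre-publish check that records each module file's Authenticode status, scans it with Defender's command-line scanner without quarantining it, and looks up the threat name Defender recorded. It assumes a Windows host with Defender's MpCmdRun.exe at its default path and the Defender PowerShell module available; the exit codes (0 = nothing found, 2 = threat found) and the `file:_<path>` form of the Resources entries come from Defender's documentation and are assumptions to verify on your build agent.

```powershell
# Added example: pre-publish Defender check for a module folder (not dbatools code).
# Assumptions: MpCmdRun.exe at its default path; exit code 0 = clean, 2 = threat found;
# Get-MpThreatDetection/Get-MpThreat from the Defender module are available.
function Test-ModuleForDefenderDetections {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        # Defender's command-line scanner; adjust if your installation differs
        [string]$MpCmdRun = "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"
    )

    if (-not (Test-Path -Path $MpCmdRun)) {
        throw "MpCmdRun.exe not found at $MpCmdRun"
    }

    # Script files and native DLLs are what AMSI and the file scanner inspect
    $files = Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.dll

    foreach ($file in $files) {
        # Signature state: Valid, NotSigned, HashMismatch, UnknownError, ...
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        # ScanType 3 = custom scan of one file. -DisableRemediation reports only,
        # so a false positive does not quarantine the file mid-build.
        $null = & $MpCmdRun -Scan -ScanType 3 -File $file.FullName -DisableRemediation
        $scanCode = $LASTEXITCODE
        $scanResult = switch ($scanCode) {
            0       { 'Clean' }
            2       { 'ThreatFound' }
            default { "Error($scanCode)" }
        }

        # Resolve the threat name Defender recorded for this path, if any
        # (assumes Resources entries look like "file:_C:\path\to\file.ps1")
        $threatName = $null
        $detection = Get-MpThreatDetection -ErrorAction SilentlyContinue |
            Where-Object { $_.Resources -like "*$($file.FullName)" } |
            Select-Object -First 1
        if ($detection) {
            $threatName = (Get-MpThreat -ErrorAction SilentlyContinue |
                Where-Object ThreatID -eq $detection.ThreatID |
                Select-Object -First 1).ThreatName
        }

        [pscustomobject]@{
            File       = $file.FullName
            Signature  = $sig.Status
            Signer     = $signer
            ScanResult = $scanResult
            ThreatName = $threatName
        }
    }
}

# Usage in a CI step that fails the build on any detection:
# $report = Test-ModuleForDefenderDetections -Path .\dbatools
# $report | Format-Table -AutoSize
# if ($report | Where-Object ScanResult -eq 'ThreatFound') { exit 1 }
```

Running this against both the unsigned checkout and the signed Gallery copy on the same agent (with the same definition version, which `Get-MpComputerStatus` reports) is the quickest way to confirm the thread's observation that only the unsigned copy trips the detection, and the ThreatName column gives you the exact definition name to reference when submitting the file to Microsoft's false-positive service.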
You’re not. Our TeamCity builds started failing across the board two days ago after a Windows 10 security update. To get builds running again we had to disable real-time protection, which was deemed acceptable in the short term while IT works on bringing in a new AV system that is not Windows Defender.
I don’t think this is specific to your script.
Defender has quarantined my profile.ps1! This is insane.