AV detection triggered by encoded string used to execute "Start-EditorServices.ps1"
System Details
### VSCode version: 1.32.3 a3db5be9b5c6ba46bb7555ec5d60178ecc2eaae4 x64
### VSCode extensions:
CoenraadS.bracket-pair-colorizer-2@0.0.28
ms-vscode.powershell@1.12.0
zhuangtongfa.Material-theme@2.21.0
### PSES version: 1.12.0.0
### PowerShell version:
```
Name                           Value
----                           -----
PSVersion                      5.1.14409.1018
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1018
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```
Issue Description
Upon loading a new instance of VSCode with the Powershell Extension enabled, our AV system alerts on the fact that an encoded string is used to execute the “Start-EditorServices.ps1” file with appropriate parameters. AV reasoning behind the alert is that some malware uses encoded strings as a technique to bypass AV tools.
I’ll be following up with AV since this is a new behavior and seems overly aggressive without any sort of additional behavioral context; however, adding an option to change this behavior (switch to -file -param1 -param2) on the Extension side might be worth consideration. Specifically in the event that AV vendors give poor responses to the issue, or more likely, that end-users of the extension will not have an appropriate avenue to even open an issue with vendors that decide to implement this kind of detection/alerting.
Expected Behaviour
- AV does not trigger upon execution of the extension.
Actual Behaviour
- AV triggers due to use of an encoded command
Attached Logs
- Command that is encoded:

```
'C:\Users\<username>\.vscode\extensions\ms-vscode.powershell-1.12.0\modules\PowerShellEditorServices\Start-EditorServices.ps1' -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '1.12.0' -AdditionalModules @('PowerShellEditorServices.VSCode') -BundledModulesPath 'C:\Users\<username>\.vscode\extensions\ms-vscode.powershell-1.12.0\modules' -EnableConsoleRepl -LogLevel 'Normal' -LogPath 'C:\Users\<username>\.vscode\extensions\ms-vscode.powershell-1.12.0\logs\1554130784-8003246f-5049-4122-b631-51135dcbb6471554130776654\EditorServices.log' -SessionDetailsPath 'C:\Users\<username>\.vscode\extensions\ms-vscode.powershell-1.12.0\sessions\PSES-VSCode-11540-901291' -FeatureFlags @()
```
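The reporter's complaint is that the AV alert fires on the mere presence of an encoded command and offers no behavioral context. The example below, added here and not code from the issue or from the PowerShell extension, shows what a triage step in a detection pipeline can do with such an alert: locate the `-EncodedCommand` argument (or one of the aliases powershell.exe accepts), decode the UTF-16LE/base64 payload, extract the `.ps1` paths it references, and compare them against an allowlist of launches that are expected on the host. The allowlist regex, the user name `alice`, the `updater.ps1` sample and the three command lines are constructed for the example; only the parameter names and the extension path shape come from the issue. The third sample has the `-File` shape the reporter asks for, which needs no decoding at all.

```python
import base64
import binascii
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Assumption: a site-specific allowlist of scripts that are expected to be launched
# via -EncodedCommand. The path shape follows the issue; the regex itself is constructed.
KNOWN_SCRIPT_PATTERNS = [
    re.compile(
        r"\\\.vscode\\extensions\\ms-vscode\.powershell-[\d.]+\\modules"
        r"\\PowerShellEditorServices\\Start-EditorServices\.ps1$",
        re.IGNORECASE,
    ),
]

# Quoted or bare tokens ending in .ps1 inside the decoded command text.
SCRIPT_REF_RE = re.compile(r"'([^']+\.ps1)'|\"([^\"]+\.ps1)\"|(\S+\.ps1)")


def encode_command(text: str) -> str:
    """Encode text the way -EncodedCommand expects: UTF-16LE bytes, then base64."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_command(token: str) -> Optional[str]:
    """Reverse of encode_command; returns None when the token is not a valid payload."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:  # UTF-16 needs an even byte count
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts -EncodedCommand, -ec, and unambiguous prefixes such as -e or -enc."""
    if not token.startswith(("-", "/")):
        return False
    name = token[1:].lower()
    return name == "ec" or (len(name) >= 1 and "encodedcommand".startswith(name))


@dataclass
class Triage:
    encoded: bool                                # was -EncodedCommand (or an alias) present?
    decoded: Optional[str] = None                # the recovered command text, if any
    scripts: list = field(default_factory=list)  # .ps1 paths referenced by it
    known_tool: bool = False                     # every referenced script matched the allowlist


def triage_command_line(cmdline: str) -> Triage:
    """Decode an encoded PowerShell launch and say whether it only runs an allowlisted script."""
    tokens = shlex.split(cmdline, posix=False)  # Windows-style: keep backslashes literal
    for i in range(len(tokens) - 1):
        if not is_encoded_flag(tokens[i]):
            continue
        decoded = decode_command(tokens[i + 1].strip('"'))
        if decoded is None:
            return Triage(encoded=True)  # flagged but undecodable: still needs a human look
        scripts = [a or b or c for a, b, c in SCRIPT_REF_RE.findall(decoded)]
        known = bool(scripts) and all(
            any(p.search(s) for p in KNOWN_SCRIPT_PATTERNS) for s in scripts
        )
        return Triage(encoded=True, decoded=decoded, scripts=scripts, known_tool=known)
    return Triage(encoded=False)


# Constructed samples: the user name and paths are made up; parameter names follow the issue.
PS_EXE = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
INNER_VSCODE = (
    r"& 'C:\Users\alice\.vscode\extensions\ms-vscode.powershell-1.12.0\modules"
    r"\PowerShellEditorServices\Start-EditorServices.ps1' -HostName 'Visual Studio Code Host' "
    r"-HostProfileId 'Microsoft.VSCode' -EnableConsoleRepl -LogLevel 'Normal'"
)
INNER_UNKNOWN = r"& C:\Users\Public\updater.ps1 -Silent"
# 1) The 1.12.0 launch shape: the whole invocation wrapped in -EncodedCommand.
SAMPLE_VSCODE_LAUNCH = f"{PS_EXE} -NoProfile -NonInteractive -EncodedCommand {encode_command(INNER_VSCODE)}"
# 2) Same technique via the short alias, but a script outside the allowlist.
SAMPLE_UNKNOWN_LAUNCH = f"{PS_EXE} -NoProfile -enc {encode_command(INNER_UNKNOWN)}"
# 3) The shape the reporter asks for: -File plus plain parameters, nothing to decode.
SAMPLE_FILE_LAUNCH = (
    f"{PS_EXE} -NoProfile -NonInteractive -File "
    r"'C:\Users\alice\.vscode\extensions\ms-vscode.powershell-1.12.1\modules"
    r"\PowerShellEditorServices\Start-EditorServices.ps1' -HostName 'Visual Studio Code Host'"
)

if __name__ == "__main__":
    for label, line in [("vscode 1.12.0", SAMPLE_VSCODE_LAUNCH),
                        ("unknown script", SAMPLE_UNKNOWN_LAUNCH),
                        ("-File launch", SAMPLE_FILE_LAUNCH)]:
        t = triage_command_line(line)
        print(f"{label}: encoded={t.encoded} known_tool={t.known_tool} scripts={t.scripts}")
```

The allowlist is deliberately keyed on the decoded script path rather than on the encoded blob, so an extension update that changes a parameter value does not break the rule, while a different script behind the same alias still surfaces for review. This is the "additional behavioral context" the vendor's "just filter out the event type" answer does not give you.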
Issue Analytics
- Created 4 years ago
- Comments: 6 (1 by maintainers)
Top GitHub Comments
@TylerLeonhardt Looks good for me, both 1.12.1 and 2.0.0-preview.3 look to be launching using an unencoded string and AV is not triggering upon execution. Thanks for the adjustment!
AV vendor’s response was “Oh, just filter out the event type”, which is what I expected.
Hi all, can you try one of these builds:
PowerShell and PowerShell Preview release candidates.zip
This should have the AV fix. Note, if you’ve never used the Preview extension, look at these steps.
If you’ve never installed a VSIX before, here are the steps.