
This script contains malicious content and has been blocked by your antivirus software. #1742

Closed
Tenkorex opened this issue Mar 28, 2024 · 29 comments

Comments

@Tenkorex

Describe the bug

Attempting to run winutil in PowerShell as admin errors with a virus warning.

To Reproduce
PS C:\WINDOWS\system32> iwr -useb https://christitus.com/win | iex
iex : At line:1 char:1
+
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:40
+ iwr -useb https://christitus.com/win | iex
+                                        ~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand

Expected behaviour
A clear and concise description of what you expected to happen.

Screenshot

Edition Windows 11 Pro
Version 23H2
Installed on ‎27/‎01/‎2024
OS build 22631.3296
Experience Windows Feature Experience Pack 1000.22687.1000.0

Additional context

Only Windows antivirus and firewall installed.

@PRTaz3

PRTaz3 commented Mar 28, 2024

Same here. I tried it both on my home PC and my work PC. It was working yesterday and seems to be an issue this morning.

@ModernTTY
Contributor

ModernTTY commented Mar 28, 2024

As seen in README.md, a LOT of antivirus products (including Windows Defender) have been known to block this script, because it heavily modifies the system. Because of the way that the script works (it is written in PowerShell) there isn't much we can do.

@Butterfly-Dragon

Butterfly-Dragon commented Mar 28, 2024

same here.

[image]

this is on a new system. I was about to install everything i needed to run it properly. First thing it does... it tells me this is severely suspicious. As it does with pretty much everything i want to install since it is "not normally used/downloaded"

@PRTaz3

PRTaz3 commented Mar 28, 2024

Had to allow it through Defender. Kinda sucks as I've used it for a while now and it just started blocking it this morning.

Thank you @ModernTTY for pointing out that it will just get blocked.

@ModernTTY
Contributor

BTW Chris himself had this issue. Can be seen in stream archive https://m.youtube.com/watch?v=xzUcDbIh-0w. But yes there isn’t much we can do about that.

@Butterfly-Dragon

Butterfly-Dragon commented Mar 28, 2024

i am feeling super dumb right now because i rarely if ever use windows security for anything. So. How do i add the execution of this script to the exclusions? i cannot spend 1 hour and an half watching a stream to spot the 2 seconds where he solves it.

@Butterfly-Dragon

so far i tried adding https://raw.githubusercontent.com/ChrisTitusTech/winutil/main/winutil.ps1 and even *.ps1 as an exclusion. To no effect. So. What am i supposed to exclude?

@ModernTTY
Contributor

@Butterfly-Dragon you can see it from 1:28 to 2:14. Now i think unfortunately you will have to clone repo, then exclude the folder, then run winutil.ps1. Don’t think you can exclude otherwise.

@ModernTTY
Contributor

so far i tried adding https://raw.githubusercontent.com/ChrisTitusTech/winutil/main/winutil.ps1 and even *.ps1 as an exclusion. To no effect. So. What am i supposed to exclude?

Yeah I don't think you can exclude without cloning the repo.

@Butterfly-Dragon

Butterfly-Dragon commented Mar 28, 2024

*sigh* count on microsoft for deciding it needs to get in the way of a quick system reinstall

@PRTaz3

PRTaz3 commented Mar 28, 2024

In Windows Defender - go to Virus & Threat Protection - Protection History
You should see a Threat Blocked if you ran the powershell script - if you click to open it you should have a button that says Action which should have an option to allow. If not there run the script again and go check the new instance should have it.
This should let you run the script.

@Butterfly-Dragon

i tried cloning and running locally after excluding directory. It was still blocked.

So i just deleted the clone. Disabled realtime protection and ran it. F--- microsoft for messing stuff up until you have to go around naked with your jewels on display to do anything or wait 50 days.

@Butterfly-Dragon

Butterfly-Dragon commented Mar 28, 2024

In Windows Defender - go to Virus & Threat Protection - Protection History You should see a Threat Blocked if you ran the powershell script - if you click to open it you should have a button that says Action which should have an option to allow. If not there run the script again and go check the new instance should have it. This should let you run the script.

that would have been sensible indeed. But this is a "severe threat" so i was not given the option. It still blocked after excluding the file and the directory and the file's extension.

so i just removed all exceptions removed the clone. disabled realtime protection and ran the script online as it should have been from the beginning. I hate to do this stuff but it seems like unless you go around naked this script was "too dangerous" to run even with the exceptions.

@Zixim

Zixim commented Mar 28, 2024

In Windows Defender - go to Virus & Threat Protection - Protection History You should see a Threat Blocked if you ran the powershell script - if you click to open it you should have a button that says Action which should have an option to allow. If not there run the script again and go check the new instance should have it. This should let you run the script.

this worked for me, Thanks !

@JuRo1971

In Windows Defender - go to Virus & Threat Protection - Protection History You should see a Threat Blocked if you ran the powershell script - if you click to open it you should have a button that says Action which should have an option to allow. If not there run the script again and go check the new instance should have it. This should let you run the script.

this worked for me, Thanks !

The question is, what is excluded from Defender. Powershell, the trojan in general, only the script?! I have the same issue on all of my computers after last Windows updates. @ChrisTitusTech Maybe you can leave a proper instruction. I use the script directly via a shortcut on the desktop. Thanks!

@Zixim

Zixim commented Mar 28, 2024

well, obviously allowing the threat, or even disabling real-time protection while running the script isn't ideal.
But at least it's a way to be able to run it. Just remember to reactivate your protection once you're done with the script.

@JuRo1971

well, obviously allowing the threat, or even disabling real-time protection while running the script isn't ideal. But at least it's a way to be able to run it. Just remember to reactivate your protection once you're done with the script.

can't this be included in the (a) script?

disable defender, start script and run tweaks, close script, enable defender ...

@Butterfly-Dragon

yes i still have the antivirus running in the background as soon as i will be done installing everything i will kill the script and return the antivirus to its original position. I will start configuring everything and browsing the interwebzors later, not the time now.

@Butterfly-Dragon

time to reboot. Thanks for the help

@ModernTTY
Contributor

well, obviously allowing the threat, or even disabling real-time protection while running the script isn't ideal. But at least it's a way to be able to run it. Just remember to reactivate your protection once you're done with the script.

can't this be included in the (a) script?

disable defender, start script and run tweaks, close script, enable defender ...

I don’t think so, defender will block that.

@JuRo1971

well, obviously allowing the threat, or even disabling real-time protection while running the script isn't ideal. But at least it's a way to be able to run it. Just remember to reactivate your protection once you're done with the script.

can't this be included in the (a) script?
disable defender, start script and run tweaks, close script, enable defender ...

I don’t think so, defender will block that.

so what is the recommended procedure with the most comfort?

@ModernTTY
Contributor

well, obviously allowing the threat, or even disabling real-time protection while running the script isn't ideal. But at least it's a way to be able to run it. Just remember to reactivate your protection once you're done with the script.

can't this be included in the (a) script?
disable defender, start script and run tweaks, close script, enable defender ...

I don’t think so, defender will block that.

so what is the recommended procedure with the most comfort?

Unfortunately for now it's going to be manually disabling real-time protection, running the script, then enabling real-time protection.

@ChrisTitusTech
Owner

This should be fixed now. I can confirm the latest Windows Defender updates flagged winutil.ps1 as a virus.

However, no major code was changed and I merged some basic fixes in from the test branch and now it launches fine.

The best I can come up with is they flagged the hash of the old ps1 script. I do worry that they will update this and flag it again in the future.
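The error quoted at the top of the issue carries the FullyQualifiedErrorId ScriptContainedMaliciousContent, which is what PowerShell raises when AMSI reports the script text as malicious while it is being parsed; the detection is on the content that was scanned, so a useful false-positive report needs the hash of those exact bytes and the signature version that flagged them, together with Defender's own record of the event that the Protection History procedure above points at. The following PowerShell gathers exactly that. It is an added example, not code from the winutil project or from any comment in this thread. It assumes Microsoft Defender Antivirus is the active product (so the Defender module's Get-Mp* cmdlets and the Microsoft-Windows-Windows Defender/Operational log exist) and that the session is elevated; the URL is the one quoted in the issue, and the file names under $env:TEMP are arbitrary choices.

```powershell
# Added example (not winutil code): collect evidence for a false-positive
# report instead of switching real-time protection off.
# Assumes Microsoft Defender Antivirus is active and the shell is elevated.

function Get-ScriptEvidence {
    param(
        [string]$Url  = 'https://christitus.com/win',                 # URL from the issue
        [string]$Path = (Join-Path $env:TEMP 'winutil-review.ps1')   # arbitrary local name
    )
    # Save to disk instead of `iwr ... | iex`: nothing is executed, and the
    # bytes that get scanned can be hashed, read and attached to a report.
    Invoke-WebRequest -UseBasicParsing -Uri $Url -OutFile $Path -ErrorAction Stop
    if (-not (Test-Path -LiteralPath $Path)) {
        # Real-time protection may remove the file on write; record that instead of failing.
        return [pscustomobject]@{ Path = $Path; Sha256 = $null; Bytes = 0; Note = 'file missing after download (quarantined?)' }
    }
    $h = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    [pscustomobject]@{ Path = $Path; Sha256 = $h.Hash; Bytes = (Get-Item -LiteralPath $Path).Length; Note = '' }
}

# SeverityID values used by the Defender module's threat records.
$severityNames = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }

function Get-DefenderDetections {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Get-MpThreat describes the signature (name, severity); Get-MpThreatDetection
    # records each event (time, process, resource). Join them on ThreatID.
    $byId = @{}
    foreach ($t in (Get-MpThreat -ErrorAction SilentlyContinue)) { $byId[$t.ThreatID] = $t }

    Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Sort-Object InitialDetectionTime -Descending |
        ForEach-Object {
            $sig  = $byId[$_.ThreatID]
            $name = if ($sig) { $sig.ThreatName } else { "unknown (ThreatID $($_.ThreatID))" }
            $sev  = if ($sig) { $severityNames[[int]$sig.SeverityID] } else { $null }
            [pscustomobject]@{
                Time          = $_.InitialDetectionTime
                ThreatName    = $name
                Severity      = $sev
                Process       = $_.ProcessName
                Resources     = (@($_.Resources) -join '; ')
                ActionSuccess = $_.ActionSuccess
            }
        }
}

function Get-DefenderEvents {
    param([int]$Hours = 24)
    # Defender operational log: 1116 = malware detected, 1117 = action taken.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Build one report object: what was fetched, what signatures were loaded,
# and what Defender recorded about it in the last 24 hours.
$status = Get-MpComputerStatus
$report = [pscustomobject]@{
    Collected            = Get-Date
    Script               = Get-ScriptEvidence
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    RealTimeProtectionOn = $status.RealTimeProtectionEnabled
    Detections           = @(Get-DefenderDetections)
    Events               = @(Get-DefenderEvents)
}

$out = Join-Path $env:TEMP 'winutil-defender-report.json'   # arbitrary output name
$report | ConvertTo-Json -Depth 5 | Set-Content -LiteralPath $out
$report.Detections | Format-Table Time, ThreatName, Severity, Process -AutoSize
"Report written to $out"
```

The JSON file is what you attach when submitting the sample to the vendor; re-running the script after a signature update shows whether the same SHA-256 is still flagged under the new AntivirusSignatureVersion, which is the check Chris's remark about a hash-based flag calls for.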

@JuRo1971

This should be fixed now. I can confirm that the latest Windows Defender updates flagged winutil.ps1 as a virus.

However, no major code was changed, and I merged some basic fixes in from the test branch, and now it launches fine.

The best I can come up with is that they flagged the hash of the old PS1 script. I worry that they will update this and flag it again in the future.

Chris, many thanks for your prompt action. I can confirm that it starts now as expected. Greetings JuRo

@DeanBP1225

Malwarebytes is also blocking, Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 3/30/2024
Protection Event Time: 10:16
Log File: 78937c2c-eea8-11ee-8c08-00155d92bee8.json

-Software Information-
Version: 5.1.2.109
Components Version: 1.0.1207
Update Package Version: 1.0.82800
License: Premium

-System Information-
OS: Windows 11 (Build 26085.1)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.T1003CredentialAccess, , Blocked, 518, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
Protection Layer: APT Behavior Protection
Protection Technique: T1003 - Credential Access
File Name:
URL:

(end)
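The two Malwarebytes exports in this thread (above and in the later comment dated 5/27/2024) report the same thing: an "APT Behavior Protection" block on powershell.exe for technique T1003, with the File Name and URL fields empty, which points at a behavioural detection on the PowerShell process rather than a match on the script file. The parser below turns that text format into an object so the relevant fields can be compared between reports or fed into a ticket. It is an added example, not Malwarebytes or winutil code; the sample is a constructed copy of the export format shown above, with the log file name replaced by a placeholder, and the function name ConvertFrom-MbamLog is this example's own.

```powershell
# Added example (not Malwarebytes or winutil code): parse the text export
# format that Malwarebytes produces for a protection event.

# Constructed sample copied from the format shown in the issue; the log file
# name is a placeholder, the other values match the first report above.
$sample = @'
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 3/30/2024
Protection Event Time: 10:16
Log File: EXAMPLE-LOG-ID.json

-Software Information-
Version: 5.1.2.109
Components Version: 1.0.1207
Update Package Version: 1.0.82800
License: Premium

-System Information-
OS: Windows 11 (Build 26085.1)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.T1003CredentialAccess, , Blocked, 518, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
Protection Layer: APT Behavior Protection
Protection Technique: T1003 - Credential Access
File Name:
URL:

(end)
'@

function ConvertFrom-MbamLog {
    param([Parameter(Mandatory)][string]$Text)

    # Sections are "-Name-" headers; entries are "Key: Value" lines.
    $sections = [ordered]@{}
    $current  = 'Header'
    $sections[$current] = [ordered]@{}
    $rows = @()   # comma-separated detection rows under "-Exploit Details-"

    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -eq '(end)') { continue }
        if ($line -match '^-(.+)-$') {
            $current = $Matches[1]
            $sections[$current] = [ordered]@{}
            continue
        }
        if ($line -match '^([^:]+):\s*(.*)$') {
            # First colon splits key from value, so Windows paths keep their drive letter.
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
            continue
        }
        if ($current -eq 'Exploit Details' -and $line -match ',') {
            $parts = $line -split ',\s*'
            $rows += [pscustomobject]@{ Name = $parts[0]; Action = $parts[2] }
        }
    }

    $log  = $sections['Log Details']
    $data = $sections['Exploit Data']

    # Pull the ATT&CK technique id out of "T1003 - Credential Access".
    $technique = $null
    if ($data -and $data['Protection Technique'] -match '^(T\d{4}(?:\.\d{3})?)\s*-\s*(.+)$') {
        $technique = [pscustomobject]@{ Id = $Matches[1]; Name = $Matches[2] }
    }

    [pscustomobject]@{
        EventDate      = "$($log['Protection Event Date']) $($log['Protection Event Time'])"
        ProductVersion = $sections['Software Information']['Version']
        UpdatePackage  = $sections['Software Information']['Update Package Version']
        Layer          = $data['Protection Layer']
        Technique      = $technique
        Process        = $data['Affected Application']
        FileName       = $data['File Name']
        Url            = $data['URL']
        Detections     = $rows
        Sections       = $sections
    }
}

# Usage: parse the sample and show the fields worth comparing between reports.
$parsed = ConvertFrom-MbamLog -Text $sample
$parsed | Select-Object EventDate, UpdatePackage, Layer, Process,
    @{ n = 'Technique';  e = { $_.Technique.Id } },
    @{ n = 'Detections'; e = { ($_.Detections | ForEach-Object { "$($_.Name) [$($_.Action)]" }) -join ', ' } } |
    Format-List
```

Running the same function over the second export shows which fields changed (dates, product and update package versions, OS build) and which did not (layer, technique, affected process, empty file and URL fields); an unchanged behavioural rule across two update packages two months apart is the kind of detail to quote when asking the vendor to review the rule.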

@J-eremy

J-eremy commented Mar 30, 2024

Microsoft has a lot to do with all the malware lists. It's VERY pay to play with them. Chances are if they are targeting Chris specifically, or the script has made it onto their radar for any reason, they will propagate the detection across many other providers and it will start showing up in many anti-virus products. I mean come on, they now report "cracks" as potentially unwanted.

Needless to say, I only use windows now specifically to play games and adobe.

@YusufKhalifadev
Contributor

@Tenkorex
It has been fixed now in #1766
so you should close the issue

@DeanBP1225

still having the same issue. I have to turn Malwarebytes off to be able to run winutil.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 5/27/2024
Protection Event Time: 14:52
Log File: a826d8b6-1c62-11ef-9dc1-00155d92bee8.json

-Software Information-
Version: 5.1.5.116
Components Version: 1.0.1251
Update Package Version: 1.0.85131
License: Premium

-System Information-
OS: Windows 11 (Build 26120.670)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.T1003CredentialAccess, , Blocked, 518, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Protection Layer: APT Behavior Protection
Protection Technique: T1003 - Credential Access
File Name:
URL:

(end)

10 participants