Icinga Framework and Plugins fails if Windows Defender gets activated

[stevie-sy]

Normally we don't use the Windows Defender on our servers. Instead we have a other solution for virus and malware installed. But we had on one server the strange situation, that the Defender gets activated for some inexplicable reasons). After this, every check from the framework/plugins fails with following error:

At line:1 char:1
+ try { Use-Icinga; } catch { Write-Output 'The Icinga PowerShell Frame ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This script contains malicious content and has been blocked by your antivirus software.

    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException

    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

As is often the case, it is unfortunately no longer possible to recreate this situation on the test system. What I know from my colleagues PowerShell is on the exclude list in the used software. I think It's nothing you can really fix. But maybe it is something for your knowledge base. ;-)
Unfortunately, I am not familiar with Defender and how to configure them that the framework checks work. But I think you are ;-)

[LordHepipud]

This is an interesting issue. There are two ways to deal with this in my opinion

• Use some sort of exclude (as you already mentioned)
• Re-Write the "malicious" code to pass the checks and not trigger Windows Defender

Did this only happen when running over the Icinga Agent or locally as well? I would assume that the Try-Catch-Block with the additional error handling and detailed information is something the Windows Defender does not like.

If there would be a way to re-produce this, I would be happy. On my Windows 10 test machines, Windows Defender is always enabled and haven't seen this issue before.

I already tried to install Windows Server 2019 with enabled Windows Defender and didn't get this message as well.

[stevie-sy]

Today a colleague from our server admins told me, that Windows Defender gots enabled during the update process of our security solution on W2019 server. We tried already to reproduce this on our Icinga Test Server. But it doesn't happend again to get (event) logs.

Sadly I can't say If this happens locally as well, because I haven't access to the server. And because it's a production server, my colleague tried to to fix it as fast as possible. If we have some ideas to give it an other try to reproduce it, we will tell you.

Until we find the reason why Defender was nagging, the easiest/fastest way is to use some exclude and write this in your knowledge base. Maybe it's one of those cases that occur very rarely.

[stevie-sy]

My colleagues from the server admin group did some more testing. They find out, that during the update process of our security solution, the new version doesn't register itself correctly in Windows. That's why Windows activate the Defender, which isn't configured like our used solution with all the rules, exclusions etc. And as a result the Icinga PowerShell-Framework/Plugins and also every other self-written module are blocked

During this process there are only two event log entries:

We think for such cases an entry in your knowledge base should be enough. What's your opinion for this?

[LordHepipud]

In general, we could provide a simple knowledge base entry for this. I'm still confused on why Windows Defender is reporting PowerShell and Icinga for Windows itself as malware.

On the test machines I have here, it is not reported. I will try to create as draft for a KB entry as PR and will publish it with v1.6.0.

If we get a final solution and reason for this, it would be way better of course, but also a KB entry would be fine.

[LordHepipud]

Could I use the provided screenshots for this?

[stevie-sy]

Yes you can use the screenshots. I have already anonymized sensitive data on the screenshots like hostnames