Additional details related to Trojan:PowerShell/Mountsi.A!ml #15415
Replies: 13 comments 2 replies
-
I don't think this is specific to your script. Defender has quarantined my This is insane.
-
Crushing, @tig! Hopefully this gets fixed soon. It was suggested that I ping @SteveL-MSFT and @PaulHigin to ask if they can get the MS Defender team to scan the GitHub repos of popular community modules to help teach the ML.
-
The Defender team continuously refines and updates their heuristics to detect potentially malicious scripts. I don't think there's a way to validate one moment in time and ensure it'll always pass detection (as the rules keep changing/improving), with the exception of signing it with the Windows certificate (yeah, that's not going to happen!). I'm pretty sure the Defender team already uses GitHub open source code as a resource, but I don't think they can just give any projects a free pass, as you can't guarantee that a well-known and popular piece of code doesn't get attacked and malicious code gets added. See this article as one example.
-
Thank you for the detailed response. Is there any way you can engage the Defender team to get a confirmation either way?
-
But @SteveL-MSFT, the fact that my PROFILE ps1 gets literally deleted by Defender is way different than Defender flagging ps1s that are actually found in the wild. I've had to disable Defender's scanning for this vuln to keep it from deleting my PowerShell profile! I can't believe I'm the only person this is happening to!
-
You're not. Our TeamCity builds started failing across the board two days ago after a Windows 10 security update. To get builds running again we had to disable real-time protection. Which was deemed acceptable in the short term while IT works on bringing on a new AV system that is not Windows Defender.
-
For the record, I'm getting this issue as well.
-
@SteveL-MSFT I was just woken up at 3am this morning by alerting because Defender suddenly decided that a script we run on a nightly basis on ~10,000 endpoints was a Trojan. This script hasn't changed in months. These endpoints are in a PCI compliant segregated environment with no domain. This is a real problem. What's the point of using a particular AV product if the ratio of false positives to legitimate events is high? At some point, it becomes the boy crying wolf.
-
Btw, Steve said this on Twitter
-
First, apologies to @SteveL-MSFT if my last comment was a little salty. I realize this isn't PowerShell's problem directly. For some additional info, the script in question hasn't been touched in 2 years, and after reviewing it looking for anything we were doing that might have triggered AMSI (like direct .NET calls or inline C# type of things), it's as vanilla PowerShell as you can probably get. That said, the irony of it all is that this is the script we use to make sure certain file extensions and directories are in Defender's exclusion lists. We are temporarily disabling certain Defender behaviors like real-time network scanning. I can see why heuristics may have interpreted that behavior as potentially malicious, but if you can't manage Defender policies with the Defender PowerShell module, then what's the alternative? Again, for our environment, these endpoints are not in a domain and have no network access except for what we specifically allow, so solutions like Group Policy are not an option. It would be preferable if Defender had options to customize actions to take for different events. In this case, warn us, but don't quarantine immediately. Understandably, from a security perspective, that increases the potential risk for us, especially if a specific event is actually legitimately malicious. I'd argue though that that is something that we, as an organization, should have processes and solutions in place to handle such an event. In our case, due to the segregated nature of our network environment, potential impact is rather low. We can simply replace the affected endpoint(s) without any worry of the compromise being able to spread to other systems, so for us, such a risk may be acceptable. It wouldn't for everyone though, so this is a tricky problem to solve. Still, I think the problem is that Defender's heuristics are a wee bit too sensitive and need to be dialed back a bit.
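The kind of exclusion-management script described in the comment above, written here as an added example (it is not the commenter's script and not a Microsoft sample). It assumes the Defender PowerShell module (Get-MpPreference, Add-MpPreference, Get-MpThreatDetection) is present, that the shell is elevated, and that the paths and extensions in the parameters are placeholders. It first reports what Defender quarantined recently (so a 3am alert can be tied to a file and a threat name), then adds only the exclusions that are missing, which keeps repeated nightly runs from rewriting preferences.

```powershell
# Added example, not the commenter's code. Hypothetical paths/extensions below.
param(
    [string[]]$RequiredPaths      = @('C:\App\Jobs', 'C:\App\Logs'),
    [string[]]$RequiredExtensions = @('.dat', '.tmp'),
    [int]$LookbackHours           = 24
)

function Get-RecentDefenderDetection {
    # Joins Get-MpThreatDetection (events, file resources) with Get-MpThreat (ThreatID -> name)
    param([int]$Hours)
    $names = @{}
    foreach ($t in Get-MpThreat) { $names[$t.ThreatID] = $t.ThreatName }
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            [pscustomobject]@{
                When          = $_.InitialDetectionTime
                Threat        = $names[$_.ThreatID]           # e.g. Trojan:PowerShell/Mountsi.A!ml
                Files         = ($_.Resources -join '; ')
                ActionSuccess = $_.ActionSuccess
            }
        }
}

function Sync-DefenderExclusion {
    # Idempotent: only calls Add-MpPreference for entries that are not already present
    param([string[]]$Paths, [string[]]$Extensions)
    $pref = Get-MpPreference
    # Empty exclusion lists come back as $null; wrap in @() so -notin works.
    $havePaths = @($pref.ExclusionPath)
    # Assumption: compare with the leading dot stripped so '.log' and 'log' count as the same entry.
    $haveExts  = @($pref.ExclusionExtension | ForEach-Object { $_.TrimStart('.') })
    $added = @()
    foreach ($p in $Paths) {
        if ($p -notin $havePaths) { Add-MpPreference -ExclusionPath $p; $added += "path:$p" }
    }
    foreach ($e in $Extensions) {
        $e = $e.TrimStart('.')
        if ($e -notin $haveExts) { Add-MpPreference -ExclusionExtension $e; $added += "ext:$e" }
    }
    $added
}

Get-RecentDefenderDetection -Hours $LookbackHours | Format-Table -AutoSize
$changes = Sync-DefenderExclusion -Paths $RequiredPaths -Extensions $RequiredExtensions
if ($changes) { Write-Output "Added exclusions: $($changes -join ', ')" } else { Write-Output 'Exclusions already in place.' }
```

Two caveats a practitioner would want: never put the directory this script lives in on the exclusion list, because anything an attacker drops there then runs unscanned; and expect the script itself to look suspicious to heuristics, since adding exclusions and toggling scan settings is exactly what defence-evasion tooling does, which is why the commenter's unchanged two-year-old script could start being flagged.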
-
WG-Security PowerShell must follow the AMSI result. If we add the ability to alter how we respond, it becomes an attack vector to AMSI plug-ins. We would need an AMSI feature that tells us that we could, say, warn instead of block. This would probably be by return code from AMSI. Otherwise, you need to work through Microsoft Security Intelligence to get the file cleared as not malware. I think we can continue this as a discussion.
-
@TravisEz13, if I understand you correctly, you are asserting that every PowerShell user on the planet needs to individually get their
-
Summary of the new feature/enhancement
As a trusted community module maintainer, I would like a wealth of information shouted from the rooftops about how to prevent PowerShell scripts from being reported as a trojan by Windows Defender. Recently, a file that has not changed in 2 years was reported as a Trojan to two of our users.
While our file is not a trojan, false positives from Windows Defender impact the trustworthiness of our module. We've worked hard over the years to engender trust in both dbatools and PowerShell. Currently, I hold up our CI/CD process to review each commit to ensure it is not malicious before I publish it to the PowerShell Gallery.
Is there a solution for whitelisting trusted community modules and adding a feature to PSScriptAnalyzer that highlights problematic techniques?
So far, one user has confirmed that the signed version from the PowerShell Gallery is not triggering AV. The problem with this is that:
It seems that this may be a result of some enhancements to AMSI and machine learning
(I hope IronPython is impacted as well 😅)
Here's information about the Defender definition that alerted the user
I assume that `[Reflection.Assembly]::LoadFrom($assemblyPath)`, which we use to make imports as fast as possible, is the problematic technique, but I can't find any confirmation. Other blogs talk about using that for loading from memory, but we are loading from disk. Once we get this issue solved, however, I'd like to know what to modify in other files. Perhaps the Gallery can detect these techniques and email module owners. Other PowerShell users are experiencing this as well, as noted in the following links:
https://twitter.com/JustinWGrote/status/1392518022900850688
https://twitter.com/psCookieMonster/status/1392796401545981953
https://twitter.com/DrAzureAD/status/1361298815815417856
https://twitter.com/PrzemyslawKlys/status/1392933835978027019
PowerShell/vscode-powershell#3017
https://www.reddit.com/r/PowerShell/comments/jj4wzw/removing_trojanpowershellmountsiaml_trigger_from/
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defender-detected-powershell-ise-exe-as-trojan-powershell/m-p/2180534
In addition, this article suggests that the file being unsigned is the problem, and a commenter said that "Cleared it up by submitting it to Microsoft’s service at https://www.microsoft.com/en-us/wdsi/filesubmission." Do we make it part of our GitHub pipeline to submit changed files to that site?
Edit: I know that the PowerShell team is not the Defender team, but considering unsigned PowerShell files in a git repository (it's impossible to sign and commit, I've tried, it changes the SHA) trigger AV warnings, this may be a very big problem for PowerShell development and scripting in general. Taking a look at Warren's code, which has been flagged by Defender, nothing stands out.
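Two points in this thread can be turned into a pipeline step: the statement that PowerShell simply follows the AMSI return code (it blocks when the result is at or above AMSI_RESULT_DETECTED), and the original post's questions about scanning changed files before publishing and about signing changing the git SHA. The following is an added example of a pre-publish gate; it is not dbatools' code and not the PowerShell project's. It assumes a module checkout at a placeholder path, a code-signing certificate identified by a placeholder thumbprint in the current user's store, and a timestamp server URL you trust. It scans every script file through the locally registered AMSI providers using the same amsi.dll calls PowerShell makes, refuses to publish if anything is flagged, and then signs a staged copy rather than the working tree, because Authenticode appends a signature block to each .ps1 and committing that would rewrite every blob.

```powershell
# Added example: pre-publish AMSI scan + staged Authenticode signing.
# Not dbatools/PowerShell project code. Paths, thumbprint and timestamp URL are placeholders.
param(
    [string]$ModulePath      = 'C:\src\MyModule',       # git working tree, stays unsigned
    [string]$StagingPath     = 'C:\build\MyModule',     # signed copy that goes to the Gallery
    [string]$CertThumbprint  = 'REPLACE-WITH-YOUR-THUMBPRINT',
    [string]$TimestampServer = 'http://timestamp.digicert.com'
)

# P/Invoke into amsi.dll: the same entry points PowerShell uses before it runs a script block.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public enum AmsiResult : int {
    Clean = 0, NotDetected = 1,
    BlockedByAdminStart = 0x4000, BlockedByAdminEnd = 0x4FFF,
    Detected = 32768
}
public static class AmsiNative {
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr ctx);
    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr ctx);
    [DllImport("amsi.dll")]
    public static extern int AmsiOpenSession(IntPtr ctx, out IntPtr session);
    [DllImport("amsi.dll")]
    public static extern void AmsiCloseSession(IntPtr ctx, IntPtr session);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanString(IntPtr ctx, string content, string contentName,
                                            IntPtr session, out AmsiResult result);
}
'@

function Test-AmsiFile {
    param([string]$Path, [IntPtr]$Context, [IntPtr]$Session)
    $content = Get-Content -LiteralPath $Path -Raw
    if ([string]::IsNullOrEmpty($content)) { return }   # empty file, nothing to scan
    $result = [AmsiResult]::Clean
    $hr = [AmsiNative]::AmsiScanString($Context, $content, $Path, $Session, [ref]$result)
    if ($hr -ne 0) { throw ('AmsiScanString failed for {0}: HRESULT 0x{1:X8}' -f $Path, $hr) }
    $code = [int]$result
    # AMSI hands back a number, not a policy. PowerShell treats >= Detected as malware and
    # blocks; 0x4000..0x4FFF means an admin policy blocked it; anything lower runs.
    $verdict = if ($code -ge [int][AmsiResult]::Detected) { 'DETECTED' }
               elseif ($code -ge 0x4000 -and $code -le 0x4FFF) { 'BLOCKED_BY_ADMIN' }
               else { 'CLEAN' }
    [pscustomobject]@{ File = $Path; AmsiResult = $code; Verdict = $verdict }
}

$ctx = [IntPtr]::Zero; $session = [IntPtr]::Zero
$hr = [AmsiNative]::AmsiInitialize('ModulePrePublishGate', [ref]$ctx)
if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
$null = [AmsiNative]::AmsiOpenSession($ctx, [ref]$session)
try {
    $report = Get-ChildItem -LiteralPath $ModulePath -Recurse -Include *.ps1, *.psm1, *.psd1 -File |
              ForEach-Object { Test-AmsiFile -Path $_.FullName -Context $ctx -Session $session }
} finally {
    [AmsiNative]::AmsiCloseSession($ctx, $session)
    [AmsiNative]::AmsiUninitialize($ctx)
}
$report | Format-Table -AutoSize
$flagged = @($report | Where-Object Verdict -ne 'CLEAN')
if ($flagged.Count) { Write-Error "AMSI flagged $($flagged.Count) file(s); not publishing."; exit 1 }

# Sign the staged copy only. Set-AuthenticodeSignature appends a signature block to each
# script, which is why signed files cannot live in the repo without changing every SHA.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object Thumbprint -eq $CertThumbprint
if (-not $cert) { throw "No code-signing certificate with thumbprint $CertThumbprint" }
Remove-Item -LiteralPath $StagingPath -Recurse -Force -ErrorAction SilentlyContinue
Copy-Item -LiteralPath $ModulePath -Destination $StagingPath -Recurse
Get-ChildItem -LiteralPath $StagingPath -Recurse -Include *.ps1, *.psm1, *.psd1 -File | ForEach-Object {
    $sig = Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert -HashAlgorithm SHA256 -TimestampServer $TimestampServer
    if ($sig.Status -ne 'Valid') { throw "Signing failed for $($_.FullName): $($sig.StatusMessage)" }
}
```

To confirm the harness works, scan a file containing the AMSI test string Microsoft documents for this purpose rather than pasting that string into the gate script itself, since PowerShell submits the script's own text to AMSI and would refuse to run it. Two caveats: the verdict reflects the providers and signatures on the build box at that moment, and the on-disk quarantine described earlier in the thread (the profile being deleted, the Mountsi detection) comes from Defender's file engine and ML classification, not from the AMSI content scan, so a clean pass here is evidence rather than a guarantee. And the harness does inline-C# P/Invoke into amsi.dll, a pattern heuristics also associate with AMSI tampering, so keep it on the build machine and out of the published module.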