
Defender Flags "Import-Command .... dbatools.dat" as Trojan:PowerShell/Powdow.HBI!ams #9688

@PatrickWilli

Description


Verified issue does not already exist?

I have searched and found no existing issue.
There is one, but from 2022: #8241

What error did you receive?

Hello,

We have used dbatools 2.0.4 for a long time and did not have any issues until yesterday.
Since yesterday, Defender on some (not all!) machines flags the command "import-module dbatools" as malicious.

[screenshot]

This is the Defender Version Table:

[screenshot: Defender version table]

We could not find a pattern for when it gets detected and when not (affected: Windows Server 2019 + 2022, SQL Server 2019 + 2022). We also tried with the newest version and have the same problem:

[screenshot]

If you have any questions / need more information, please let me know.

Best regards,

Patrick

Steps to Reproduce

import-module dbatools

Please confirm that you are running the most recent version of dbatools

see screenshots above

Other details or mentions

We could not find any pattern for when it gets detected and when not.
For example, from our clusters there is only 1 node affected; on the second node we can import the module.
It does not matter if the server is primary or secondary; the infections come up completely at random.

If you need more information please let me know.

What PowerShell host was used when producing this error

Windows PowerShell (powershell.exe)

PowerShell Host Version

Name                           Value
----                           -----
PSVersion                      5.1.17763.7309
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.7309
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

SQL Server Edition and Build number

We have multiple SQL Server versions. From 2016 to 2022, all versions are affected.

.NET Framework Version

Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name version -EA 0 | Where PSChildName -Match '^(?!S)\p{L}' | Select PSChildName, version

PSChildName                        Version
-----------                        -------
v2.0.50727                         2.0.50727.4927
v3.0                               3.0.30729.4926
Windows Communication Foundation   3.0.4506.4926
Windows Presentation Foundation    3.0.6920.4902
v3.5                               3.5.30729.4926
Client                             4.8.03761
Full                               4.8.03761
Client                             4.0.0.0
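Triage script added for this page (it is not code from the reporter or from the dbatools project). A detection that hits only some nodes running the same module version is usually either a signature update that reached those nodes first, or a file that differs on those nodes. The script below collects what is needed to tell the two apart: Defender engine/signature versions to diff between an affected and an unaffected node, SHA256 hashes of every dbatools.dat on disk, the Authenticode status of the module's manifest and script files, an optional hash comparison against a fresh copy of the same version from the PowerShell Gallery, and the detection records Defender actually wrote. It assumes an elevated Windows PowerShell 5.1 session with the built-in Defender module, dbatools installed from the Gallery, and (for step 4 only) Internet access. It changes no Defender settings; adding an exclusion for the module path would hide the alert without answering whether the file is clean.

```powershell
# Added triage example; not part of the issue or of the dbatools project.
# Assumes: elevated Windows PowerShell 5.1 with the built-in Defender module,
# dbatools installed from the PowerShell Gallery, and Internet access for the
# optional reference-download step. Nothing here changes Defender settings.

#Requires -RunAsAdministrator
#Requires -Modules Defender

# 1. Engine and signature versions. Run on an affected and an unaffected node and
#    diff the output: a false positive usually tracks a specific signature update.
Get-MpComputerStatus |
    Select-Object AMEngineVersion, AMProductVersion, AntivirusSignatureVersion,
                  AntivirusSignatureLastUpdated, RealTimeProtectionEnabled |
    Format-List

# 2. Every installed copy of dbatools, with a SHA256 of the file named in the alert.
#    The same version must hash identically on every node; a mismatch means the
#    file was modified locally and is not a signature problem.
$installed = Get-Module dbatools -ListAvailable
$local = foreach ($m in $installed) {
    Get-ChildItem -Path $m.ModuleBase -Recurse -Filter dbatools.dat |
        ForEach-Object {
            [pscustomobject]@{
                Version = $m.Version
                Path    = $_.FullName
                SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}
$local | Format-Table -AutoSize

# 3. Is the module's own code still carrying an intact Authenticode signature?
#    Get-AuthenticodeSignature does not cover .dat, so the manifest and script
#    module are checked instead (Status "Valid" only if the project signs them).
foreach ($m in $installed) {
    Get-ChildItem -Path $m.ModuleBase -Recurse -Include *.psd1, *.psm1 |
        Get-AuthenticodeSignature |
        Select-Object @{n = 'File'; e = { $_.Path }}, Status,
                      @{n = 'Signer'; e = { $_.SignerCertificate.Subject }}
}

# 4. Optional: pull the same version from the Gallery into a temp folder and compare
#    hashes with what is on disk. Catches local tampering even when all nodes agree.
foreach ($m in $installed) {
    $tmp = Join-Path $env:TEMP ("dbatools-ref-" + $m.Version)
    if (-not (Test-Path $tmp)) {
        New-Item -ItemType Directory -Path $tmp | Out-Null
        Save-Module -Name dbatools -RequiredVersion $m.Version -Path $tmp -ErrorAction Stop
    }
    $ref = Get-ChildItem -Path $tmp -Recurse -Filter dbatools.dat |
        ForEach-Object { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
    $mine = ($local | Where-Object Version -eq $m.Version).SHA256
    $mismatch = @($mine | Where-Object { $ref -notcontains $_ })
    [pscustomobject]@{ Version = $m.Version; MatchesGallery = ($mismatch.Count -eq 0) }
}

# 5. What Defender actually recorded: detection history and the operational log
#    (event 1116 = malware detected, 1117 = action taken). Keep this output for a
#    Microsoft sample submission; ThreatID identifies the signature that fired.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'dbatools' } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
    Format-List

Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1116, 1117
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'dbatools' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run it on one affected and one unaffected cluster node and diff the two outputs. Identical hashes and signature status with different AntivirusSignatureVersion values point at a signature false positive, which is what a sample submission to Microsoft resolves; a hash mismatch between nodes, or against the Gallery copy, means the file on the affected node is not the one the project shipped and needs a real investigation before anything is excluded. Step 4 downloads the full module package, which is large, so keep it off production nodes if bandwidth matters.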

Labels: bugs life, triage required (new issue that has not been reviewed by maintainers)