AV software blocking dbatools import - flagging as malicious

[jemmiegod]

Verified issue does not already exist?

Yes

What error did you receive?

ParserError: C:...\PowerShell\Modules\dbatools\1.1.80\allcommands.ps1:1
Line |
1 | ### DO NOT EDIT THIS FILE DIRECTLY ###
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| This script contains malicious content and has been blocked by your antivirus software.

Steps to Reproduce

• Open a new PowerShell terminal
• Install-Module -MinimumVersion 1.1.80 -Name dbatools
• Import-Module dbatools

Are you running the latest release?

Yes

Other details or mentions

There was a discussion a while back about this, but the issue seems to have reappeared
PowerShell/PowerShell#15396

I have tried multiple versions of dbatools without success. Versions that have previously worked for months, no longer work
I have submitted this as a false positive to FireEye already.

What PowerShell host was used when producing this error

PowerShell Core (pwsh.exe), Windows PowerShell (powershell.exe), Windows PowerShell ISE (powershell_ise.exe), VS Code (terminal), VS Code (integrated terminal)

PowerShell Host Version

Name Value

---

PSVersion 7.1.5
PSEdition Core
GitCommitId 7.1.5
OS Microsoft Windows 10.0.19042
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

SQL Server Edition and Build number

Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) Sep 24 2019 13:48:23 Copyright (C) 2019 Microsoft Corporation Express Edition (64-bit) on Windows 10 Enterprise 10.0 (Build 19042: ) (Hypervisor)

.NET Framework Version

.NET 5.0.11

[wsmelton]

I don't believe there is much we can do about this. There are certain issues with Defender as well flagging it too that I don't think have been fully fixed yet.

[andreasjordan]

We shipped some updates so this is probably not the case anymore. So I will close this.

[Brett-Jay]

I am getting this error using DBATOOLS version 1.1.103. We use Carbon Black. DBATOOLS was working up until about 3 weeks past. Now we get this error when importing the module and Carbon Black pops a message that a Deny Action was applied.

PS C:\Users\xxxxxxx> Import-Module Dbatools

At C:\Program Files\WindowsPowerShell\Modules\Dbatools\1.1.103\allcommands.ps1:1 char:1

• DO NOT EDIT THIS FILE DIRECTLY

This script contains malicious content and has been blocked by your antivirus software.

• CategoryInfo : ParserError: (:) [], ParseException
• FullyQualifiedErrorId : ScriptContainedMaliciousContent

[nicpenning]

Same issue here. This is being flagged as malicious by Carbon Black today as well. 1.1.105 is being blocked with the same message as above. Reopen this issue? Or create a new one?

[andreasjordan]

Neither will have an effect - as we (the developers) can do nothing about this. If you are able to work with the vendor of Carbon Black on the details (like what specific file is maybe not signed), then we might be able to change something to prevent this.

[nicpenning]

@andreasjordan - I agree.

I did narrow down that Carbon Black doesn't like it when you create an object with GETPROCADDRESS and LOADLIBRARY in the same object.

So something like this will get blocked:

$category = [pscustomobject]@{
    GETPROCADDRESS                  = 'hello'
    LOADLIBRARY                      = 'world'
}

I know the code is different in the project but I was able to narrow it down to this. Any characters in front of or behind them still gets blocked.

Furthermore there are other areas in the code that require multiple blocks of text to run that will be blocked as well. But due to the amount of lines of code here, it turned out to be more of a challenge to isolate other parts the Carbon Black is detecting on.

Those with CB will need to work with their support to get a proper tuning.

[andreasjordan]

Let me add @potatoqualitee to this thread...

[wsmelton]

Overall those are false positives as they are not malicious. If they are indeed flagging for that value @nicpenning then it comes from this:

dbatools/functions/Get-DbaWaitStatistic.ps1

Lines 493 to 500 in 6cae0dd

	PREEMPTIVE_OS_GETLONGPATHNAME = 'Preemptive'
	PREEMPTIVE_OS_GETPROCADDRESS = 'Preemptive'
	PREEMPTIVE_OS_GETVOLUMENAMEFORVOLUMEMOUNTPOINT = 'Preemptive'
	PREEMPTIVE_OS_GETVOLUMEPATHNAME = 'Preemptive'
	PREEMPTIVE_OS_INITIALIZESECURITYCONTEXT = 'Preemptive'
	PREEMPTIVE_OS_LIBRARYOPS = 'Preemptive'
	PREEMPTIVE_OS_LOADLIBRARY = 'Preemptive'
	PREEMPTIVE_OS_LOGONUSER = 'Preemptive'

[nicpenning]

Of course. Nothing you can really do to fix that. Also, like I mentioned, this was just one instance of CB flagging the code. Even if you got rid of that part of the code, there are other "red flag" text that get tripped but I don't have the time to find them. VMWare will need to adjust the detection/prevention mechanisms.