JanDeDobbeleer / oh-my-posh

The most customisable and low-latency cross platform/shell prompt renderer
https://ohmyposh.dev
MIT License

Windows Defender says oh-my-posh contains virus and blocks it #708

Closed tigerinus closed 3 years ago

tigerinus commented 3 years ago

Description

[screenshot of the Windows Defender alert]

[screenshot of the Windows Defender alert]

Environment

PS D:\xiaoh\Documents\WindowsPowerShell> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.19041.906
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.906
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Steps to Reproduce

  1. Windows Defender got updated automatically.
  2. Boot powershell

Expected behavior: oh-my-posh gets imported successfully

Actual behavior: [screenshot]

Customized Theme

{
    "final_space": true,
    "osc99": false,
    "console_title": false,
    "console_title_style": "",
    "console_title_template": "",
    "blocks": [
        {
            "type": "prompt",
            "alignment": "left",
            "horizontal_offset": 0,
            "vertical_offset": 0,
            "segments": [
                {
                    "type": "root",
                    "style": "plain",
                    "powerline_symbol": "",
                    "invert_powerline": false,
                    "foreground": "#FFEE58",
                    "foreground_templates": null,
                    "background": "",
                    "background_templates": null,
                    "leading_diamond": "",
                    "trailing_diamond": "",
                    "properties": {
                      "root_icon": ""
                    }
                },
                {
                    "type": "python",
                    "style": "diamond",
                    "invert_powerline": false,
                    "foreground": "#ffffff",
                    "foreground_templates": null,
                    "background": "#5fafd7",
                    "background_templates": null,
                    "leading_diamond": "",
                    "trailing_diamond": "<#5fafd7,#5858ff></>",
                    "properties": {
                        "prefix": " "
                    }
                },
                {
                    "type": "path",
                    "style": "diamond",
                    "powerline_symbol": "",
                    "invert_powerline": false,
                    "foreground": "#efefef",
                    "foreground_templates": null,
                    "background": "#5858ff",
                    "background_templates": null,
                    "leading_diamond": "",
                    "trailing_diamond": "<#5858ff,transparent></>",
                    "properties": {
                        "folder_separator_icon": "  ",
                        "home_icon": "🏠",
                        "folder_icon": "…",
                        "style": "mixed"
                    }
                },
                {
                    "type": "exit",
                    "style": "powerline",
                    "powerline_symbol": "",
                    "invert_powerline": false,
                    "foreground": "#ffffff",
                    "foreground_templates": null,
                    "background": "#800000",
                    "background_templates": null,
                    "leading_diamond": "",
                    "trailing_diamond": "",
                    "properties": {
                        "prefix": " "
                    }
                }
            ]
        }
    ]
}
lnu commented 3 years ago

Like this one: https://github.com/JanDeDobbeleer/oh-my-posh/issues/218 @JanDeDobbeleer already submitted the binary for review. Any status?

PS: Sophos endpoint here (corporate laptop) and never had any warning.

JanDeDobbeleer commented 3 years ago

@tigerinus @lnu no, they closed that without notice. I'll see if I can reach out directly. The only way to bypass that today (doesn't happen everywhere) is to exclude it from Defender.

silverqx commented 3 years ago

I can confirm this; for me, it started a few days ago.

How did you solve it? I have tried adding the file C:\Program Files\WindowsPowerShell\Modules\oh-my-posh\3.147.0\oh-my-posh.psm1 and the folder C:\Program Files\WindowsPowerShell\Modules\oh-my-posh to Defender's file/folder exclusions, but it did not help. For now, I have added powershell.exe as a process exclusion, but this is not a good solution.
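Before adding any exclusion it is worth seeing what Defender actually flagged, and if an exclusion is unavoidable, scoping it to the module folder rather than to the powershell.exe process (a process exclusion means nothing that powershell.exe reads or writes is scanned). The following is an added example, not code from the oh-my-posh project or from anyone in this thread; it uses the Defender cmdlets that ship with Windows, needs an elevated session, and the module path is an assumption taken from the comment above.

```powershell
# Added example: inspect Defender's detection history, then replace a broad
# process exclusion with a narrow path exclusion. Run elevated.

# 1. Which resources were flagged, by which process, and with which threat ID?
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ProcessName, ThreatID,
        @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize

# 2. Map the ThreatID to a human-readable detection name and severity
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID

# 3. Review what is currently excluded. ExclusionProcess entries are the
#    risky ones: every file a listed process touches is skipped by real-time
#    scanning, so 'powershell.exe' there disables scanning for most scripts.
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess

# 4. Scope the exclusion to the module folder (assumed path, from the thread)
$modulePath = 'C:\Program Files\WindowsPowerShell\Modules\oh-my-posh'
Add-MpPreference -ExclusionPath $modulePath

# 5. Drop the process-wide exclusion once the narrow one is in place
Remove-MpPreference -ExclusionProcess 'powershell.exe'
```

Note the caveat the comment above already illustrates: if the detection fires on script content that powershell.exe evaluates at runtime rather than on the module files themselves, a folder exclusion will not silence it, and step 1 is what tells you which of the two is happening.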

lnu commented 3 years ago

@JanDeDobbeleer did you use this url to submit the exe for approval?

JanDeDobbeleer commented 3 years ago

@lnu correct

lnu commented 3 years ago

JanDeDobbeleer commented 3 years ago

@silverqx @tigerinus I submitted another request, additionally it seems related to this issue.

silverqx commented 3 years ago

Yea, it looks like there are many false positives. In that particular issue the reporter describes that a command like [Reflection.Assembly]::LoadFrom($assemblyPath) causes a false positive; in the oh-my-posh project the following line causes the false positive:

Invoke-Expression (& $poshCommand --init --shell=pwsh --config="$config")

I was thinking about trying to change this call, simply trying another syntax 🤔. I didn't try it, I don't have much time.

Still have powershell.exe in the exclusion list 🙃 @JanDeDobbeleer

JanDeDobbeleer commented 3 years ago

I'll leave this open to keep track of it myself.

JanDeDobbeleer commented 3 years ago

As per the analysis:

Analyst comments: The warning you experienced indicates that the application had not established reputation with the Microsoft Defender SmartScreen Application Reputation feature at that time. We can confirm that the application "posh-windows-amd64-3.exe" (sha256 – “ec350d7b6b8c5553a419425a98a0fa8a5d7d5a2f51b08743c421204168bdb14f”) has since established reputation and attempting to download or run the application should no longer show any warnings. Please note, however, that the submitted files are not signed using a valid digital certificate. Unsigned files will have to establish reputation each time a new version is released. Application Reputation warnings are meant to indicate when applications do not have known positive reputation. This doesn’t mean that the application is malicious, only that it is “unknown.” Users can still proceed to download and run the application. If establishing reputation immediately is critical, you may want to consider investing in an EV Authenticode certificate. A valid EV Authenticode certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists. In order to be considered a valid EV certificate, the certificate must be issued by a Certificate Authority that is authorized by the Microsoft Trusted Root Certificate Program and recognized as an Extended Validation issuer.

I'll see if code signing is an option. Haven't looked at this in 10 years 😅

EDIT: the cert is at least €299/year. So unless OSS becomes sustainable, that's not going to happen.
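The analyst reply gives two checks a user can run locally: the SHA-256 of the binary that was reviewed, and the fact that the release is unsigned. Below is an added example (not from the oh-my-posh project) that compares a downloaded release against that hash and reports the Authenticode signature status; the download path is an assumption, and the hash is the one quoted in the analyst comment above, so it only applies to that specific build.

```powershell
# Added example: verify a downloaded release against the hash the Defender
# analyst quoted, and report whether it carries an Authenticode signature.
$exe = Join-Path $env:USERPROFILE 'Downloads\posh-windows-amd64-3.exe'   # assumed path

# SHA-256 quoted in the analyst reply for posh-windows-amd64-3.exe
$expected = 'ec350d7b6b8c5553a419425a98a0fa8a5d7d5a2f51b08743c421204168bdb14f'

$actual = (Get-FileHash -Path $exe -Algorithm SHA256).Hash.ToLowerInvariant()
if ($actual -eq $expected) {
    Write-Host "SHA-256 matches the build the analyst reviewed"
} else {
    # A mismatch is expected for any other release; it is only alarming if you
    # believe you downloaded exactly that build.
    Write-Warning "SHA-256 mismatch: got $actual, expected $expected"
}

# Unsigned files report Status 'NotSigned'. A signed file reports 'Valid' and
# a signer certificate, which is what SmartScreen can attach reputation to
# across releases instead of per-hash.
$sig = Get-AuthenticodeSignature -FilePath $exe
[pscustomobject]@{
    Status = $sig.Status
    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Path   = $sig.Path
}

# Mark-of-the-Web: downloaded files carry a Zone.Identifier stream, and that is
# what triggers the SmartScreen reputation check on first run.
Get-Content -Path $exe -Stream Zone.Identifier -ErrorAction SilentlyContinue
```

A matching hash tells you the file is byte-identical to what the analyst looked at, nothing more; it does not substitute for a signature, and each new release will have a different hash and, as the analyst notes, will need to earn reputation again.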

parithon commented 3 years ago

Perhaps sigstore can be helpful in this effort someday.

The mission of sigstore is to make it easy for developers to sign releases and for users to verify them. You can think of it like Let’s Encrypt for Code Signing.

vexx32 commented 3 years ago

If this code is actually the problem:

Invoke-Expression (& $poshCommand --init --shell=pwsh --config="$config")

I would recommend trying to just drop the Invoke-Expression -- far as I can tell, that is entirely an unnecessary part of the command.

silverqx commented 3 years ago

I tried something like this now:

& $poshCommand --init --shell=pwsh --config="$config" | Invoke-Expression

It works, and afterwards I removed powershell.exe from the Defender exclusion list; even the original line is not detected as a false positive anymore.

JanDeDobbeleer commented 3 years ago

@silverqx so this is working when invoked like that?

JanDeDobbeleer commented 3 years ago

@vexx32 that statement is incorrect as it actually outputs Powershell code which needs to be interpreted. Otherwise you get that string value.

silverqx commented 3 years ago

Defender doesn't detect it as a positive anymore. @JanDeDobbeleer

vexx32 commented 3 years ago

> @vexx32 that statement is incorrect as it actually outputs Powershell code which needs to be interpreted. Otherwise you get that string value.

Fair enough! In that case you might want to manually construct a [scriptblock] from the output and invoke it rather than using Invoke-Expression... but yeah, it might be some code that is output from that which is what Defender's really objecting to. Hard to say.
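The three forms discussed in this thread (the original Invoke-Expression call, the piped variant silverqx tried, and vexx32's [scriptblock] suggestion) all evaluate the same generated text; the useful addition is to capture that text first so it can be reviewed before anything runs. The following is an added example, not the project's own init snippet; $poshCommand and $config follow the variable names used in the thread, and the values assigned to them here are assumptions.

```powershell
# Added example: capture the PowerShell code that `oh-my-posh --init` prints,
# review it, then run it. Variable names follow the thread; values are assumed.
$poshCommand = 'oh-my-posh'                            # assumed to be on PATH
$config      = Join-Path $env:USERPROFILE 'mytheme.omp.json'   # assumed theme path

# Capture the generated script as one string instead of evaluating it blindly.
$init = (& $poshCommand --init --shell=pwsh --config="$config") -join "`n"

# Review step: persist and skim what is about to be executed. This is the only
# way to tell whether a scanner objects to the generated code or to the
# Invoke-Expression call site itself.
$initPath = Join-Path $env:TEMP 'omp-init.ps1'
Set-Content -Path $initPath -Value $init -Encoding UTF8
Get-Content -Path $initPath | Select-Object -First 20

# Pick one of the three equivalent ways to evaluate it:

# 1. Original form from the thread
# Invoke-Expression $init

# 2. Piped form that silverqx reported as no longer flagged
# $init | Invoke-Expression

# 3. vexx32's suggestion: build a [scriptblock] from the text and dot-source it,
#    so the prompt function and variables it defines land in the current scope
$sb = [scriptblock]::Create($init)
. $sb
```

Calling `& $sb` instead of `. $sb` would run the block in a child scope, and a `prompt` function defined there would be gone by the time the shell renders the next prompt; dot-sourcing is what keeps the behaviour identical to the Invoke-Expression forms.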

JanDeDobbeleer commented 3 years ago

@tigerinus @silverqx the latest version swaps every occurrence of Invoke-Expression with the piped version. Curious to see if that would impact something.

silverqx commented 3 years ago

The pipe version should work the same, as described in the docs.

JanDeDobbeleer commented 3 years ago

I suppose for now, with the adjusted init scripts and docs, we can close this for the time being?

silverqx commented 3 years ago

Defender doesn't detect it, so the issue has been solved.

DominicCronin commented 3 years ago

I've just installed oh-my-posh using:

winget install JanDeDobbeleer.OhMyPosh

When I invoke:

oh-my-posh --init --shell pwsh --config "myconfig.json" | Invoke-Expression

it fails to run, and I see that McAfee has quarantined the exe.

silverqx commented 3 years ago

It should be reported to McAfee; when something calls xyz | Invoke-Expression it does not mean that it is malicious. I'm pretty sure there is nothing malicious.

DominicCronin commented 3 years ago

It's not complaining about Invoke-Expression as far as I can see. It's the oh-my-posh exe that gets quarantined.

Jkudjo commented 2 years ago

It's 2022 and the issue still lingers.

JanDeDobbeleer commented 2 years ago

@Jkudjo thanks for reminding me what year it is. One would indeed forget with everything which is going on in the world.

anaskhan28 commented 1 year ago

I am unable to install oh-my-posh on Windows, even after excluding the folder.

JanDeDobbeleer commented 1 year ago

@anaskhan28 I don't understand what you mean by that. Can you explain in a bit more detail?

anaskhan28 commented 1 year ago

After downloading oh-my-posh I ran it, but it is not working, so I thought it was happening because of Windows Defender. Then I excluded the path of oh-my-posh and ran it again, and it's still not working. Any idea why?

JanDeDobbeleer commented 1 year ago

@anaskhan28 can you share the exact steps you're taking when saying "making it run"? Might be good to join the Discord to get a conversation going.

github-actions[bot] commented 1 year ago

This issue has been automatically locked since there has not been any recent activity (i.e. last half year) after it was closed. It helps our maintainers focus on the active issues. If you have found a problem that seems similar, please open a discussion first, complete the body with all the details necessary to reproduce, and mention this issue as reference.