PowershellFrameworkCollective / psframework

A module that provides tools for other modules and scripts
MIT License

Import-Module PSFramework stopped working #517

Open EMarcais opened 2 years ago

EMarcais commented 2 years ago

Hi guys,

I have been using your wonderful module for the last two years and basically use it heavily for logging purposes. This started, I think I can pinpoint it to the installation of this Windows update on my setup: https://support.microsoft.com/en-us/topic/april-12-2022-kb5012599-os-builds-19042-1645-19043-1645-and-19044-1645-548cc67c-7f12-46fd-878e-589ba81ac2f5

The errors I get are:

I have installed Symantec Endpoint Protection and Carbon Black Cloud Sensor as security tools, and Defender is turned off. The facts are:

Here is the detailed information about my setup:

❯ [System.Environment]::OSVersion.Version

Major  Minor  Build  Revision
10     0      19042  0

❯ Get-ComputerInfo | select WindowsProductName, WindowsVersion, OsHardwareAbstractionLayer

WindowsProductName     WindowsVersion  OsHardwareAbstractionLayer
Windows 10 Enterprise  2009            10.0.19041.1566

❯ systeminfo /fo csv | ConvertFrom-Csv | select OS, System, Hotfix* | Format-List

OS Name             : Microsoft Windows 10 Enterprise
OS Version          : 10.0.19042 N/A Build 19042
OS Manufacturer     : Microsoft Corporation
OS Configuration    : Member Workstation
OS Build Type       : Multiprocessor Free
System Boot Time    : 02/05/2022, 09:12:15
System Manufacturer : Dell Inc.
System Model        : Latitude 7420
System Type         : x64-based PC
System Directory    : C:\windows\system32
Hotfix(s)           : 15 Hotfix(s) Installed.,[01]: KB5012117,[02]: KB4562830,[03]: KB4570334,[04]: KB4577586,[05]: KB4580325,[06]: KB4586864,[07]: KB4589212,[08]: KB5003304,[09]: KB5005716,[10]: KB5012599,[11]: KB5006753,[12]: KB5007273,[13]: KB5011352,[14]: KB5011651,[15]: KB5005260

Many thanks for your help

EMarcais commented 2 years ago

Carbon Black came back with the only solution they could find and put me in a bypass policy as of now. It's related to their security policy, but they can't find what exactly triggers the blockage. I will let them research it and close this one as a miss.

FriedrichWeinmann commented 2 years ago

Glad you got unblocked, but I can't say I'm happy they have issues with my project. If it will help, I'm happy to have a discussion with one of their tech folks. They can contact me any time via my corporate email address (<givenname>.<surname>@microsoft.com).

EMarcais commented 2 years ago

I will reach out to them and inform them you are available for research! Many thanks for your response and time maintaining this incredible tool!

hotsauce-v2 commented 2 years ago

I identified that I am encountering the same issue with Carbon Black and PSFramework. I will likely open a case with them as well.

EMarcais commented 2 years ago

More context from the Carbon Black team. They told me that Carbon Black is leveraging an anti-malware tool that is flagging something in PSFramework. They are trying to implement something to cover this, but maybe you will have better luck.

hotsauce-v2 commented 2 years ago

Carbon Black support told me that it was simply up to each individual environment to determine how they want to respond to their alerts (such as this one, flagged as obfuscated techniques/code), and that the tool doesn't indicate which lines of the PS module are considered malicious or suspicious. I asked whether there was a feedback component in Carbon Black to submit the file for analysis, have the vendor contact Carbon Black, etc., but support said that this doesn't exist.

FriedrichWeinmann commented 2 years ago

Too bad :( I can see why they wouldn't want to expose their detection criteria though (lest they be gamed by bad actors). Oh well, "Obfuscated" is already one more piece of information. Maybe something I can try and nail down with the good ol' Revoke-Obfuscation project to help narrow down the file.
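Since the vendor does not say which file or lines trip the "obfuscated" verdict, a maintainer can at least rank a module's own script files by crude obfuscation heuristics and look at the top hits first. The following is an added example, not code from PSFramework, Revoke-Obfuscation or Carbon Black; it uses only PowerShell's built-in AST parser, the heuristics and weights are my own guesses at what an obfuscation detector typically scores, and it assumes PSFramework is installed in a module path visible to Get-Module.

```powershell
# Added triage helper (not part of PSFramework or Revoke-Obfuscation).
# Scores each .ps1/.psm1 in a module folder with a few crude obfuscation
# heuristics built on PowerShell's own AST parser, so a maintainer can see
# which files a detector is most likely reacting to. Weights are guesses.
function Get-ObfuscationScore {
    param([Parameter(Mandatory)][string]$Path)
    $tokens = $null; $errors = $null
    $ast  = [System.Management.Automation.Language.Parser]::ParseFile($Path, [ref]$tokens, [ref]$errors)
    $text = Get-Content -Raw -LiteralPath $Path
    if ([string]::IsNullOrWhiteSpace($text)) { return $null }

    # Heuristic 1: backticks, often used to break up keywords and cmdlet names
    $backticks = ([regex]::Matches($text, '`')).Count
    # Heuristic 2: [char] casts, the usual way to hide strings as numbers
    $charCasts = ([regex]::Matches($text, '\[char\]', 'IgnoreCase')).Count
    # Heuristic 3: dynamic invocation: Invoke-Expression / iex, or & $variable
    $dynamicInvokes = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst] -and
        ($node.GetCommandName() -in @('Invoke-Expression', 'iex') -or
         ($node.InvocationOperator -ne 'Unknown' -and
          $node.CommandElements[0] -isnot [System.Management.Automation.Language.StringConstantExpressionAst]))
    }, $true).Count
    # Heuristic 4: very long string literals (embedded encoded blobs)
    $longStrings = @($tokens | Where-Object {
        ($_.Kind -eq 'StringLiteral' -or $_.Kind -eq 'StringExpandable') -and $_.Text.Length -gt 500 }).Count
    # Heuristic 5: share of characters that are neither alphanumeric nor whitespace
    $nonAlnum = [math]::Round((($text -replace '[A-Za-z0-9\s]', '').Length / $text.Length), 3)

    [pscustomobject]@{
        File           = $Path
        Backticks      = $backticks
        CharCasts      = $charCasts
        DynamicInvokes = $dynamicInvokes
        LongStrings    = $longStrings
        NonAlnumRatio  = $nonAlnum
        ParseErrors    = $errors.Count
        Score          = $backticks + 5 * $charCasts + 10 * $dynamicInvokes + 10 * $longStrings + [int](100 * $nonAlnum)
    }
}

# Usage: score every script file in the installed PSFramework module and list the top suspects.
$moduleBase = (Get-Module -ListAvailable PSFramework | Select-Object -First 1).ModuleBase
Get-ChildItem -LiteralPath $moduleBase -Recurse -Include *.ps1, *.psm1 |
    ForEach-Object { Get-ObfuscationScore -Path $_.FullName } |
    Sort-Object Score -Descending |
    Select-Object -First 10 |
    Format-Table -AutoSize
```

The ranking only narrows where to look; a high score on a legitimately dense file (for example a large message table or a compiled helper loader) is expected and is something to explain to the vendor rather than to change.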

Geo-Ron commented 1 year ago

Issue seems related to the dbatools issue https://github.com/dataplat/dbatools/issues/8241. We are currently working with CB support on this issue.