ScoopInstaller / Scoop

A command-line installer for Windows.
https://scoop.sh

Scoop Windows install is being blocked by antivirus #4097

Closed narsinallamilli closed 1 year ago

narsinallamilli commented 4 years ago
PS C:\Users\Narsi Nallamilli> Get-Host | Select-Object Version                  
Version
-------
5.1.18362.752

PS C:\Users\Narsi Nallamilli> iwr -useb get.scoop.sh | iex                      
iex : At line:1 char:1
+ #Requires -Version 5
+ ~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:26
+ iwr -useb get.scoop.sh | iex
+                          ~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
chrisbigboulder commented 4 years ago

Having the same issue here, but with PowerShell 7.0.3 as suggested in the Wiki, please advise:

Microsoft Windows [Version 10.0.19041.450]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\Users\ckwwi>pwsh
PowerShell 7.0.3
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/powershell
Type 'help' to get help.

PS C:\Users\ckwwi> Set-ExecutionPolicy RemoteSigned -scope CurrentUser
PS C:\Users\ckwwi> Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://get.scoop.sh')
ParserError:
Line |
   1 | Invoke-Expression (New-Object System.Net.WebClient).DownloadString('h …
     | ~~~~~~~~~~~~~~~~~
     | This script contains malicious content and has been blocked by your antivirus software.

PS C:\Users\ckwwi> iwr -useb get.scoop.sh | iex
Invoke-Expression:
Line |
   1 | iwr -useb get.scoop.sh | iex
     |                          ~~~
     | This script contains malicious content and has been blocked by your antivirus software.

Calinou commented 4 years ago

You may be able to disable Windows Defender temporarily while installing Scoop.

jedieaston commented 4 years ago

Yes, but since scoop is designed to work perfectly without admin rights, you can't have disabling Windows Defender as an install step. Is Defender reporting what malware it thinks scoop is?
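One way to answer that question from an unprivileged session, as an added example that is not from this thread or the Scoop project: read Microsoft Defender's own detection history for anything that references the Scoop directory, so the exact threat name and flagged file or script can be quoted in a false-positive submission. It assumes the Defender PowerShell module (Get-MpThreat, Get-MpThreatDetection) that ships with Windows 10/11 and a default install under ~\scoop; the event-log fallback at the end assumes read access to the Defender operational log.

```powershell
# Added example (not Scoop code): list Defender detections that point at the
# Scoop directory together with the human-readable threat name.
# Assumes the built-in Defender module and a default install under ~\scoop.
param(
    [string]$ScoopRoot = (Join-Path $env:USERPROFILE 'scoop')
)
$pattern = [regex]::Escape($ScoopRoot)

function Get-ScoopDefenderDetections {
    param([string]$Pattern)

    # ThreatID -> ThreatName, e.g. 'Virtool:PowerShell/PoshC2.gen!C'.
    $threatNames = @{}
    foreach ($t in Get-MpThreat) { $threatNames[$t.ThreatID] = $t.ThreatName }

    Get-MpThreatDetection |
        Where-Object { ($_.Resources -join "`n") -match $Pattern } |
        Sort-Object InitialDetectionTime -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Detected   = $_.InitialDetectionTime
                Threat     = $threatNames[$_.ThreatID]
                Process    = $_.ProcessName           # e.g. ...\pwsh.exe
                Resources  = $_.Resources -join '; '  # file:_... or amsi:_... entries
                Remediated = $_.ActionSuccess
            }
        }
}

$hits = @(Get-ScoopDefenderDetections -Pattern $pattern)
if ($hits.Count -eq 0) {
    Write-Host "No Defender detections reference $ScoopRoot."
} else {
    $hits | Format-List
}

# Fallback when the Defender module is unavailable: detections are also logged
# as events 1116 (detected) and 1117 (action taken) in the Defender operational
# log; the message text carries the threat name and the flagged path.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id, Message
```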

Calinou commented 4 years ago

Is Defender reporting what malware it thinks scoop is?

Yes, it's very likely to be Windows Defender (or SmartScreen maybe) unless you have a third-party antivirus installed.

chrisbigboulder commented 4 years ago

@Calinou @jedieaston You both nailed it, thank you! I have McAfee LiveSafe installed with Windows Defender set to "These settings are managed by vendor application McAfee Personal Firewall", and my error was recorded with McAfee LiveSafe firewall and Real-Time Scanning turned off. Opening up Windows Defender advanced settings I found that the Defender firewall was indeed still turned on. I thought that McAfee disabled Windows Defender Firewall to run its own firewall, but both were actually on and Defender was blocking the install as malware. I ran the install again after disabling both, with success:

PowerShell 7.0.3
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/powershell
Type 'help' to get help.

PS C:\Users\ckwwi> Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://get.scoop.sh')
Initializing...
Downloading scoop...
Extracting...
Creating shim...
Downloading main bucket...
Extracting...
Adding ~\scoop\shims to your path.
'lastupdate' has been set to '2020-08-28T11:03:55.4318437-06:00'
Scoop was installed successfully!
Type 'scoop help' for instructions.

@narsinallamilli You'll most likely need to install Windows PowerShell Version 7.x.x to eliminate this install error, as noted in the wiki here: https://github.com/lukesampson/scoop/wiki/Antivirus-false-positive

Once you have PowerShell 7 installed you need to make sure that you install Scoop using PowerShell 7 instead of 5.1. PowerShell 7 installs alongside 5.1, so both can be run from Windows and are stored as separate programs. You can either open a specific instance of PowerShell 7 to execute the install, or you can execute it from Command Prompt. Note that the command "powershell" from Command Prompt executes v5.1, so use the "pwsh" command to execute v7.x.x, then install Scoop as documented in the tutorial.

luanjesus commented 3 years ago

@chrisbigboulder @jedieaston @Calinou I'm deeply grateful! You helped me a lot. I spent a long time trying to install Chocolatey and the problem was Windows Defender with McAfee LiveSafe.

kunalkishoresharma commented 3 years ago

It did not work on my laptop; I disabled both antivirus programs, but the same message is still showing.

diggit commented 3 years ago

Hi, I tried to install scoop on a PC with McAfee, with the following error:

User ran C:\Program Files\WindowsApps\Microsoft.PowerShell_7.1.0.0_x64__8wekyb3d8bbwe\pwsh.exe. The Trojan named AMSI-FHR!AACF0989324C was detected but wasn't blocked because AMSI was set to Observe mode.
Analyzer / Detector
Analyzer content creation date 13.1.2021 10:17 AM
Product name   McAfee Endpoint Security
Product version 10.6.1
Task name          AMSIScan
Feature name   AMSI

Threat
Action taken      Would Block
Threat category               Malware detected
Threat event ID 34937
Threat handled No
Threat name     AMSI-FHR!AACF0989324C
Threat severity Critical
Threat timestamp           14.1.2021 4:23 PM
Threat type        Trojan

Source
Source description          "C:\Program Files\WindowsApps\Microsoft.PowerShell_7.1.0.0_x64__8wekyb3d8bbwe\pwsh.exe"
Source hostName           --redacted--
Source process name     C:\Program Files\WindowsApps\Microsoft.PowerShell_7.1.0.0_x64__8wekyb3d8bbwe\pwsh.exe

Target
Target hash        --redacted--
Target host name            --redacted--
Target user name            User

Other
Vector type        Local System
Cleanable           Yes
Detection message         McAfee Endpoint Security detected a threat.
Duration before detection (days)            0
Description        User ran C:\Program Files\WindowsApps\Microsoft.PowerShell_7.1.0.0_x64__8wekyb3d8bbwe\pwsh.exe. The Trojan named AMSI-FHR!AACF0989324C was detected but wasn't blocked because AMSI was set to Observe mode.
First action status            Succeeded
First attempted action   Would Block

Scoop unpacks and seems to work (at least scoop help works), but paths (env. PATH) are not set and quick app search from the Start menu does not see the applications.

PowerShell 7.10 was installed from the MS Store.

Unfortunately, I don't have full control over this PC and cannot create antivirus exception or anything similar.

jmigual commented 2 years ago

Hi, this issue seems to be back; now just doing scoop update * already triggers it:

On my PC I only have Windows Defender.

rashil2000 commented 2 years ago

Add an exception for the Scoop folder in your Defender settings

jedieaston commented 2 years ago

Add an exception for the Scoop folder in your Defender settings.

Not a solution, since that requires admin rights. Do you have any other antivirus software besides Defender installed?

rashil2000 commented 2 years ago

On my PC I only have Windows Defender.

jmigual commented 2 years ago

I cannot add an exception for Windows Defender as I have partial admin rights and the Windows Defender exceptions are handled by the administrator.

jmigual commented 2 years ago

By the way, this is the report on Windows Defender:

The only allowed action is Quarantine.

rashil2000 commented 2 years ago

What is the output of Get-ExecutionPolicy?

jmigual commented 2 years ago
❯ Get-ExecutionPolicy
RemoteSigned
rashil2000 commented 2 years ago

Can you run Set-ExecutionPolicy -Scope CurrentUser Unrestricted and then try updating again?

Also what is the output of scoop config SCOOP_REPO?

jmigual commented 2 years ago

Can you run Set-ExecutionPolicy -Scope CurrentUser Unrestricted and then try updating again?

Same problem

Also what is the output of scoop config SCOOP_REPO?

It doesn't even return a value, as it shows the same error. I am using shovel (scoop-core) but tried going back to scoop only, and the error is also there with plain scoop.

rashil2000 commented 2 years ago

The use of any forks (shovel etc.) is not supported by Scoop, and from all the other cases I have seen here, going back to original scoop is not possible as of now.

To confirm if the problem occurs with scoop itself (and not shovel), can you try uninstalling everything related to scoop and reinstalling?

Or perhaps install the original scoop in a different location and retry.

jmigual commented 2 years ago

Sorry if I was not clear enough, by "going back to scoop only" I meant that I uninstalled shovel (removed the ~/scoop folder) and used the installation script to install scoop from scratch.

The installation script works and I'm able to install 1 or 2 packages for some minutes (~5 min) but then AMSI kicks in and none of the scoop commands work anymore.

rashil2000 commented 2 years ago

The installation script works and I'm able to install 1 or 2 packages for some minutes (~5 min) but then AMSI kicks in and none of the scoop commands work anymore.

That's really strange. I'm at a loss. Maybe others can suggest something.

42wim commented 2 years ago

Same issue, also getting detected as Virtool:PowerShell/PoshC2.gen!C. I can't even git clone it. I've pinpointed the issue to the shim function in core.ps1; when removing the code in the function I can clone it again.

rashil2000 commented 2 years ago

The shim function is used to copy a binary and create a shim. You can find the binaries here https://github.com/ScoopInstaller/Scoop/tree/master/supporting along with their checksums to verify them individually.

42wim commented 2 years ago

Also the function Optimize-SecurityProtocol triggers it; after removing this method and the shim, I can run scoop again without Defender spouting out a warning.

42wim commented 2 years ago

Did some more testing: it's only Optimize-SecurityProtocol that triggers it; the shim function is not impacted. So for those with problems, remove the Optimize-SecurityProtocol function and the call to it.

sgarcialaguna commented 2 years ago

Maybe related?

Kaspersky reports:

C:\Users\sgarcia\scoop\apps\scoop\current\supporting\shims\rshim\shim.exe Exploit.Win32.UAC.hwb

philippe-granet commented 2 years ago

You can try to change the shim executable, in %USERPROFILE%\.config\scoop\config.json:

{
    "lastupdate":  "...",
    "shim": "kiennq"
}

Possible values: https://github.com/ScoopInstaller/Scoop/blob/59088a9f0094ecaa0c36793eef232b3af237a59b/lib/core.ps1#L620-L622

arichtman commented 2 years ago

I have submitted core.ps1 to Microsoft - submission id 8c45225d-b640-4dc2-9def-a795ad612f16. Hoping to get this false alert lifted for all 🙏

jcrben commented 1 year ago

@arichtman did they get back to you? Was there a ticket number? Ideally point them back here.

arichtman commented 1 year ago

I don't recall seeing anything come back to me. The ticket number was 8c45225d-b640-4dc2-9def-a795ad612f16, but Windows Defender submissions only retain 30 days of history. https://www.microsoft.com/en-us/wdsi/submissionhistory

rashil2000 commented 1 year ago

Closing this as it's not something that can be fixed in Scoop core.