Closed narsinallamilli closed 1 year ago
Having same issue here, but with PowerShell 7.0.3 as suggested in the Wiki, please advise:
Microsoft Windows [Version 10.0.19041.450]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\Users\ckwwi>pwsh
PowerShell 7.0.3
Copyright (c) Microsoft Corporation. All rights reserved.
https://aka.ms/powershell
Type 'help' to get help.
PS C:\Users\ckwwi> Set-ExecutionPolicy RemoteSigned -scope CurrentUser
PS C:\Users\ckwwi> Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://get.scoop.sh')
ParserError:
Line |
1 | Invoke-Expression (New-Object System.Net.WebClient).DownloadString('h …
| ~~~~~~~~~~~~~~~~~
| This script contains malicious content and has been blocked by your antivirus software.
PS C:\Users\ckwwi> iwr -useb get.scoop.sh | iex
Invoke-Expression:
Line |
1 | iwr -useb get.scoop.sh | iex
| ~~~
| This script contains malicious content and has been blocked by your antivirus software.
You may be able to disable Windows Defender temporarily while installing Scoop.
Yes, but since scoop is designed to work perfectly without admin rights, you can't have disabling Windows Defender as an install step. Is Defender reporting what malware it thinks scoop is?
Is Defender reporting what malware it thinks scoop is?
Yes, it's very likely to be Windows Defender (or SmartScreen maybe) unless you have a third-party antivirus installed.
@Calinou @jedieaston You both nailed it, thank you! I have Mcafee LiveSafe installed with Windows Defender set to "These settings are managed by vendor application McAfee Personal Firewall" and my error was recorded with McAfee LiveSafe firewall and Real-Time Scanning turned off. Opening up Windows Defender advanced settings I found that the Defender firewall was indeed still turned on. I thought that McAfee disabled Windows Defender Firewall to run its own firewall, but both were actually on and Defender was blocking the install as malware. I ran install again after disabling both with success:
PowerShell 7.0.3
Copyright (c) Microsoft Corporation. All rights reserved.
https://aka.ms/powershell
Type 'help' to get help.
PS C:\Users\ckwwi> Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://get.scoop.sh')
Initializing...
Downloading scoop...
Extracting...
Creating shim...
Downloading main bucket...
Extracting...
Adding ~\scoop\shims to your path.
'lastupdate' has been set to '2020-08-28T11:03:55.4318437-06:00'
Scoop was installed successfully!
Type 'scoop help' for instructions.
@narsinallamilli You'll most likely need to install Windows Powershell Version 7.x.x to eliminate this install error as noted in the wiki here: https://github.com/lukesampson/scoop/wiki/Antivirus-false-positive
Once you have Powershell 7 installed you need to make sure that you install Scoop using Powershell 7 instead of 5.1. Powershell 7 installs alongside 5.1, so both can be run from Windows and are stored as separate programs. You can either open a specific instance of Powershell 7 to execute the install, or you can execute it from Command Prompt. Note that the command "powershell" from Command Prompt executes v5.1, so use the "pwsh" command to execute v7.x.x, then install Scoop as documented in the tutorial.
@chrisbigboulder @jedieaston @Calinou I’m deeply grateful! You helped me a lot. I spent a long time trying to install Chocolatey and the problem was the Windows Defender with Mcafee LiveSafe.
Did not work on my laptop; I disabled both antivirus programs, but the same message is still showing.
Hi, I tried to install scoop on a PC with McAfee and got the following error:
User ran C:\Program Files\WindowsApps\Microsoft.PowerShell_7.1.0.0_x64__8wekyb3d8bbwe\pwsh.exe. The Trojan named AMSI-FHR!AACF0989324C was detected but wasn't blocked because AMSI was set to Observe mode.
Analyzer / Detector
Analyzer content creation date 13.1.2021 10:17 AM
Product name McAfee Endpoint Security
Product version 10.6.1
Task name AMSIScan
Feature name AMSI
Threat
Action taken Would Block
Threat category Malware detected
Threat event ID 34937
Threat handled No
Threat name AMSI-FHR!AACF0989324C
Threat severity Critical
Threat timestamp 14.1.2021 4:23 PM
Threat type Trojan
Source
Source description "C:\Program Files\WindowsApps\Microsoft.PowerShell_7.1.0.0_x64__8wekyb3d8bbwe\pwsh.exe"
Source hostName --redacted--
Source process name C:\Program Files\WindowsApps\Microsoft.PowerShell_7.1.0.0_x64__8wekyb3d8bbwe\pwsh.exe
Target
Target hash --redacted--
Target host name --redacted--
Target user name User
Other
Vector type Local System
Cleanable Yes
Detection message McAfee Endpoint Security detected a threat.
Duration before detection (days) 0
Description User ran C:\Program Files\WindowsApps\Microsoft.PowerShell_7.1.0.0_x64__8wekyb3d8bbwe\pwsh.exe. The Trojan named AMSI-FHR!AACF0989324C was detected but wasn't blocked because AMSI was set to Observe mode.
First action status Succeeded
First attempted action Would Block
Scoop unpacks and seems to work (at least scoop help works), but paths (env. PATH) are not set and quick app search from the start menu does not see applications.
Powershell 7.10 was installed from MS Store.
Unfortunately, I don't have full control over this PC and cannot create antivirus exception or anything similar.
Hi, this issue seems to be back; now just doing scoop update * already triggers it:
On my PC I only have Windows Defender.
Add an exception for the Scoop folder in your Defender settings
Add an exception for the Scoop folder in your Defender settings
Not a solution, since that requires admin rights. Do you have any other antivirus software besides Defender installed?
On my PC I only have Windows Defender.
I cannot add an exception for Windows Defender as I have partial admin rights and the Windows Defender exceptions are handled by the administrator.
By the way, this is the report on Windows Defender:
The only allowed action is Quarantine
What is the output of Get-ExecutionPolicy?
❯ Get-ExecutionPolicy
RemoteSigned
Can you run Set-ExecutionPolicy -Scope CurrentUser Unrestricted and then try updating again?
Also what is the output of scoop config SCOOP_REPO?
Can you run Set-ExecutionPolicy -Scope CurrentUser Unrestricted and then try updating again?
Same problem
Also what is the output of scoop config SCOOP_REPO?
It doesn't even return a value as it shows the same error. I am using shovel (scoop-core) but tried going back to scoop only and the error is also there with plain scoop.
The use of any forks (shovel etc.) is not supported by Scoop and from all the other cases I have seen here, going back to original scoop is not possible as of now.
To confirm if the problem occurs with scoop itself (and not shovel), can you try uninstalling everything related to scoop and reinstalling?
Or perhaps install the original scoop in a different location and retry.
Sorry if I was not clear enough, by "going back to scoop only" I meant that I uninstalled shovel (removed the ~/scoop folder) and used the installation script to install scoop from scratch.
The installation script works and I'm able to install 1 or 2 packages for some minutes (~5 min) but then AMSI kicks in and none of the scoop commands work anymore.
The installation script works and I'm able to install 1 or 2 packages for some minutes (~5 min) but then AMSI kicks in and none of the scoop commands work anymore.
That's really strange. I'm at a loss. Maybe others can suggest something.
Same issue, also getting detected as Virtool:PowerShell/PoshC2.gen!C
I can't even git clone it. I've pinpointed the issue to the shim function in core.ps1; when removing the code in the function I can clone it again.
The shim function is used to copy a binary and create a shim. You can find the binaries here https://github.com/ScoopInstaller/Scoop/tree/master/supporting along with their checksums to verify them individually.
Also the function Optimize-SecurityProtocol triggers it; after removing this method and the shim function I can run scoop again without Defender spouting out a warning.
Did some more testing: it's only Optimize-SecurityProtocol that triggers it; the shim function is not impacted.
So for those with problems, remove the Optimize-SecurityProtocol function and the call to it.
Maybe related?
Kaspersky reports:
C:\Users\sgarcia\scoop\apps\scoop\current\supporting\shims\rshim\shim.exe Exploit.Win32.UAC.hwb
You can try to change the shim executable in %USERPROFILE%\.config\scoop\config.json:
{
"lastupdate": "...",
"shim": "kiennq"
}
Possible values: https://github.com/ScoopInstaller/Scoop/blob/59088a9f0094ecaa0c36793eef232b3af237a59b/lib/core.ps1#L620-L622
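The two things asked for above (which threat name Defender actually attached to the Scoop files, and switching the shim value in config.json) can be scripted. This is an added example, not code from the Scoop project or from anyone in this thread; it assumes the built-in Defender PowerShell module (Get-MpThreat / Get-MpThreatDetection) and the config.json path named above, and the function names are my own.

```powershell
# Added example (not Scoop's own code): triage helpers for the Defender/AMSI
# false positive discussed in this thread. Reading detections needs no admin.

# 1. List Defender detections whose flagged resource lives under a scoop path,
#    resolving the threat name so you can quote it in a false-positive submission.
function Get-ScoopDetection {
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match 'scoop' } |
        ForEach-Object {
            [pscustomobject]@{
                When       = $_.InitialDetectionTime
                ThreatName = $names[$_.ThreatID]
                Resources  = ($_.Resources -join '; ')
                Process    = $_.ProcessName
            }
        }
}

# 2. Switch the "shim" value in Scoop's config.json (default here is the
#    "kiennq" value suggested above), keeping a backup of the previous file.
function Set-ScoopShim {
    param([string]$Shim = 'kiennq')
    $path = Join-Path $env:USERPROFILE '.config\scoop\config.json'
    if (-not (Test-Path $path)) { throw "Scoop config not found: $path" }
    Copy-Item $path "$path.bak" -Force
    $cfg = Get-Content $path -Raw | ConvertFrom-Json
    if ($cfg.PSObject.Properties['shim']) {
        $cfg.shim = $Shim
    } else {
        $cfg | Add-Member -NotePropertyName shim -NotePropertyValue $Shim
    }
    $cfg | ConvertTo-Json | Set-Content $path -Encoding UTF8
    $cfg
}

# Usage: compare the policy with the RemoteSigned output quoted above, then
# look at what was flagged before changing anything.
Get-ExecutionPolicy -List
Get-ScoopDetection | Format-Table -AutoSize
Set-ScoopShim -Shim 'kiennq'
```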
I have submitted core.ps1 to Microsoft - submission id 8c45225d-b640-4dc2-9def-a795ad612f16. Hoping to get this false alert lifted for all 🙏
@arichtman did they get back to you? Was there a ticket number? Ideally point them back here.
I don't recall seeing anything come back to me. The ticket number was 8c45225d-b640-4dc2-9def-a795ad612f16, but Windows Defender submissions only retain 30 days of history. https://www.microsoft.com/en-us/wdsi/submissionhistory
Closing this as it's not something that can be fixed in Scoop core.