jaredcatkinson / PSReflect-Functions

Module to provide PowerShell functions that abstract Win32 API functions
BSD 3-Clause "New" or "Revised" License

Failed to install: Windows Defender flags package #19

Open ShadowLNC opened 3 years ago

ShadowLNC commented 3 years ago

I get the following when trying to install:

Install-Package: C:\program files\powershell\7\Modules\PowerShellGet\PSModule.psm1:9711
Line |
9711 |  … talledPackages = PackageManagement\Install-Package @PSBoundParameters
     |                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Package 'PSReflect-Functions' failed to be installed because: Operation did not complete successfully
     | because the file contains a virus or potentially unwanted software. :
     | 'C:\Users\Scott\AppData\Local\Temp\e5unvpcv\PSReflect.ps1'

Windows Defender also flags "HackTool:PowerShell/PowerView" on the same file.

jaredcatkinson commented 3 years ago

Hey Scott,

Unfortunately the module is built on PSReflect, which is not inherently malicious but has been used with a lot of PowerShell-based hacking tools. This is a situation where PSReflect is more likely to be used for nefarious purposes than legitimate purposes (like PSReflect-Functions), and as a result Defender errs on the side of caution and labels it as a virus. My recommendation depends on your use case.

  1. If you are just interested in playing around with this in a test lab, then you can simply disable Defender to solve the problem. You may have to re-download the module because Defender sometimes quarantines a couple of files.
  2. If you plan to use this in production, then it is possible to create an exception for the file in Defender. Just be aware that any time you create an exception you are creating a potential blind spot. So I recommend potentially monitoring that location via a different non-preventative solution.
  3. If you aren't comfortable with the exception, it is possible to achieve similar results without reflection using a technique called Platform Invoke (P/Invoke). This method is used frequently in the C# source code and serves as a base for the capabilities of many .NET classes. If you are using P/Invoke from PowerShell, you will be compiling code as part of your script, which can leave compilation artifacts in the form of files on the file system. These artifacts aren't ideal in forensic or red teaming scenarios, and avoiding them was the original use case for PSReflect.

I hope this helps. Please let me know if you are interested in further clarification.
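As an added illustration of the third option above (example code, not part of the PSReflect-Functions project or of either commenter's reply): calling a Win32 API from PowerShell through P/Invoke with Add-Type, and snapshotting $env:TEMP around the compile so any compilation artifacts the maintainer mentions are visible. GetTickCount64 and GetCurrentProcessId are real kernel32 exports; the wrapper class name PInvokeDemo and the helper names are this example's own choices, and the note about which PowerShell editions write temp files is an assumption, not something the thread states.

```powershell
# Added example: P/Invoke from PowerShell via Add-Type, with a before/after
# snapshot of $env:TEMP to surface compiler artifacts left on disk.
# PInvokeDemo is a hypothetical wrapper class name chosen for this example.

$signature = @'
using System;
using System.Runtime.InteropServices;

public static class PInvokeDemo
{
    // Real kernel32.dll exports; both are harmless read-only queries.
    [DllImport("kernel32.dll")]
    public static extern ulong GetTickCount64();

    [DllImport("kernel32.dll")]
    public static extern uint GetCurrentProcessId();
}
'@

function Get-TempFileSnapshot {
    # Full paths of every file directly under $env:TEMP, forced to an array
    # so Compare-Object works even when the directory is empty.
    @(Get-ChildItem -Path $env:TEMP -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName)
}

$before = Get-TempFileSnapshot

# Add-Type hands the C# to the .NET compiler and loads the result into the
# session. Assumption: Windows PowerShell 5.1 compiles through CodeDOM/csc.exe,
# which works in $env:TEMP, whereas PowerShell 7 compiles with Roslyn in memory.
# Guard so re-running the script in the same session does not fail on a
# duplicate type definition.
if (-not ('PInvokeDemo' -as [type])) {
    Add-Type -TypeDefinition $signature
}

$tick = [PInvokeDemo]::GetTickCount64()
$pid  = [PInvokeDemo]::GetCurrentProcessId()
Write-Output "Uptime (ms): $tick  Current PID: $pid"

$after = Get-TempFileSnapshot

# Anything present only in the 'after' snapshot appeared during compilation.
$artifacts = @(Compare-Object -ReferenceObject $before -DifferenceObject $after |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject)

if ($artifacts.Count -gt 0) {
    Write-Output "New files in $env:TEMP after Add-Type:"
    $artifacts | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "No new files observed in $env:TEMP (compiled in memory or cleaned up)."
}
```

Run it once under Windows PowerShell 5.1 and once under PowerShell 7 to see the difference the maintainer describes: the on-disk artifacts are exactly what a forensic reviewer would find, and what PSReflect's in-memory approach avoids. Because Add-Type does not trip Defender's PSReflect signature, this route also needs no exclusion path.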