
Import-Module PSFramework stopped working #517

Open
EMarcais opened this issue May 3, 2022 · 8 comments

Comments

@EMarcais

EMarcais commented May 3, 2022

Hi guys,

I have been using your wonderful module for the last two years and basically use it heavily for logging purposes.
This started, I think, with the installation of this Windows update on my setup:
https://support.microsoft.com/en-us/topic/april-12-2022-kb5012599-os-builds-19042-1645-19043-1645-and-19044-1645-548cc67c-7f12-46fd-878e-589ba81ac2f5

The errors I get are:

  • from my profile:
    [image]
  • when running Import-Module:
    [image]

I have installed Symantec Endpoint Protection and Carbon Black Cloud Sensor as security tools, and Defender is turned off.
The facts are:

  • a VM I use, installed with MS Windows Server 2016 Standard and with the same security tools, runs smoothly.

Here is the detailed information about my setup:
❯ [System.Environment]::OSVersion.Version

Major Minor Build Revision
10 0 19042 0

❯ Get-ComputerInfo | select WindowsProductName, WindowsVersion, OsHardwareAbstractionLayer

WindowsProductName WindowsVersion OsHardwareAbstractionLayer
Windows 10 Enterprise 2009 10.0.19041.1566

❯ systeminfo /fo csv | ConvertFrom-Csv | select OS*, System*, Hotfix* | Format-List

OS Name : Microsoft Windows 10 Enterprise
OS Version : 10.0.19042 N/A Build 19042
OS Manufacturer : Microsoft Corporation
OS Configuration : Member Workstation
OS Build Type : Multiprocessor Free
System Boot Time : 02/05/2022, 09:12:15
System Manufacturer : Dell Inc.
System Model : Latitude 7420
System Type : x64-based PC
System Directory : C:\windows\system32
Hotfix(s) : 15 Hotfix(s) Installed.,[01]: KB5012117,[02]: KB4562830,[03]: KB4570334,[04]: KB4577586,[05]: KB4580325,[06]: KB4586864,[07]: KB4589212,[08]: KB5003304,[09]: KB5005716,[10]:
KB5012599,[11]: KB5006753,[12]: KB5007273,[13]: KB5011352,[14]: KB5011651,[15]: KB5005260

Many thanks for your help

@EMarcais
Author

EMarcais commented May 6, 2022

Carbon Black came back with the only solution they could find and put me in a ByPass policy as of now. It's related to their security policy, but they can't find what exactly triggers the blockage. I will let them research and close this one as a miss.

@EMarcais EMarcais closed this as completed May 6, 2022
@FriedrichWeinmann
Member

Glad you got unblocked, but can't say I'm happy they have issues with my project.
If it will help, I'm happy to have a discussion with one of their tech folks.
They can contact me any time via my corporate email address (<givenname>.<surname>@microsoft.com)

@EMarcais
Author

EMarcais commented May 9, 2022

I will reach out to them and inform them you are available for research! Many thanks for your response and time maintaining this incredible tool!

@hotsauce-v2

I identified I am encountering the same issue with Carbon Black and PSFramework. I likely will open up a case with them as well.

@EMarcais EMarcais reopened this Jun 13, 2022
@EMarcais
Author

More context from the Carbon Black team. They told me that Carbon Black is leveraging an anti-malware tool that is flagging something in PSFramework. They are trying to implement something to cover this, but maybe you will have better luck.

@hotsauce-v2

Carbon Black support told me that it was simply up to each individual environment to determine how they want to respond to their alerts (such as this one, flagged as obfuscated techniques/code), and that the tool doesn't indicate which lines of the PS module are considered malicious or suspicious. I inquired whether there was a feedback component to Carbon Black to submit the file for analysis, have the vendor contact Carbon Black, etc., but support said that this doesn't exist.

@FriedrichWeinmann
Member

FriedrichWeinmann commented Jun 13, 2022

Too bad :(
I can see why they wouldn't want to expose their detection criteria though (lest they be gamed by bad actors).
Oh well, "Obfuscated" is already one more piece of information. Maybe something I can try and nail down with the good ol' Revoke-Obfuscation project to help narrow down the file.
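One way to do that narrowing, as an added example that is neither PSFramework's code nor Revoke-Obfuscation itself: walk the installed module's script files and score each one with the built-in PowerShell parser against a handful of textbook obfuscation indicators (the regex list is an approximation assumed for illustration, not any vendor's detection rules), so the highest-scoring files can be reviewed first. It assumes PSFramework is installed and discoverable by Get-Module.

```powershell
# Added triage example (not part of the PSFramework project): rank a module's script
# files by simple obfuscation indicators to see which file a heuristic is likely reacting to.
param(
    # Assumption: PSFramework is installed; otherwise pass -ModulePath explicitly.
    [string]$ModulePath = (Get-Module PSFramework -ListAvailable | Select-Object -First 1).ModuleBase
)

# Approximate indicators commonly weighted by obfuscation heuristics (illustrative, not a vendor rule set).
$indicators = @{
    InvokeExpression = '(?i)\b(Invoke-Expression|iex)\b'   # dynamic code evaluation
    Base64           = '(?i)FromBase64String'              # encoded payload decoding
    CharCasting      = '\[char\]\s*\d'                     # building strings from char codes
    FormatOperator   = '\{\d+\}.*-f\b'                     # reassembling strings with -f
    BacktickInString = '"[^"\n]*`[^"\n]*"'                 # backtick-laden double-quoted strings
    JoinOperator     = '(?i)-join\b'                       # concatenating string fragments
}

function Measure-ScriptIndicators {
    param([string]$Path)
    $tokens = $null; $errors = $null
    # Tokenize with the real PowerShell parser rather than guessing from text alone.
    $null = [System.Management.Automation.Language.Parser]::ParseFile($Path, [ref]$tokens, [ref]$errors)
    $text = Get-Content -Path $Path -Raw
    $result = [ordered]@{ File = $Path; Lines = ($text -split "`n").Count }
    foreach ($name in $indicators.Keys) {
        $result[$name] = ([regex]::Matches($text, $indicators[$name])).Count
    }
    # Share of string tokens among all tokens: string-heavy files are a typical secondary signal.
    $stringTokens = @($tokens | Where-Object { $_.Kind -match 'String' }).Count
    $result['StringRatio'] = if ($tokens.Count) { [math]::Round($stringTokens / $tokens.Count, 2) } else { 0 }
    $result['Score'] = ($indicators.Keys | ForEach-Object { $result[$_] } | Measure-Object -Sum).Sum
    [pscustomobject]$result
}

Get-ChildItem -Path $ModulePath -Recurse -Include *.ps1, *.psm1 |
    ForEach-Object { Measure-ScriptIndicators -Path $_.FullName } |
    Sort-Object Score -Descending |
    Select-Object -First 15 |
    Format-Table File, Score, StringRatio, InvokeExpression, Base64, CharCasting -AutoSize
```

A high score only says a file is worth a human look; legitimate logging code can match several indicators, which is exactly why a vendor's opaque verdict needs a file-by-file review.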

@Geo-Ron

Geo-Ron commented Dec 19, 2022

Issue seems related to dbatools issue dataplat/dbatools#8241
We are currently working with CB support on this issue
