
Failed to install: Windows Defender flags package #19

Open
ShadowLNC opened this issue Apr 10, 2021 · 1 comment

Comments

@ShadowLNC

I get the following when trying to install:

Install-Package: C:\program files\powershell\7\Modules\PowerShellGet\PSModule.psm1:9711
Line |
9711 |  … talledPackages = PackageManagement\Install-Package @PSBoundParameters
     |                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Package 'PSReflect-Functions' failed to be installed because: Operation did not complete successfully
     | because the file contains a virus or potentially unwanted software. :
     | 'C:\Users\Scott\AppData\Local\Temp\e5unvpcv\PSReflect.ps1'

Windows Defender also flags "HackTool:PowerShell/PowerView" on the same file.

@jaredcatkinson
Owner

Hey Scott,

Unfortunately the module is built on PSReflect, which is not inherently malicious but has been used with a lot of PowerShell-based hacking tools. This is a situation where PSReflect is more likely to be used for nefarious purposes than legitimate purposes (like PSReflect-Functions), and as a result Defender errs on the side of caution and labels it as a virus. My recommendation depends on your use case.

  1. If you are just interested in playing around with this in a test lab, then you can simply disable defender to solve the problem. You may have to redownload the module because defender sometimes quarantines a couple files.
  2. If you plan to use this in production, then it is possible to create an exception for the file in defender. Just be aware that any time you create an exception you are creating a potential blind spot. So I recommend potentially monitoring that location via a different non-preventative solution.
  3. If you aren't comfortable with the exception, it is possible to achieve similar results without reflection using a technique called Platform/Invoke (P/Invoke). This method is used frequently in the C# source code and serves as a base for the capabilities of many .NET classes. If you are using P/Invoke from PowerShell, you will be compiling code as part of your script which can leave compilation artifacts in the form of files on the file system. These artifacts aren't ideal in forensic or red teaming scenarios and avoiding them was the original use case for PSReflect.

I hope this helps. Please let me know if you are interested in further clarification.
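The second recommendation above (a narrowly scoped Defender exclusion paired with a separate, non-preventative check on the excluded location) can be implemented as follows. This is an added example and is not code from the PSReflect-Functions project or from the comment author; it assumes the module files are already on disk in `$ModulePath` (the path is an assumption) and writes a constructed hash baseline to `$BaselinePath`. It uses the built-in `Add-MpPreference`, `Get-MpPreference`, `Get-FileHash` and `ConvertTo-Json` cmdlets only.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the PSReflect-Functions project.
# Scope a Defender exclusion to exactly one module directory (never a parent
# such as the whole Modules tree), then keep a SHA-256 baseline of that
# directory so that changes inside the blind spot are still detected.

$ModulePath   = 'C:\Program Files\PowerShell\Modules\PSReflect-Functions'          # assumed install location
$BaselinePath = Join-Path $env:ProgramData 'PSReflect-Functions.baseline.json'     # assumed baseline file

function Add-ScopedExclusion {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Module directory not found: $Path"
    }
    # Exclude only this directory.
    Add-MpPreference -ExclusionPath $Path
    # Read the setting back so a silently ignored request is not mistaken for success.
    $current = (Get-MpPreference).ExclusionPath
    if ($current -notcontains $Path) { throw "Exclusion was not applied for $Path" }
    return $current
}

function Save-FileBaseline {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$OutFile)
    # Record every file under the excluded directory with its SHA-256 hash.
    $entries = @(Get-ChildItem -LiteralPath $Path -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName
            Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    })
    # -InputObject keeps a single-file directory as a JSON array rather than one object.
    ConvertTo-Json -InputObject $entries | Set-Content -LiteralPath $OutFile -Encoding utf8
    return $entries
}

function Compare-FileBaseline {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$BaselineFile)
    # Build a lookup of the recorded hashes.
    $baseline = @{}
    foreach ($e in @(Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json)) {
        $baseline[$e.Path] = $e.Sha256
    }
    $findings = [System.Collections.Generic.List[object]]::new()
    $seen = @{}
    # Anything added to or modified inside the exclusion is reported.
    foreach ($f in Get-ChildItem -LiteralPath $Path -Recurse -File) {
        $seen[$f.FullName] = $true
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        if (-not $baseline.ContainsKey($f.FullName)) {
            $findings.Add([pscustomobject]@{ Path = $f.FullName; Change = 'Added' })
        } elseif ($baseline[$f.FullName] -ne $hash) {
            $findings.Add([pscustomobject]@{ Path = $f.FullName; Change = 'Modified' })
        }
    }
    # Files that disappeared since the baseline are reported too.
    foreach ($p in $baseline.Keys) {
        if (-not $seen.ContainsKey($p)) {
            $findings.Add([pscustomobject]@{ Path = $p; Change = 'Removed' })
        }
    }
    return $findings
}

function Remove-ScopedExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # Undo the exclusion when the module is no longer needed.
    Remove-MpPreference -ExclusionPath $Path
}

# Usage (elevated): register the exclusion and baseline once after placing the
# module on disk, then run the comparison on a schedule and alert on any finding.
# Add-ScopedExclusion -Path $ModulePath
# Save-FileBaseline -Path $ModulePath -OutFile $BaselinePath
# Compare-FileBaseline -Path $ModulePath -BaselineFile $BaselinePath
```

The comparison is deliberately read-only: it does not quarantine or block anything, which is the point of a non-preventative control layered on top of an exclusion. Re-run `Save-FileBaseline` only after a deliberate, verified update of the module, and store the baseline file somewhere the excluded directory cannot write to.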
