
Installing OSDBuilder triggers malware warning.

Open epoch71 opened this issue 1 year ago • 9 comments

Got a warning re. malicious content when performing an import-module OSDBuilder today:

Suspicious activity blocked Feature: Antivirus PowerShell tried to load a malicious resource detected as Heur.BZC.ZFV.Boxter.341.C5E73568 and was blocked. Your device is safe.

Anyone else experienced this?

epoch71 avatar May 15 '23 15:05 epoch71

I have not experienced this because I only use OSDBuilder in an isolated VM with antivirus disabled.

Good information here: https://osdbuilder.osdeploy.com/docs/basics/requirements

alayac avatar May 15 '23 15:05 alayac

Please provide some details on the file that was detected, dig through the logs. Keep in mind that OSDBuilder hasn't been updated since February, so nothing has changed recently related to the Module.

OSDeploy avatar May 15 '23 18:05 OSDeploy

Sorry for the delay in replying.

The malware warning was triggered when running the "Import-Module OSDBuilder" command (immediately after running Install-Module).

I've attached a pic of the warning (flagged by BitDefender).

[image attachment: OSDBuilder_Warning]

There are no logs to dig through, since OSDBuilder is not yet installed on this machine. If there are other logs pertinent to this issue please direct me to them.

epoch71 avatar Jun 05 '23 08:06 epoch71

> There are no logs to dig through, since OSDBuilder is not yet installed on this machine. If there are other logs pertinent to this issue please direct me to them.

The logs for your AV are what need to be reviewed. There should be a clear log that defines which file in the Module is infected. I don't have or use BitDefender so I'm unable to replicate.

OSDeploy avatar Jun 05 '23 13:06 OSDeploy

Seems it's not happy with Get-PSCloudScript.ps1 for some reason.

```
PS C:\Users\Andrew> import-module osdbuilder

import-module : Failed to import function C:\Program Files\WindowsPowerShell\Modules\OSD\23.5.9.1\Public\Functions\CloudSecret\Get-PSCloudScript.ps1: At C:\Program Files\WindowsPowerShell\Modules\OSD\23.5.9.1\Public\Functions\CloudSecret\Get-PSCloudScript.ps1:1 char:1
+ <#
+ ~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:1
+ import-module osdbuilder
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Microsoft.PowerShell.Commands.ImportModuleCommand
```

epoch71 avatar Jun 05 '23 13:06 epoch71

Ok, so it's not an issue with OSDBuilder, it is an issue with OSD Module. Can you try the following command? Import-Module OSD -Force -Verbose

OSDeploy avatar Jun 05 '23 14:06 OSDeploy

Transcript attached. import-transcript.txt

epoch71 avatar Jun 05 '23 15:06 epoch71

This is most certainly a false positive for BitDefender. I suggest submitting a sample for them to look at. Here's a similar issue https://community.bitwarden.com/t/bitdefender-saying-bitwardens-install-script-has-a-virus/52789

OSDeploy avatar Jun 05 '23 16:06 OSDeploy
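The thread turns on two practical questions: which file in the module the AV engine actually objected to (the "dig through the logs" exchange above), and how to gather something concrete to send the vendor when the verdict looks like a false positive. The error text PowerShell printed, "This script contains malicious content and has been blocked by your antivirus software", is the message it emits when the registered AMSI provider blocks a script block, and the path in "Failed to import function <path>" names the file. The script below is an added example, not code from this issue or from the OSD/OSDBuilder project: it recovers that path from the Import-Module error, saves (without installing) the same module version from the PowerShell Gallery, and compares the two copies' SHA-256 hashes and Authenticode status. `$ModuleName`, `$WorkDir` and the scratch-directory layout are assumptions; the module is assumed to have come from the PowerShell Gallery.

```powershell
# Added example, not code from the issue thread or the OSD/OSDBuilder project.
# Triage a module file that an antivirus engine blocked during Import-Module:
#   1. recover the flagged file path from the Import-Module error,
#   2. compare its SHA-256 against a fresh, uninstalled copy of the same version from the PowerShell Gallery,
#   3. record the Authenticode status and the hash you would hand to the AV vendor with a sample.
# Assumptions: the module was installed from the PowerShell Gallery; $ModuleName and $WorkDir are placeholders.
param(
    [string]$ModuleName  = 'OSD',
    [string]$FlaggedFile = '',                                   # absolute path; empty = read it from the import error
    [string]$WorkDir     = (Join-Path $env:TEMP 'module-triage')
)

$ErrorActionPreference = 'Stop'

# Step 1: reproduce the import once and pull the blocked file's path out of the error text.
# PowerShell reports an AMSI block as "Failed to import function <path>: ... This script contains
# malicious content and has been blocked by your antivirus software."
if (-not $FlaggedFile) {
    try {
        Import-Module -Name $ModuleName -Force -ErrorAction Stop
        Write-Host "Import succeeded; nothing was blocked this time."
        return
    } catch {
        $m = [regex]::Match($_.Exception.Message, 'Failed to import function (?<path>.+?\.ps1):')
        if (-not $m.Success) {
            throw "Import failed, but the error did not name a blocked file: $($_.Exception.Message)"
        }
        $FlaggedFile = $m.Groups['path'].Value
    }
}
if (-not (Test-Path -LiteralPath $FlaggedFile)) { throw "Flagged file not found: $FlaggedFile" }

# Step 2: find the installed module version that owns the file, then save (not install) the same
# version from the gallery into a scratch directory so the two copies can be compared byte for byte.
# Note: real-time scanning may block or quarantine the saved copy too; that is itself a data point.
$installed = Get-Module -ListAvailable -Name $ModuleName |
    Where-Object { $FlaggedFile.StartsWith($_.ModuleBase, [System.StringComparison]::OrdinalIgnoreCase) } |
    Select-Object -First 1
if (-not $installed) { throw "$FlaggedFile is not inside any installed copy of $ModuleName" }

$relative = $FlaggedFile.Substring($installed.ModuleBase.Length).TrimStart('\')
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Save-Module -Name $ModuleName -RequiredVersion $installed.Version -Path $WorkDir -Force
$galleryCopy = Join-Path $WorkDir "$ModuleName\$($installed.Version)\$relative"   # Save-Module layout: <Name>\<Version>\

# Step 3: hashes, signature status, and a verdict. Identical hashes mean the gallery copy itself
# trips the engine (the false-positive case, or a bad package upstream, which the vendor can tell apart);
# a mismatch means the installed file differs from what the gallery ships and needs a closer look
# before anyone adds an exclusion for it.
$localHash   = (Get-FileHash -Algorithm SHA256 -LiteralPath $FlaggedFile).Hash
$galleryHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $galleryCopy).Hash
$signature   = Get-AuthenticodeSignature -FilePath $FlaggedFile

[pscustomobject]@{
    Module          = "$ModuleName $($installed.Version)"
    File            = $relative
    LocalSha256     = $localHash
    GallerySha256   = $galleryHash
    MatchesGallery  = ($localHash -eq $galleryHash)
    SignatureStatus = $signature.Status                 # NotSigned is common for gallery scripts; not a verdict by itself
    Signer          = $signature.SignerCertificate.Subject
}
```

Run it in the same session that produced the error (`.\Test-BlockedModuleFile.ps1 -ModuleName OSD`, the file name being the example's own); the resulting object is what to attach to the vendor submission. An exclusion, if one is warranted after the vendor confirms, is better scoped to the single file and version the object names than to the whole script directory, because a directory-wide exception also silences detections on anything later written there.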

Yeah, I thought as much. I added the OSD/OSDBuilder script locations to BitDefender's exceptions and was able to install the module without issues. Then when I did an Import-Media from an ISO I downloaded from Microsoft it started throwing malware detections at me during that process, for Microsoft DLLs.

Time to choose a new AV tool I think.

epoch71 avatar Jun 06 '23 13:06 epoch71