
Scoop Windows install is being blocked by antivirus

Open narsinallamilli opened this issue 3 years ago • 28 comments

PS C:\Users\Narsi Nallamilli> Get-Host | Select-Object Version                  
Version
-------
5.1.18362.752

PS C:\Users\Narsi Nallamilli> iwr -useb get.scoop.sh | iex                      
iex : At line:1 char:1
+ #Requires -Version 5
+ ~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:26
+ iwr -useb get.scoop.sh | iex
+                          ~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand

narsinallamilli avatar Aug 24 '20 02:08 narsinallamilli

Having the same issue here, but with PowerShell 7.0.3 as suggested in the Wiki, please advise:

Microsoft Windows [Version 10.0.19041.450]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\Users\ckwwi>pwsh
PowerShell 7.0.3
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/powershell
Type 'help' to get help.

PS C:\Users\ckwwi> Set-ExecutionPolicy RemoteSigned -scope CurrentUser
PS C:\Users\ckwwi> Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://get.scoop.sh')
ParserError:
Line |
   1 | Invoke-Expression (New-Object System.Net.WebClient).DownloadString('h …
     | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | This script contains malicious content and has been blocked by your antivirus software.

PS C:\Users\ckwwi> iwr -useb get.scoop.sh | iex
Invoke-Expression:
Line |
   1 | iwr -useb get.scoop.sh | iex
     |                          ~~~
     | This script contains malicious content and has been blocked by your antivirus software.

chrisbigboulder avatar Aug 27 '20 18:08 chrisbigboulder

You may be able to disable Windows Defender temporarily while installing Scoop.

Calinou avatar Aug 27 '20 22:08 Calinou

Yes, but since scoop is designed to work perfectly without admin rights, you can't have disabling Windows Defender as an install step. Is Defender reporting what malware it thinks scoop is?

jedieaston avatar Aug 28 '20 12:08 jedieaston

Is Defender reporting what malware it thinks scoop is?

Yes, it's very likely to be Windows Defender (or SmartScreen maybe) unless you have a third-party antivirus installed.

Calinou avatar Aug 28 '20 13:08 Calinou

I've just found out this also makes it impossible to open two shells and start two render processes simultaneously! I was at a very slow rendering, with more than 3000s still to go when I tried to speed things up and render another one in another shell... Bad mistake, to my astonishment it not only didn't work but also broke the first one!! 😞

chrisbigboulder avatar Aug 28 '20 17:08 chrisbigboulder

@chrisbigboulder @jedieaston @Calinou I'm deeply grateful! You helped me a lot. I spent a long time trying to install Chocolatey, and the problem was Windows Defender together with McAfee LiveSafe.

luanjesus avatar Jan 02 '21 20:01 luanjesus

Did not work on my laptop. I disabled both antivirus products, but the same message is still showing.

kunalkishoresharma avatar Jan 13 '21 12:01 kunalkishoresharma

Hi, I tried to install scoop on a PC with McAfee and got the following error:

User ran C:\Program Files\WindowsApps\Microsoft.PowerShell_7.1.0.0_x64__8wekyb3d8bbwe\pwsh.exe. The Trojan named AMSI-FHR!AACF0989324C was detected but wasn't blocked because AMSI was set to Observe mode.

Analyzer / Detector
  Analyzer content creation date: 13.1.2021 10:17 AM
  Product name:                   McAfee Endpoint Security
  Product version:                10.6.1
  Task name:                      AMSIScan
  Feature name:                   AMSI

Threat
  Action taken:     Would Block
  Threat category:  Malware detected
  Threat event ID:  34937
  Threat handled:   No
  Threat name:      AMSI-FHR!AACF0989324C
  Threat severity:  Critical
  Threat timestamp: 14.1.2021 4:23 PM
  Threat type:      Trojan

Source
  Source description:  "C:\Program Files\WindowsApps\Microsoft.PowerShell_7.1.0.0_x64__8wekyb3d8bbwe\pwsh.exe"
  Source hostName:     --redacted--
  Source process name: C:\Program Files\WindowsApps\Microsoft.PowerShell_7.1.0.0_x64__8wekyb3d8bbwe\pwsh.exe

Target
  Target hash:      --redacted--
  Target host name: --redacted--
  Target user name: User

Other
  Vector type:                       Local System
  Cleanable:                         Yes
  Detection message:                 McAfee Endpoint Security detected a threat.
  Duration before detection (days):  0
  Description:                       User ran C:\Program Files\WindowsApps\Microsoft.PowerShell_7.1.0.0_x64__8wekyb3d8bbwe\pwsh.exe. The Trojan named AMSI-FHR!AACF0989324C was detected but wasn't blocked because AMSI was set to Observe mode.
  First action status:               Succeeded
  First attempted action:            Would Block

Scoop unpacks and seems to work (at least scoop help works), but the PATH environment variable is not set and the quick app search from the Start menu does not see the applications.

PowerShell 7.1.0 was installed from the MS Store.

Unfortunately, I don't have full control over this PC and cannot create antivirus exception or anything similar.

diggit avatar Jan 14 '21 20:01 diggit

Hi, this issue seems to be back; now just running scoop update * already triggers it:

[image]

On my PC I only have Windows Defender.

jmigual avatar Nov 11 '21 10:11 jmigual

Add an exception for the Scoop folder in your Defender settings

rashil2000 avatar Nov 11 '21 10:11 rashil2000

Add an exception for the Scoop folder in your Defender settings

Not a solution, since that requires admin rights. Do you have any other antivirus software besides Defender installed?

jedieaston avatar Nov 11 '21 11:11 jedieaston

In my pc I only have Windows Defender.

rashil2000 avatar Nov 11 '21 11:11 rashil2000

I cannot add an exception for Windows Defender as I have partial admin rights and the Windows Defender exceptions are handled by the administrator.

jmigual avatar Nov 11 '21 12:11 jmigual

By the way, this is the report on Windows Defender:

[image: Windows Defender report] The only allowed action is Quarantine.

jmigual avatar Nov 11 '21 12:11 jmigual

What is the output of Get-ExecutionPolicy?

rashil2000 avatar Nov 11 '21 13:11 rashil2000

❯ Get-ExecutionPolicy
RemoteSigned

jmigual avatar Nov 11 '21 13:11 jmigual

Can you run Set-ExecutionPolicy -Scope CurrentUser Unrestricted and then try updating again?

Also what is the output of scoop config SCOOP_REPO?

rashil2000 avatar Nov 11 '21 13:11 rashil2000

Can you run Set-ExecutionPolicy -Scope CurrentUser Unrestricted and then try updating again?

Same problem

Also what is the output of scoop config SCOOP_REPO?

It doesn't even return a value as it shows the same error. I am using shovel (scoop-core) but tried going back to scoop only and the error is also there with plain scoop.

jmigual avatar Nov 11 '21 15:11 jmigual

The use of any forks (shovel etc.) is not supported by Scoop and from all the other cases I have seen here, going back to original scoop is not possible as of now.

To confirm if the problem occurs with scoop itself (and not shovel), can you try uninstalling everything related to scoop and reinstalling?

Or perhaps install the original scoop in a different location and retry.

rashil2000 avatar Nov 11 '21 15:11 rashil2000

Sorry if I was not clear enough, by "going back to scoop only" I meant that I uninstalled shovel (removed the ~/scoop folder) and used the installation script to install scoop from scratch.

The installation script works and I'm able to install 1 or 2 packages for some minutes (~5 min) but then AMSI kicks in and none of the scoop commands work anymore.

jmigual avatar Nov 12 '21 08:11 jmigual

The installation script works and I'm able to install 1 or 2 packages for some minutes (~5 min) but then AMSI kicks in and none of the scoop commands work anymore.

That's really strange. I'm at a loss. Maybe others can suggest something.

rashil2000 avatar Nov 12 '21 08:11 rashil2000

Same issue, also getting detected as Virtool:PowerShell/PoshC2.gen!C. I can't even git clone it. I've pinpointed the issue to the shim function in core.ps1; when I remove the code in that function I can clone it again.

42wim avatar Nov 12 '21 17:11 42wim

The shim function is used to copy a binary and create a shim. You can find the binaries here https://github.com/ScoopInstaller/Scoop/tree/master/supporting along with their checksums to verify them individually.

rashil2000 avatar Nov 12 '21 17:11 rashil2000

The function Optimize-SecurityProtocol also triggers it. After removing this method and the shim function, I can run scoop again without Defender spouting out a warning.

42wim avatar Nov 12 '21 17:11 42wim

Did some more testing: it's only Optimize-SecurityProtocol that triggers it; the shim function is not impacted. So for those with problems, remove the Optimize-SecurityProtocol function and the call to it.

42wim avatar Nov 12 '21 17:11 42wim
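The bisection described in the comments above (removing functions from core.ps1 until the AMSI verdict goes away) can be automated. The following is an added example, not Scoop's own code: it parses a script with PowerShell's own parser, defines each top-level function in isolation, and reports which definitions AMSI rejects with the `ScriptContainedMaliciousContent` error seen earlier in this thread. The path to core.ps1 is an assumption (a default Scoop install); any local .ps1 works, including the installer saved to disk with `Invoke-WebRequest -UseBasicParsing get.scoop.sh -OutFile .\install.ps1` instead of piping it to `iex`.

```powershell
# Added example (not Scoop project code): report which top-level function
# definitions in a PowerShell file trip AMSI when each is defined on its own.
# Assumption: $Path is a local copy of the script under test, e.g. Scoop's
# lib/core.ps1 or the installer saved to disk.
function Find-AmsiFlaggedFunction {
    param([Parameter(Mandatory)][string]$Path)

    $tokens = $null; $parseErrors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile(
        (Resolve-Path -LiteralPath $Path).Path, [ref]$tokens, [ref]$parseErrors)
    if ($parseErrors.Count) {
        throw "Could not parse ${Path}: $($parseErrors[0].Message)"
    }

    # Top-level function definitions only; nested script blocks are not descended into,
    # so top-level statements outside any function are not covered by this check.
    $functions = $ast.FindAll({ param($node)
        $node -is [System.Management.Automation.Language.FunctionDefinitionAst] }, $false)

    foreach ($fn in $functions) {
        $state = 'clean'
        try {
            # Defining the function sends its text through AMSI; the body is not executed.
            # On an AMSI block PowerShell raises a ParseException whose
            # FullyQualifiedErrorId starts with ScriptContainedMaliciousContent.
            Invoke-Expression $fn.Extent.Text -ErrorAction Stop
        } catch {
            if ($_.FullyQualifiedErrorId -like 'ScriptContainedMaliciousContent*') {
                $state = 'FLAGGED'
            } else {
                throw   # a genuine parse or runtime error, not an AMSI verdict
            }
        }
        [pscustomobject]@{
            Function = $fn.Name
            Line     = $fn.Extent.StartLineNumber
            State    = $state
        }
    }
}

# Usage: list only the functions the local AMSI provider rejects.
Find-AmsiFlaggedFunction -Path "$env:USERPROFILE\scoop\apps\scoop\current\lib\core.ps1" |
    Where-Object State -eq 'FLAGGED' | Format-Table -AutoSize
```

Two caveats: the verdict comes from whichever AMSI provider is registered on the machine, so results differ between Defender, McAfee and others; and a provider running in observe mode (as in the McAfee report above) logs the detection without blocking, so this check reports everything as clean even though the product still flags it.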

Maybe related?

Kaspersky reports:

C:\Users\sgarcia\scoop\apps\scoop\current\supporting\shims\rshim\shim.exe Exploit.Win32.UAC.hwb

sgarcialaguna avatar Nov 24 '21 10:11 sgarcialaguna

You can try changing the shim executable in %USERPROFILE%\.config\scoop\config.json:

{
    "lastupdate": "...",
    "shim": "kiennq"
}

Possible values: https://github.com/ScoopInstaller/Scoop/blob/59088a9f0094ecaa0c36793eef232b3af237a59b/lib/core.ps1#L620-L622

philippe-granet avatar Nov 24 '21 20:11 philippe-granet
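Two things come up in the comments above: verifying the shim binaries against their published checksums (rashil2000's suggestion) and switching the configured shim in config.json (philippe-granet's suggestion). The following added example, which is not Scoop's own code, does both from PowerShell. Assumptions: the shim binaries live under Scoop's `supporting\shims` directory, the checksum file uses the `sha256sum` layout (`<hex>  <filename>` per line; the file name `checksum.sha256` is an assumption), and the shim name passed to `Set-ScoopShim` is one that core.ps1 accepts (`kiennq` from the comment above).

```powershell
# Added example (not Scoop project code). Assumptions: shim binaries under
# supporting\shims, a sha256sum-style checksum file (name assumed), and a
# shim value core.ps1 accepts.
function Test-ShimChecksum {
    param(
        [Parameter(Mandatory)][string]$ShimDir,
        [Parameter(Mandatory)][string]$ChecksumFile
    )
    foreach ($line in Get-Content -LiteralPath $ChecksumFile) {
        # "<64 hex chars>  [*]relative\path"; blank and comment lines are skipped
        if ($line -notmatch '^\s*([0-9a-fA-F]{64})\s+\*?(.+?)\s*$') { continue }
        $expected = $Matches[1].ToLowerInvariant()
        $relative = $Matches[2]
        $file = Join-Path $ShimDir $relative
        if (-not (Test-Path -LiteralPath $file)) {
            # A quarantined file simply disappears, so MISSING is the typical AV symptom.
            $state = 'MISSING'; $actual = $null
        } else {
            $actual = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash.ToLowerInvariant()
            $state = if ($actual -eq $expected) { 'OK' } else { 'MISMATCH' }
        }
        [pscustomobject]@{ File = $relative; State = $state; Expected = $expected; Actual = $actual }
    }
}

function Set-ScoopShim {
    param(
        [Parameter(Mandatory)][string]$ConfigFile,
        [Parameter(Mandatory)][string]$Shim
    )
    # Preserve the other keys (lastupdate, SCOOP_REPO, ...) and only set "shim".
    $config = if ((Test-Path -LiteralPath $ConfigFile) -and
                  (Get-Item -LiteralPath $ConfigFile).Length -gt 0) {
        Get-Content -Raw -LiteralPath $ConfigFile | ConvertFrom-Json
    } else {
        [pscustomobject]@{}
    }
    if ($config.PSObject.Properties['shim']) {
        $config.shim = $Shim
    } else {
        $config | Add-Member -NotePropertyName shim -NotePropertyValue $Shim
    }
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $ConfigFile) | Out-Null
    $config | ConvertTo-Json -Depth 5 | Set-Content -LiteralPath $ConfigFile -Encoding UTF8
    $config
}

# Usage (paths assumed from a default Scoop install).
$scoopRoot = "$env:USERPROFILE\scoop\apps\scoop\current"
# checksum.sha256 is an assumed file name; adjust to the file shipped in supporting\shims
Test-ShimChecksum -ShimDir "$scoopRoot\supporting\shims" `
                  -ChecksumFile "$scoopRoot\supporting\shims\checksum.sha256" |
    Format-Table -AutoSize
Set-ScoopShim -ConfigFile "$env:USERPROFILE\.config\scoop\config.json" -Shim 'kiennq'
```

A MISMATCH means the file on disk is not the one the repository published (worth treating as a real finding, not just an AV false positive), while MISSING usually means the antivirus quarantined it, which matches the Kaspersky report above. Switching the shim only helps if the detection is on the shim binary; it does nothing for the AMSI verdict on core.ps1 discussed earlier.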

I have submitted core.ps1 to Microsoft - submission id 8c45225d-b640-4dc2-9def-a795ad612f16. Hoping to get this false alert lifted for all 🙏

arichtman avatar Jun 03 '22 00:06 arichtman

@arichtman did they get back to you? Was there a ticket number? Ideally point them back here.

jcrben avatar Sep 10 '23 19:09 jcrben

I don't recall seeing anything come back to me. The ticket number was 8c45225d-b640-4dc2-9def-a795ad612f16 but Windows Defender submissions only retains 30 days of history. https://www.microsoft.com/en-us/wdsi/submissionhistory

arichtman avatar Sep 12 '23 07:09 arichtman