
dbatools is being flagged as malicious by FireEye Endpoint Security

Open jemmiegod opened this issue 2 years ago • 15 comments

Verified issue does not already exist?

Yes

What error did you receive?

ParserError: C:...\PowerShell\Modules\dbatools\1.1.80\allcommands.ps1:1
Line |
   1 | ### DO NOT EDIT THIS FILE DIRECTLY ###
     | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | This script contains malicious content and has been blocked by your antivirus software.

Steps to Reproduce

  • Open a new PowerShell terminal
  • Install-Module -MinimumVersion 1.1.80 -Name dbatools
  • Import-Module dbatools

Are you running the latest release?

Yes

Other details or mentions

There was a discussion a while back about this, but the issue seems to have reappeared https://github.com/PowerShell/PowerShell/issues/15396

I have tried multiple versions of dbatools without success. Versions that have previously worked for months no longer work. I have submitted this as a false positive to FireEye already.

What PowerShell host was used when producing this error

PowerShell Core (pwsh.exe), Windows PowerShell (powershell.exe), Windows PowerShell ISE (powershell_ise.exe), VS Code (terminal), VS Code (integrated terminal)

PowerShell Host Version

Name                       Value
----                       -----
PSVersion                  7.1.5
PSEdition                  Core
GitCommitId                7.1.5
OS                         Microsoft Windows 10.0.19042
Platform                   Win32NT
PSCompatibleVersions       {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion  2.3
SerializationVersion       1.1.0.1
WSManStackVersion          3.0

SQL Server Edition and Build number

Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) Sep 24 2019 13:48:23 Copyright (C) 2019 Microsoft Corporation Express Edition (64-bit) on Windows 10 Enterprise 10.0 <X64> (Build 19042: ) (Hypervisor)

.NET Framework Version

.NET 5.0.11

jemmiegod avatar Mar 15 '22 20:03 jemmiegod

I don't believe there is much we can do about this. There are certain issues with Defender as well flagging it too that I don't think have been fully fixed yet.

wsmelton avatar Mar 22 '22 02:03 wsmelton

We shipped some updates so this is probably not the case anymore. So I will close this.

andreasjordan avatar May 06 '22 16:05 andreasjordan

I am getting this error using DBATOOLS version 1.1.103. We use Carbon Black. DBATOOLS was working up until about 3 weeks past. Now we get this error when importing the module and Carbon Black pops a message that a Deny Action was applied.

PS C:\Users\xxxxxxx> Import-Module Dbatools
At C:\Program Files\WindowsPowerShell\Modules\Dbatools\1.1.103\allcommands.ps1:1 char:1
+ ### DO NOT EDIT THIS FILE DIRECTLY ###
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

Brett-Jay avatar Jun 06 '22 21:06 Brett-Jay

Same issue here. This is being flagged as malicious by Carbon Black today as well. 1.1.105 is being blocked with the same message as above. Reopen this issue? Or create a new one?

nicpenning avatar Jun 14 '22 21:06 nicpenning

Neither will have an effect - as we (the developers) can do nothing about this. If you are able to work with the vendor of Carbon Black on the details (like what specific file is maybe not signed), then we might be able to change something to prevent this.

andreasjordan avatar Jun 15 '22 06:06 andreasjordan

@andreasjordan - I agree.

I did narrow down that Carbon Black doesn't like it when you create an object with GETPROCADDRESS and LOADLIBRARY in the same object.

So something like this will get blocked:

$category = [pscustomobject]@{
    GETPROCADDRESS                  = 'hello'
    LOADLIBRARY                      = 'world'
}

I know the code is different in the project, but I was able to narrow it down to this. Any characters in front of or behind them still get blocked.

Furthermore, there are other areas in the code that require multiple blocks of text to run that will be blocked as well. But due to the amount of lines of code here, it turned out to be more of a challenge to isolate the other parts that Carbon Black is detecting on.

Those with CB will need to work with their support to get a proper tuning.

nicpenning avatar Jun 15 '22 14:06 nicpenning
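Before asking an EDR vendor to tune a detection, or adding an exclusion for the module path, it helps to cite the exact files involved (as andreasjordan notes above, for instance which files are unsigned). The script below is an added example, not dbatools project code: it inventories the installed module's script and binary files with their Authenticode signature status and SHA256 hash. The module name and CSV output path are assumed parameters.

```powershell
# Added example (not from the dbatools project): list every script/binary file of the
# installed module with its Authenticode status and SHA256 hash, so a false-positive
# report or an EDR exclusion can name specific files (e.g. allcommands.ps1) instead of
# a whole directory. Output path and module name are assumptions, adjust as needed.
param(
    [string]$ModuleName = 'dbatools',
    [string]$OutFile    = "$env:TEMP\$ModuleName-file-inventory.csv"
)

# Pick the newest installed version; Get-Module -ListAvailable does not import it,
# so this works even while the AV block prevents Import-Module from succeeding.
$module = Get-Module -Name $ModuleName -ListAvailable |
    Sort-Object Version -Descending |
    Select-Object -First 1
if (-not $module) { throw "Module '$ModuleName' is not installed." }

$inventory = Get-ChildItem -Path $module.ModuleBase -Recurse -File `
        -Include *.ps1, *.psm1, *.psd1, *.dll |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($module.ModuleBase.Length).TrimStart('\')
            SizeBytes    = $_.Length
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigStatus    = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer       = $sig.SignerCertificate.Subject   # $null when unsigned
        }
    }

$inventory | Export-Csv -Path $OutFile -NoTypeInformation

# Quick summary for the ticket: how many files per signature state, and which ones
# are not validly signed (those are the first thing an analyst will ask about).
$inventory | Group-Object SigStatus | Select-Object Name, Count | Format-Table -AutoSize
$inventory | Where-Object { $_.SigStatus -ne 'Valid' } |
    Select-Object RelativePath, SigStatus, Sha256 | Format-Table -AutoSize
Write-Host "Inventory for $ModuleName $($module.Version) written to $OutFile"
```

Run it as the same user that hits the block; comparing the resulting hashes against a clean install from PSGallery on another machine also confirms the blocked copy has not been altered on disk.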

Let me add @potatoqualitee to this thread...

andreasjordan avatar Jun 15 '22 14:06 andreasjordan

Overall those are false positives as they are not malicious. If they are indeed flagging for that value @nicpenning then it comes from this:

https://github.com/dataplat/dbatools/blob/6cae0dd18bda3ad8efd60404c2d05b402cc4a785/functions/Get-DbaWaitStatistic.ps1#L493-L500

wsmelton avatar Jun 15 '22 15:06 wsmelton

Of course. Nothing you can really do to fix that. Also, like I mentioned, this was just one instance of CB flagging the code. Even if you got rid of that part of the code, there are other "red flag" text that get tripped but I don't have the time to find them. VMWare will need to adjust the detection/prevention mechanisms.

nicpenning avatar Jun 15 '22 16:06 nicpenning

yeah, please report to CB. there's no way for us to contact them that I'm aware of :/

potatoqualitee avatar Jun 15 '22 16:06 potatoqualitee

We have entered a support request with Carbon Black.

Brett-Jay avatar Jun 28 '22 23:06 Brett-Jay

Thank you! Please let us know how it goes

potatoqualitee avatar Jun 29 '22 10:06 potatoqualitee

Reopening as it's continuing to happen to others.

potatoqualitee avatar Aug 03 '22 16:08 potatoqualitee

CB came back and said that in the next iterations of the main agent software, they will integrate a fix. If not the next upcoming version, it'll be in the one afterward.

Brett-Jay avatar Aug 03 '22 17:08 Brett-Jay

Oh, awesome, thank you @Brett-Jay !

potatoqualitee avatar Aug 04 '22 17:08 potatoqualitee

Issue seems related to PSFramework integration: https://github.com/PowershellFrameworkCollective/psframework/issues/517 We are currently working on resolving this with CB support

Geo-Ron avatar Dec 19 '22 08:12 Geo-Ron

@Geo-Ron PSFramework is not implemented in dbatools. The module originated in a way from work Fred did with our messaging system, but I don't believe it can be considered the same thing anymore.

wsmelton avatar Dec 19 '22 12:12 wsmelton

yeah, CB is just hating on dbatools, Pester and more. They really need to fix old issues and are dragging 🍑, repeatedly promising "next release" and apparently not following through.

potatoqualitee avatar Dec 19 '22 13:12 potatoqualitee

@Geo-Ron please keep us updated. They also don't accept reports from non-customers, so there's literally nothing we can do about it 😡

potatoqualitee avatar Dec 19 '22 13:12 potatoqualitee

Going to start using this as a tracker for AV software causing PowerShell issues, particularly with our module. Be aware that there is nothing we (as maintainers) can do about this issue. The AV software in general is generally going to flag multiple modules similar to ours as being malicious.

Please 👍 the post according to your AV software, if you don't see it listed in this issue please add a post with the AV name. If anyone has links on how to report incorrect findings to these AV vendors please share those too.

FireEye - https://github.com/dataplat/dbatools/issues/8241#issue-1170200178
Carbon Black - https://github.com/dataplat/dbatools/issues/8241#issuecomment-1147959896

wsmelton avatar Feb 21 '23 14:02 wsmelton

@Brett-Jay we have had one user report upgrading CB and reboot fixed the issue. Please let us know if that solves it on your environment as well. 🤞🏻

wsmelton avatar Feb 21 '23 19:02 wsmelton

#8949 - blocking by CB occurring with v2 release.

wsmelton avatar Jun 04 '23 17:06 wsmelton

@wsmelton What label do you suggest here? Or should we close as duplicate?

andreasjordan avatar Jun 27 '23 14:06 andreasjordan

Doesn't need a label IMO.

wsmelton avatar Jun 27 '23 18:06 wsmelton