dbatools 2.0.3 blocked by Carbon Black #8949

Closed
amanzeekverma opened this issue Jun 4, 2023 · 7 comments
Comments

@amanzeekverma

Verified issue does not already exist?

I have searched and found no existing issue

What error did you receive?

Using any commands on powershell_ise.exe loads up dbatools.dat which CB is blocking.

BLOCK MESSAGE:
The application powershell_ise.exe attempted to execute fileless content that contains suspicious obfuscation techniques. This content contains highly suspicious obfuscated PowerShell code. A Deny policy action was applied.
https://attack.mitre.org/techniques/T1027/

Steps to Reproduce

# provide your command(s) executed pertaining to dbatools
# please include variable values (redacted or fake if needed) for reference

Using any commands on powershell_ise.exe loads up dbatools.dat which CB is blocking.

Please confirm that you are running the most recent version of dbatools

Yes 2.0.3

Other details or mentions

Latest Release of Carbon Black Sensors and dbatools.
Earlier dbatools 1.x releases were being allowed (after approving dbatools certs on CB); however, with fileless execution, CB is flagging it.

Potentially has to do with the way ".dat" files are being loaded.

BLOCK MESSAGE:

The application powershell_ise.exe attempted to execute fileless content that contains suspicious obfuscation techniques. This content contains highly suspicious obfuscated PowerShell code. A Deny policy action was applied.
https://attack.mitre.org/techniques/T1027/

Quoting from: https://blog.netnerds.net/2023/03/whats-new-dbatools-2.0/
If you end up having any issues with your anti-virus, please file an issue immediately so that we can take a look. I may have to revert this change (AV's sometimes hate compression), but so far, it's worked well for me.

What PowerShell host was used when producing this error

Windows PowerShell ISE (powershell_ise.exe)

PowerShell Host Version

Name                           Value
----                           -----
PSVersion                      5.1.22621.963
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.963
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

SQL Server Edition and Build number

N/A, not on test machine.

.NET Framework Version

PSChildName    Version
-----------    -------
Client         4.8.09032
Full           4.8.09032
Client         4.0.0.0

@wsmelton
Member

wsmelton commented Jun 4, 2023

Have you tried using powershell.exe host instead of ISE?

@amanzeekverma
Author

Sorry, was AFK; here is an output (that I think describes it better):

PS C:\Program Files\WindowsPowerShell\Modules> Import-Module dbatools
Import-Command : At line:1 char:1
+ ### DO NOT EDIT THIS FILE DIRECTLY ###
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At C:\Program Files\WindowsPowerShell\Modules\dbatools\2.0.3\dbatools.psm1:203 char:9
+         Import-Command -Path "$script:PSModuleRoot/dbatools.dat"

@wsmelton removed the labels "bugs life" and "triage required" (New issue that has not been reviewed by maintainers) on Jun 10, 2023
@andreasjordan
Contributor

@wsmelton What label do you suggest?

@wsmelton
Member

It doesn't need a label. Closing as duplicate of #8241

@wsmelton closed this as not planned (Won't fix, can't repro, duplicate, stale) on Jun 27, 2023
@amanzeekverma
Author

amanzeekverma commented Jun 27, 2023

#8241 is related to dbatools 1.x, right? dbatools 2.x has a compressed .dat file, which is what is causing this to be flagged as fileless execution? Why is this being closed as the original one?
Quoting from: https://blog.netnerds.net/2023/03/whats-new-dbatools-2.0/
If you end up having any issues with your anti-virus, please file an issue immediately so that we can take a look. I may have to revert this change (AV's sometimes hate compression)

@wsmelton
Member

The issue with AV is across multiple versions; we are using 8241 to track it, as it is pinned to our issues page.

@potatoqualitee
Member

Thank you for the post. I should update my blog to say "other than Carbon Black". They have been so unresponsive in helping us and other PowerShell projects which are constantly flagged as malicious. While it could be the new technique, I imagine it's just...Carbon Black.

You can also try cloning this repo and importing the psd1 from that. It's very different from the published one 🤞🏼
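A defender-side check for the situation described in this thread, added here as an example and not code from the dbatools project or from any commenter. It inventories the installed module's files with SHA-256 hashes and Authenticode signature status, then locates the line of the loader that reads dbatools.dat (the file the sensor objected to), so that any allow-list decision on the EDR can be made against verified artifacts rather than a blanket path exception. It assumes the install path shown in the error output above; the $ModuleRoot value and the report column names are mine, and the signature-capable extension list is an assumption about what Authenticode covers.

```powershell
# Added example; not dbatools project code. Assumes the module path from the
# issue's error output. Run in powershell.exe as an account that can read it.
$ModuleRoot = 'C:\Program Files\WindowsPowerShell\Modules\dbatools\2.0.3'

if (-not (Test-Path -LiteralPath $ModuleRoot)) {
    throw "Module root not found: $ModuleRoot"
}

# Signature checks only make sense for file types Authenticode covers
# (assumed list; a .dat blob will not carry an embedded signature).
$signable = '.ps1', '.psm1', '.psd1', '.ps1xml', '.dll', '.exe'

$report = Get-ChildItem -LiteralPath $ModuleRoot -Recurse -File | ForEach-Object {
    $sig = if ($signable -contains $_.Extension.ToLower()) {
        Get-AuthenticodeSignature -LiteralPath $_.FullName
    }
    [pscustomobject]@{
        File   = $_.FullName.Substring($ModuleRoot.Length).TrimStart('\')
        SizeKB = [math]::Round($_.Length / 1KB, 1)
        SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Status = if ($sig) { $sig.Status } else { 'n/a' }
        Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Anything Authenticode-capable whose signature is not 'Valid' deserves a
# look before the module is allow-listed on the endpoint.
$report | Where-Object { $_.Status -notin 'Valid', 'n/a' } |
    Format-Table File, Status, Signer -AutoSize

# The file the sensor blocked, with its hash, and where the module loader
# reads it (the issue shows this at dbatools.psm1 line 203).
$report | Where-Object File -Like '*dbatools.dat' | Format-List
Select-String -LiteralPath (Join-Path $ModuleRoot 'dbatools.psm1') -Pattern 'dbatools\.dat'

# To compare against a local clone of the repository (the maintainer's
# suggestion above), point $ModuleRoot at the clone, rerun, and diff the two
# reports on File and SHA256.
```

The hash of dbatools.dat is the value to hand to the EDR console if a hash-based exception is preferred over a path-based one; a path exception would also cover any later file dropped into the same directory, which is the weaker control.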
