For a period of time, Windows Defender was flagging several important PowerShell modules as infected with Peasecto.A. This would prevent users from running or installing those modules. Some of the impacted modules included
VMware.PowerCLI. Even VSCode was feeling the pain. The good news is that the issue is resolved for some modules now.
PS:> Get-MpComputerStatus | Select AntivirusSignature* AntivirusSignatureLastUpdated : 1/28/2018 8:28:37 PM AntivirusSignatureVersion : 1.261.424.0
These are the definition version that I have seen tested on these modules:
PackageManagementfixed in 1.261.424.0
PSScriptAnalyzerfixed in 1.261.441.0
MSOnlinefixed in 1.261.473.0
VMWare.PowerCLIfixed in 1.261.459.0
You may have to run Windows Updates and reboot if Windows Defender is not pulling the most recent definition. I have seen some inconsistent results in my testing on different machines.
It looks like the modules were fixed one at a time. I have a link at the bottom for where to report false positives.
There was not a lot of options other than disable defender or disable PowerShell AMSI while we waited for the definitions to get updated. I was pulling together what information that I could and posting it here as it came up. Now that the issue is mostly resolved, I rewrote the into so the important information is easy to discover.
There are lingering issues for some users with broken modules that will need to be re-installed. The
PackageManagement module will take some special steps that I outlined below.
Reinstall PowerShellGet and PackageManagement
PowerShellGet depends on
PackageManagement, issues with
PackageManagement can prevent
PowerShellGet from working. How do you install modules when
Install-Module has issues?
If Windows Defender did clean up files out of the
PackageManagement module, you can import the old version of
PowerShellGet in a fresh shell to use
Get-Module PowerShellGet -ListAvailable | Where Version -eq 22.214.171.124 | Import-Module Install-Module PackageManagement -Force Install-Module PowerShellGet -Force
PowerShell 5.1 should have the 126.96.36.199 version of both of these modules. So you should have a old version of the module to import. Also note that only users that updated to the new modules will have this issue.
PowerShell Core ships with the newer module by default and is not as easy to repair.
Indications that you are in a bad state
These are the error messages you get when in this bad state. If you call
Install-Module you should see something like this:
find-module : The 'find-module' command was found in the module 'PowerShellGet', but the module could not be loaded. For more information, run 'Import-Module PowerShellGet'. install-module : The 'install-module' command was found in the module 'PowerShellGet', but the module could not be loaded. For more information, run 'Import-Module PowerShellGet'.
If you try and import the
PowerShellGet module, then you will see this error message:
PS:> Import-Module PowerShellGet import-module : The required module 'PackageManagement' is not loaded. Load the module or remove the module from 'RequiredModules' in the file 'C:\Program Files\WindowsPowerShell\Modules\powershellget\1.6.0\powershellget.psd1'.
Early reporting on the issue
The details below contain all the information that was available to us before a fix was made available.
These are the first tweets talking about the issue:
What's this?— Luc Dekens (@LucD22) January 28, 2018
Defender real-time protection removing files from my #PowerShell modules!
FYI: Windows Defender is detecting Legit PowerShell Modules and PowerShell Core itself as PowerShell/PeaSecto.a https://t.co/i7DZEo3Pgn— Mark Kraus MVP (@markekraus) January 28, 2018
Might have overlooked this, but is there any guidance on dealing with #PowerShell AMSI false positives in Defender outside of DisableIOAVProtection? Some innocuous automation being flagged, would prefer not to turn this off...— Warren F. (@psCookieMonster) January 26, 2018
Mark was talking about this thread: Latest updates indicated Peasecto.A infection. This thread indicates that MSOnline and the Azure modules are impacted. Lots of good information is collecting here even as I post this.
Reddit was also noticing the issue.
- Windows Defender reporting Peasecto.A malware in some Microsoft PSD1 files
- System Center Endpoint protection flagging the MSOnline.psd1 file with Peasecto.A trojan
Issues started to pop up on GitHub projects.
For next time
Lee Holmes pointed out that Microsoft does have a process for submitting false positives.
Here's where to report false positives: https://t.co/NsQ34giE3e - it has nothing to do with AMSI. If the content triggers a signature, it would do it through basic scanning as well.— Lee Holmes (@Lee_Holmes) January 28, 2018
The next time you find Defender attacking the wrong files, you can submit a file for analysis.