For a period of time, Windows Defender was flagging several important PowerShell modules as infected with Peasecto.A. This would prevent users from running or installing those modules. Some of the impacted modules included PackageManagement, MSOnline, PSScriptAnalyzer, and VMware.PowerCLI. Even VSCode was feeling the pain. The good news is that the issue is resolved for some modules now.
PS:> Get-MpComputerStatus | Select AntivirusSignature*
AntivirusSignatureLastUpdated : 1/28/2018 8:28:37 PM
AntivirusSignatureVersion : 1.261.424.0
These are the definition versions that I have seen tested against these modules:
- PackageManagement: fixed in 1.261.424.0
- PSScriptAnalyzer: fixed in 1.261.441.0
- MSOnline: fixed in 1.261.473.0
- VMware.PowerCLI: fixed in 1.261.459.0
You may have to run Windows Updates and reboot if Windows Defender is not pulling the most recent definition. I have seen some inconsistent results in my testing on different machines.
It looks like the modules were fixed one at a time. I have a link at the bottom for where to report false positives.
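The following script is an added example and not code from the original post. It compares the machine's current Defender signature version against the fixed-in versions listed above for each module that is actually installed, checks whether each module's manifest still references files that exist on disk (a module that Defender cleaned files out of will fail that check), and pulls fresh definitions with Update-MpSignature if any installed module is still covered by a flagging signature. The fixed-in version numbers are taken from the list above; everything else is assumed.

```powershell
# Added example, not from the original post. Compares this machine's Defender
# signature version with the versions listed above as fixed for each module,
# and checks whether each installed module's manifest still points at files
# that exist (Defender deleting files out of a module breaks that check).
$fixedIn = @{
    'PackageManagement' = [version]'1.261.424.0'
    'PSScriptAnalyzer'  = [version]'1.261.441.0'
    'MSOnline'          = [version]'1.261.473.0'
    'VMware.PowerCLI'   = [version]'1.261.459.0'
}

$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
Write-Host "Defender signatures: $current (updated $($status.AntivirusSignatureLastUpdated))"

$report = foreach ($name in ($fixedIn.Keys | Sort-Object)) {
    # Newest installed copy, if any. A module whose .psd1 itself was quarantined
    # will not show up here at all, which is itself a sign of damage.
    $module = Get-Module -Name $name -ListAvailable |
        Sort-Object Version -Descending | Select-Object -First 1

    $installed  = 'not found'
    $manifestOk = $null
    if ($module) {
        $installed = $module.Version
        if ($module.Path -like '*.psd1') {
            # Test-ModuleManifest writes an error when RootModule or NestedModules
            # files referenced by the manifest are missing from disk.
            Test-ModuleManifest -Path $module.Path -ErrorAction SilentlyContinue `
                -ErrorVariable manifestErrors | Out-Null
            $manifestOk = ($manifestErrors.Count -eq 0)
        }
    }

    $signatures = if ($current -ge $fixedIn[$name]) { 'fixed' } else { 'still flagged' }

    [pscustomobject]@{
        Module     = $name
        Installed  = $installed
        FixedIn    = $fixedIn[$name]
        Signatures = $signatures
        ManifestOk = $manifestOk
    }
}
$report | Format-Table -AutoSize

# Pull the latest definitions directly instead of waiting for Windows Update
# when an installed module is still covered by a flagging signature version.
$stale = $report | Where-Object { $_.Installed -ne 'not found' -and $_.Signatures -eq 'still flagged' }
if ($stale) {
    Update-MpSignature
    Write-Host "Defender signatures now: $((Get-MpComputerStatus).AntivirusSignatureVersion)"
}
```

A module that shows ManifestOk as False with signatures already at a fixed version is one that Defender damaged before the fix landed, and needs the reinstall steps below rather than another definition update.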
Updated:
Microsoft has released Defender signatures version 1.261.459.0 which fixes all #PowerCLI modules. #PowerShell https://t.co/EQ2Qtu8jT2
— VMware PowerCLI (@PowerCLI) January 30, 2018
There were not a lot of options other than disabling Defender or disabling PowerShell AMSI while we waited for the definitions to get updated. Note that disabling AMSI would not have helped here: as Lee Holmes points out below, this was a file signature hitting the module files on disk, which real-time and scheduled scanning catch regardless of AMSI. I was pulling together what information I could and posting it here as it came up. Now that the issue is mostly resolved, I rewrote the intro so the important information is easy to discover.
There are lingering issues for some users with broken modules that will need to be reinstalled. The PackageManagement module will take some special steps that I outline below.
Reinstall PowerShellGet and PackageManagement
Because PowerShellGet depends on PackageManagement, issues with PackageManagement can prevent PowerShellGet from working. How do you install modules when Install-Module has issues?
If Windows Defender did clean files out of the PackageManagement module, you can import the old version of PowerShellGet in a fresh shell to use Install-Module again.
# Load the in-box 1.0.0.1 PowerShellGet that ships with Windows PowerShell 5.1
Get-Module PowerShellGet -ListAvailable |
    Where Version -eq 1.0.0.1 |
    Import-Module
# Reinstall PackageManagement first; PowerShellGet lists it in RequiredModules
Install-Module PackageManagement -Force
Install-Module PowerShellGet -Force
PowerShell 5.1 ships with the 1.0.0.1 version of both of these modules, so you should have an old version of the module to import. Also note that only users who updated to the newer modules will have this issue.
PowerShell Core ships with the newer module by default and is not as easy to repair.
Indications that you are in a bad state
These are the error messages you get when in this bad state. If you call Find-Module or Install-Module you should see something like this:
find-module : The 'find-module' command was found in the module 'PowerShellGet', but the module
could not be loaded. For more information, run 'Import-Module PowerShellGet'.
install-module : The 'install-module' command was found in the module 'PowerShellGet', but the
module could not be loaded. For more information, run 'Import-Module PowerShellGet'.
If you try to import the PowerShellGet module, you will see this error message:
PS:> Import-Module PowerShellGet
import-module : The required module 'PackageManagement' is not loaded. Load the module or remove
the module from 'RequiredModules' in the file 'C:\Program
Files\WindowsPowerShell\Modules\powershellget\1.6.0\powershellget.psd1'.
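The script below is an added example, not code from the original post, that ties the reinstall steps and the error indications above together: it tests whether PackageManagement and PowerShellGet import cleanly, and if they do not, falls back to the in-box 1.0.0.1 copies, reinstalls both modules, and verifies the result in a new process. It assumes the in-box 1.0.0.1 copies are intact and that you run it in a fresh, elevated Windows PowerShell 5.1 session; the function name Test-PowerShellGetLoads is mine.

```powershell
# Added example, not from the original post. Detects the broken
# PowerShellGet/PackageManagement state described above and repairs it from the
# in-box 1.0.0.1 copies that ship with Windows PowerShell 5.1. Assumes those
# copies are intact and that this runs in a fresh, elevated shell.
$inBox = [version]'1.0.0.1'

function Test-PowerShellGetLoads {
    # Every symptom above reduces to Import-Module failing. -ErrorAction Stop
    # turns the non-terminating import error into one that catch can see.
    try {
        Import-Module PackageManagement -ErrorAction Stop
        Import-Module PowerShellGet -ErrorAction Stop
        $true
    }
    catch {
        Write-Warning "Import failed: $($_.Exception.Message)"
        $false
    }
}

if (Test-PowerShellGetLoads) {
    'PowerShellGet loads; nothing to repair.'
}
else {
    # Unload whatever half-loaded, then pin both modules to the in-box version.
    # PackageManagement goes first: PowerShellGet lists it in RequiredModules,
    # and an already-loaded copy satisfies that check without touching the
    # damaged newer version on disk.
    Remove-Module PowerShellGet, PackageManagement -Force -ErrorAction SilentlyContinue
    Import-Module PackageManagement -RequiredVersion $inBox -ErrorAction Stop
    Import-Module PowerShellGet -RequiredVersion $inBox -ErrorAction Stop

    # Reinstall the newer versions over the damaged copies, PackageManagement first.
    Install-Module PackageManagement -Force
    Install-Module PowerShellGet -Force

    # Verify in a new process: this session still has the 1.0.0.1 modules loaded,
    # so importing here again would not prove the reinstalled versions work.
    powershell.exe -NoProfile -Command {
        Import-Module PowerShellGet -ErrorAction Stop
        Get-Module PowerShellGet, PackageManagement | Select-Object Name, Version
    }
}
```

If the child process prints the newer versions of both modules without the "required module 'PackageManagement' is not loaded" error, the repair worked; if it still fails, check that Defender's signatures are at or past the fixed-in versions, or the freshly installed files may be removed again.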
Early reporting on the issue
The details below contain all the information that was available to us before a fix was made available.
These are the first tweets talking about the issue:
What's this?
Defender real-time protection removing files from my #PowerShell modules!
— Luc Dekens (@LucD22) January 28, 2018
FYI: Windows Defender is detecting Legit PowerShell Modules and PowerShell Core itself as PowerShell/PeaSecto.a https://t.co/i7DZEo3Pgn
— Mark Kraus MVP (@markekraus) January 28, 2018
That awkward moment when Windows Defender declares that your #PowerShell module is a threat. pic.twitter.com/DJxvBYenJi
— Boe Prox (@proxb) January 28, 2018
Might have overlooked this, but is there any guidance on dealing with #PowerShell AMSI false positives in Defender outside of DisableIOAVProtection? Some innocuous automation being flagged, would prefer not to turn this off...
— Warren F. (@psCookieMonster) January 26, 2018
TechNet
Mark was talking about this thread: Latest updates indicated Peasecto.A infection. This thread indicates that MSOnline and the Azure modules are impacted. Lots of good information is collecting here even as I post this.
Reddit was also noticing the issue.
- Windows Defender reporting Peasecto.A malware in some Microsoft PSD1 files
- System Center Endpoint protection flagging the MSOnline.psd1 file with Peasecto.A trojan
GitHub Issues
Issues started to pop up on GitHub projects.
Other links
For next time
Lee Holmes pointed out that Microsoft does have a process for submitting false positives.
Here's where to report false positives: https://t.co/NsQ34giE3e - it has nothing to do with AMSI. If the content triggers a signature, it would do it through basic scanning as well.
— Lee Holmes (@Lee_Holmes) January 28, 2018
The next time you find Defender attacking the wrong files, you can submit a file for analysis.