
Windows Defender reports false positive for PowerShell Modules

Over the weekend, Microsoft released a Windows Defender signature file that falsely reports many PowerShell modules, including PowerCLI, as containing a virus.

This is a FALSE POSITIVE widely affecting the PowerShell community.

https://social.technet.microsoft.com/Forums/en-US/40fa56dd-b73f-456a-9d97-cdb4500bc7ed/latest-updates-indicated-peasectoa-infection-?forum=WindowsDefenderATPPreview

There is no official statement from Microsoft yet, but the PowerCLI community on VMware {Code} has been working overtime! Here’s what you need to do to get back to automating:

  1. Update Windows Defender Signatures to the latest (>= 1.261.424.0 1.261.459.0).
  2. If your PowerShellGet module was affected, you may need to download it manually from GitHub (https://github.com/PowerShell/PowerShellGet)
    1. Update: Kevin Marquette has a pretty good workaround for PowerShellGet, which reverts it back to 1.0.0.1.
  3. Release the affected files from Quarantine, or reinstall PowerCLI (Install-Module VMware.PowerCLI -scope CurrentUser -force)
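
The steps above as one elevated PowerShell session (an added example, not part of the original post). It assumes the later version quoted in step 1, 1.261.459.0, is the minimum fixed signature, and it holds back the reinstall until that version is confirmed so the restored files are not quarantined again.

```powershell
# Added example: follows steps 1-3 above. Run in an elevated PowerShell session.
# Assumption: 1.261.459.0 (the later version quoted in step 1) is the minimum fixed signature.
$minimumFixed = [version]'1.261.459.0'

function Test-SignatureFixed {
    param([version]$Current, [version]$Minimum)
    # [version] compares each dotted field numerically (1.261.1000.0 > 1.261.459.0),
    # which a plain string comparison would get wrong.
    return $Current -ge $Minimum
}

# Step 1: read the installed antivirus signature version and update if it is older.
$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if (-not (Test-SignatureFixed -Current $current -Minimum $minimumFixed)) {
    Write-Host "Signatures $current are older than $minimumFixed, updating..."
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}
Write-Host "Antivirus signature version: $current"

if (-not (Test-SignatureFixed -Current $current -Minimum $minimumFixed)) {
    # Restoring or reinstalling now would only get the files quarantined again.
    Write-Warning "Signatures are still older than $minimumFixed; stopping before step 3."
    return
}

# Step 3a: show which detections touched PowerShell module folders,
# so you know which modules to restore or reinstall.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match '\\Modules\\' } |
    Select-Object InitialDetectionTime, ThreatID, Resources |
    Format-List

# Step 3b: list everything currently in quarantine (listing only, nothing is restored).
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpCmdRun -Restore -ListAll

# Step 3c: reinstall PowerCLI for the current user and confirm it is available again.
Install-Module VMware.PowerCLI -Scope CurrentUser -Force
Get-Module -ListAvailable VMware.PowerCLI | Select-Object Name, Version, ModuleBase
```

Review the quarantine listing against the module detections before releasing anything, so that only the files this signature flagged are restored.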

This story is still developing, so I will update as the info comes in.

This is a great time for a shout out to the PowerCLI community on VMware {Code}. Special thanks to the PowerCLI users that have been working on this over the weekend and this morning: Luc Dekens, Edgar Sanchez, Wouter Kursten, Scott Haas, and John Kavanagh.

You can join the VMware {Code} Slack by signing up here: https://code.vmware.com/join