Windows Defender reports false positive for PowerShell Modules

    Posted Jan 29, 2018 04:24 PM

    Over the weekend, Microsoft released a Windows Defender signature file that falsely reports many PowerShell modules, including PowerCLI, as containing a virus.

    This is a FALSE POSITIVE widely affecting the PowerShell community.

    https://social.technet.microsoft.com/Forums/en-US/40fa56dd-b73f-456a-9d97-cdb4500bc7ed/latest-updates-indicated-peasectoa-infection-?forum=WindowsDefenderATPPreview

    There is no official statement from Microsoft yet, but the PowerCLI community on VMware {Code} has been working overtime! Here’s what you need to do to get back to automating:

    1. Update Windows Defender Signatures to the latest (>= 1.261.424.0).
    2. If your PowerShellGet module was affected, you may need to download it manually from GitHub (https://github.com/PowerShell/PowerShellGet).
      1. Update: Kevin Marquette has a pretty good workaround for PowerShellGet, which reverts it back to 1.0.0.1.
    3. Release the affected files from Quarantine, or reinstall PowerCLI (Install-Module VMware.PowerCLI -scope CurrentUser -force)

    This story is still developing, so I will update as the info comes in.

    This is a great time for a shout out to the PowerCLI community on VMware {Code}. Special thanks to the PowerCLI users that have been working on this over the weekend and this morning: Luc Dekens, Edgar Sanchez, Wouter Kursten, Scott Haas, and John Kavanagh.

    You can join the VMware {Code} Slack by signing up here: https://code.vmware.com/join

    Any further updates will be here:

    Windows Defender reports false positive for PowerShell Modules - VMware PowerCLI Blog - VMware Blogs
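
The recovery steps from the post above as a PowerShell sketch, added here and not part of the original post. It assumes the Windows Defender cmdlets (Get-MpComputerStatus, Update-MpSignature, Get-MpThreatDetection, Get-MpThreat) are available in the session; the helper name Test-SignatureFixed is hypothetical.

```powershell
# Added example. Assumes the Defender module cmdlets are present on this host.
$minimum = [version]'1.261.424.0'   # minimum signature version named in the post

function Test-SignatureFixed {      # hypothetical helper name
    param([version]$Current, [version]$Minimum)
    $Current -ge $Minimum
}

# Step 1: read the signature version and update only if it predates the fix.
$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if (-not (Test-SignatureFixed $current $minimum)) {
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}
if (-not (Test-SignatureFixed $current $minimum)) {
    throw "Signatures still at $current; expected $minimum or later."
}

# Review: list only detections whose resources sit under a PowerShell module
# directory, so unrelated detections are not swept up with the module hits.
$roots = $env:PSModulePath -split ';' | Where-Object { $_ }
$hits = foreach ($d in Get-MpThreatDetection) {
    foreach ($r in $d.Resources) {
        $inModuleDir = $roots | Where-Object {
            $r.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
        }
        if ($inModuleDir) {
            $threat = Get-MpThreat -ThreatID $d.ThreatID -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Detected = $d.InitialDetectionTime
                Threat   = $threat.ThreatName
                Resource = $r
            }
        }
    }
}
$hits | Sort-Object Detected | Format-Table -AutoSize -Wrap

# Step 3, reinstall option from the post: pull a fresh copy of PowerCLI
# rather than releasing the quarantined files.
if ($hits | Where-Object { $_.Resource -match 'VMware' }) {
    Install-Module VMware.PowerCLI -Scope CurrentUser -Force
}
```

Running the review step before any release from quarantine keeps the restore limited to files under module directories that were flagged by the affected signature set.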