Comments (8)

rhubarb-geek-nz avatar rhubarb-geek-nz commented on June 13, 2024

For example, I have a very simple one-line script calling nothing except PowerShell-provided commands:

$env:__PSDumpAMSILogContent='1'

$null = Get-ChildItem "$HOME\Downloads\*.exe" | ConvertTo-JSON -Depth 2

Run this script using a new pwsh.exe process so the environment variable is respected.

Example output is:

WARNING: Resulting JSON is truncated as serialization has exceeded the set depth of 2

=== Amsi notification report content ===
<System.Diagnostics.FileVersionInfo>.GetVersionInfo(<C:\Users\OnlyMe\Downloads\dotnet-sdk-8.0.100-win-arm64.exe>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Remove(<28>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.Diagnostics.FileVersionInfo>.GetVersionInfo(<C:\Users\OnlyMe\Downloads\dotnet-sdk-8.0.204-win-x64.exe>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Remove(<26>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.Diagnostics.FileVersionInfo>.GetVersionInfo(<C:\Users\OnlyMe\Downloads\MediaCreationTool22H2.exe>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Remove(<21>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.Diagnostics.FileVersionInfo>.GetVersionInfo(<C:\Users\OnlyMe\Downloads\MSTeamsSetup_c_l_.exe>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Remove(<17>)
=== Amsi notification report success: True ===

Is it really necessary to send all this information to AMSI given I already have Windows Defender installed and it is scanning my system?

from powershell.
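The procedure described in the comment above (set __PSDumpAMSILogContent, run the script in a fresh pwsh process, read the "Amsi notification report" blocks), as an added example that is not code from the issue thread or from the PowerShell project. It captures the dump output of a child pwsh, parses each report into an object, and flags reports whose argument values look like credentials. The function names, the secret regex, and the sample report text are my own choices; the runner assumes a pwsh that reports .NET method invocations to AMSI is on PATH, and it merges stderr into stdout in case the reports are written there.

```powershell
# Added example (not from the issue or the PowerShell project): audit what a
# script sends to AMSI via the __PSDumpAMSILogContent dump.

function ConvertFrom-AmsiReport {
    # Turns the dump's text blocks into objects with Type, Method, Args, Success.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line)
    begin {
        $inReport = $false
        $buffer = [System.Collections.Generic.List[string]]::new()
    }
    process {
        if ($Line -eq '=== Amsi notification report content ===') {
            $inReport = $true
            $buffer.Clear()
            return
        }
        if ($inReport -and $Line -match '^=== Amsi notification report success: (?<ok>\w+) ===$') {
            $content = $buffer -join "`n"
            # Method-invocation reports have the shape <Type>.Method(<arg1>, <arg2>);
            # (?s) lets the argument part span lines, as in the String.Split case.
            $sig = [regex]::Match($content, '(?s)^<(?<Type>[^>]+)>\.(?<Method>[^(]+)\((?<Args>.*)\)$')
            [pscustomobject]@{
                Type    = if ($sig.Success) { $sig.Groups['Type'].Value } else { $null }
                Method  = if ($sig.Success) { $sig.Groups['Method'].Value } else { $null }
                Args    = if ($sig.Success) { $sig.Groups['Args'].Value } else { $null }
                Success = [bool]::Parse($Matches['ok'])
                Content = $content
            }
            $inReport = $false
            return
        }
        if ($inReport) { $buffer.Add($Line) }
    }
}

# Hypothetical pattern (my choice) for argument values that carry a credential.
$script:SecretPattern = '(?i)\b(password|pwd|secret|token|api[_-]?key)\s*='

function Find-AmsiSecretLeak {
    param([Parameter(Mandatory, ValueFromPipeline)]$Report)
    process {
        if ($Report.Content -match $script:SecretPattern) { $Report }
    }
}

function Invoke-AmsiAudit {
    # The thread notes the variable is honoured by a new pwsh process, so the
    # script runs in a child pwsh that inherits it from this environment.
    param([Parameter(Mandatory)][string]$ScriptPath)
    $env:__PSDumpAMSILogContent = '1'
    try {
        & pwsh -NoProfile -NonInteractive -File $ScriptPath 2>&1 |
            ForEach-Object { "$_" } |
            ConvertFrom-AmsiReport
    }
    finally {
        Remove-Item Env:\__PSDumpAMSILogContent -ErrorAction SilentlyContinue
    }
}

# Constructed sample in the dump's format (not captured from a real run), so the
# parser can be exercised offline, including a report whose argument spans lines.
$sample = @'
=== Amsi notification report content ===
<System.Data.SqlClient.SqlConnection>.new(<Data Source=localhost;User ID=sa;Password=changeit>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Split(<
>)
=== Amsi notification report success: True ===
'@ -split "`r?`n"

$reports = $sample | ConvertFrom-AmsiReport
$reports | Format-Table Type, Method, Success
$reports | Find-AmsiSecretLeak |
    ForEach-Object { "Possible secret sent to AMSI: $($_.Type).$($_.Method)($($_.Args))" }

# Against a real script on Windows:
# Invoke-AmsiAudit -ScriptPath .\myscript.ps1 | Find-AmsiSecretLeak
```

The parser keys only on the two delimiter lines, so it tolerates the ordinary script output and error text that the dump interleaves with the reports. The secret regex is deliberately crude; widen it to whatever your own scripts handle (connection strings, bearer tokens, account numbers) before trusting a clean result.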

SteveL-MSFT avatar SteveL-MSFT commented on June 13, 2024

The WG reviewed this, and this logging is required on Windows to provide protection via Windows Defender (or possibly other AMSI-compliant scanners).

rhubarb-geek-nz avatar rhubarb-geek-nz commented on June 13, 2024

While some level of logging may be required, e.g. of script block content, the current implementation has jumped the shark.

Two simple cases.

You are logging variable values, not just the scripts.

$env:__PSDumpAMSILogContent='1'
$ConnectionString = 'Data Source=localhost;Integrated Security=False;Persist Security Info=False;User ID=sa;Password=changeit'
$connection = [System.Data.SqlClient.SqlConnection]::new($ConnectionString)

Results in:

=== Amsi notification report content ===
<System.Data.SqlClient.SqlConnection>.new(<Data Source=localhost;Integrated Security=False;Persist Security Info=False;User ID=sa;Password=changeit>)
=== Amsi notification report success: True ===

And a simple error

$env:__PSDumpAMSILogContent='1'
Invoke-FooBar

Generated over a hundred lines of output:

=== Amsi notification report content ===
<System.String>.IsNullOrEmpty(<null>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.Int32>.ToString()
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Split(<
>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Substring(<1>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Substring(<1>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Trim()
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.IndexOf(<~>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.EndsWith(<
>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Insert(<14>, <ESC[0m>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Insert(<1>, <ESC[36;1m>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.Management.Automation.Internal.StringDecorated>.new(<ESC[36;1m     | ESC[31;1m>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Replace(<
>, < >)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Replace(<
>, < >)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Replace(<	>, < >)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.Text.StringBuilder>.new()
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Substring(<0>, <204>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.Text.StringBuilder>.Append(<ESC[36;1m     | ESC[31;1mThe term 'Invoke-FooBar' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Substring(<203>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Trim()
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.Text.StringBuilder>.Append(<
>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.String>.Trim()
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.Text.StringBuilder>.Append(<ESC[36;1m     | ESC[31;1mthe path is correct and try again.>)
=== Amsi notification report success: True ===

=== Amsi notification report content ===
<System.Text.StringBuilder>.ToString()
=== Amsi notification report success: True ===
ESC[31;1mInvoke-FooBar: ESC[0mD:\WINDEV\shell\powershell-problems\base64\error.ps1:3ESC[0m
ESC[31;1mESC[0mESC[36;1mLine |ESC[0m
ESC[31;1mESC[0mESC[36;1mESC[36;1m   3 | ESC[0m ESC[36;1mInvoke-FooBarESC[0m
ESC[31;1mESC[0mESC[36;1mESC[36;1mESC[0mESC[36;1mESC[0mESC[36;1m     | ESC[31;1m ~~~~~~~~~~~~~ESC[0m
ESC[31;1mESC[0mESC[36;1mESC[36;1mESC[0mESC[36;1mESC[0mESC[36;1mESC[31;1mESC[31;1mESC[36;1m     | ESC[31;1mThe term 'Invoke-FooBar' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify thatESC[0m
ESC[31;1mESC[0mESC[36;1mESC[36;1mESC[0mESC[36;1mESC[0mESC[36;1mESC[31;1mESC[31;1mESC[36;1mESC[31;1mESC[36;1m     | ESC[31;1mthe path is correct and try again.ESC[0m

You have turned a wonderful scripting engine into a security nightmare. Alas, I no longer trust PowerShell not to leak internal data.

If I can turn off the requirement for scripts to be signed, surely I should be able to turn off this travesty of an implementation.

SteveL-MSFT avatar SteveL-MSFT commented on June 13, 2024

In your first case, I believe the actual script block to be executed (meaning after variable expansion) is sent to AMSI, so you can't hide executable code within a variable.

In your second case, those reports appear to be due to the large script for the Concise ErrorView formatting. So any script executed during formatting would also be sent to AMSI, since third parties can add their own scripts during formatting.

rhubarb-geek-nz avatar rhubarb-geek-nz commented on June 13, 2024

Scanning a script block should occur when it is created from a string, this is the equivalent of loading a script file.

Yes, with this approach you can't hide executable code within a string, but there is nothing wrong with a script in a string if it is not being executed; it is just data. But then neither can you hide database credentials, SSNs, bank account details, or any other information you may be legitimately processing.

So let's say you think this is an excellent idea, and you are welcome to think that. There is another audience that considers this a gross violation of the expectation of being able to write programs with privacy. I can only assume now that there is no data privacy within a PowerShell execution environment on Windows, so as a tool or scripting language it should not be used for anything other than, basically, hello world.

microsoft-github-policy-service avatar microsoft-github-policy-service commented on June 13, 2024

This issue has been marked as by-design and has not had any activity for 1 day. It has been closed for housekeeping purposes.

microsoft-github-policy-service avatar microsoft-github-policy-service commented on June 13, 2024

📣 Hey @rhubarb-geek-nz, how did we do? We would love to hear your feedback with the link below! 🗣️

🔗 https://aka.ms/PSRepoFeedback

rhubarb-geek-nz avatar rhubarb-geek-nz commented on June 13, 2024

#21536