
Installing OSDBuilder triggers malware warning. #91

Open
epoch71 opened this issue May 15, 2023 · 9 comments

Comments

@epoch71

epoch71 commented May 15, 2023

Got a warning re. malicious content when performing an import-module OSDBuilder today:

Suspicious activity blocked
Feature:
Antivirus
PowerShell tried to load a malicious resource detected as Heur.BZC.ZFV.Boxter.341.C5E73568 and was blocked. Your device is safe.

Anyone else experienced this?

@alayac

alayac commented May 15, 2023

I have not experienced this because I only use OSDBuilder in an isolated VM with antivirus disabled.

Good information here:
https://osdbuilder.osdeploy.com/docs/basics/requirements

@OSDeploy
Owner

Please provide some details on the file that was detected, dig through the logs. Keep in mind that OSDBuilder hasn't been updated since February, so nothing has changed recently related to the Module

@epoch71
Author

epoch71 commented Jun 5, 2023

Sorry for the delay in replying.

The malware warning was triggered when running the "Import-Module OSDBuilder" command (immediately after running Install-Module).

I've attached a pic of the warning (flagged by BitDefender).

[attached image: OSDBuilder_Warning]

There are no logs to dig through, since OSDBuilder is not yet installed on this machine. If there are other logs pertinent to this issue please direct me to them.

@OSDeploy
Owner

OSDeploy commented Jun 5, 2023

> There are no logs to dig through, since OSDBuilder is not yet installed on this machine. If there are other logs pertinent to this issue please direct me to them.

The logs for your AV are what need to be reviewed. There should be a clear log that defines which file in the Module is infected. I don't have or use BitDefender so I'm unable to replicate.

@epoch71
Author

epoch71 commented Jun 5, 2023

Seems it's not happy with Get-PSCloudScript.ps1 for some reason.

PS C:\Users\Andrew> import-module osdbuilder

import-module : Failed to import function C:\Program Files\WindowsPowerShell\Modules\OSD\23.5.9.1\Public\Functions\CloudSecret\Get-PSCloudScript.ps1: At C:\Program
Files\WindowsPowerShell\Modules\OSD\23.5.9.1\Public\Functions\CloudSecret\Get-PSCloudScript.ps1:1 char:1
+ <#
+ ~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:1
+ import-module osdbuilder
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Microsoft.PowerShell.Commands.ImportModuleCommand

@OSDeploy
Owner

OSDeploy commented Jun 5, 2023

Ok, so it's not an issue with OSDBuilder; it is an issue with the OSD Module. Can you try the following command?
Import-Module OSD -Force -Verbose
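As an added example (not code from the OSDeploy project or from anyone in this thread), the following script automates the step suggested above: it re-imports the module, collects every function file that the antivirus blocks, and records the SHA256 hash and Authenticode signature status of each one so the files can be reported to the AV vendor as suspected false positives. The module name is a parameter; `OSD` is only the default because the error output in this thread points at a file under the OSD module.

```powershell
# Added example, not part of the OSD/OSDBuilder modules or this issue thread.
# Finds the function files that the AV blocks during Import-Module and gathers
# the details a vendor needs for a false-positive report.
param(
    [string]$ModuleName = 'OSD'   # assumed: name of an installed module
)

# Import-Module reports each blocked function file as a non-terminating error
# (a Write-Error record, as the CategoryInfo in the thread shows), so
# -ErrorVariable collects all of them instead of stopping at the first.
$importErrors = $null
Import-Module -Name $ModuleName -Force -ErrorAction SilentlyContinue -ErrorVariable importErrors

if (-not $importErrors) {
    Write-Host "No import errors for module '$ModuleName'."
    return
}

# Keep only the AV blocks and pull the .ps1 path out of each message.
$flagged = foreach ($err in $importErrors) {
    $text = $err.Exception.Message
    if ($text -notmatch 'blocked by your antivirus software') { continue }
    if ($text -match 'Failed to import function (?<path>.+?\.ps1):') {
        $Matches['path']
    }
}

if (-not $flagged) {
    Write-Host "Import errors were reported, but none were antivirus blocks:"
    $importErrors | ForEach-Object { Write-Host "  $($_.Exception.Message)" }
    return
}

# Hash and signature-check each flagged file. The hash identifies the exact
# sample for the vendor; the signature status tells you whether the file is
# signed at all and whether it still matches its signature (HashMismatch would
# point at tampering rather than a false positive).
$report = foreach ($path in ($flagged | Sort-Object -Unique)) {
    $hash = Get-FileHash -Path $path -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        File      = $path
        SizeBytes = (Get-Item -Path $path).Length
        SHA256    = $hash.Hash
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$report | Format-List
```

Run it from the same elevated or user session that produced the block. Before filing the report, a useful check is to download a fresh copy of the same module version with `Save-Module` to a temporary folder and compare the hash of the flagged file against the copy from the PowerShell Gallery: a match confirms the installed file is the published one and the detection is a candidate false positive, while a mismatch means the local copy has been altered and should be treated as an incident rather than an AV tuning problem.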

@epoch71
Author

epoch71 commented Jun 5, 2023

Transcript attached.
[attachment: import-transcript.txt]

@OSDeploy
Owner

OSDeploy commented Jun 5, 2023

This is most certainly a false positive for BitDefender. I suggest submitting a sample for them to look at. Here's a similar issue https://community.bitwarden.com/t/bitdefender-saying-bitwardens-install-script-has-a-virus/52789

@epoch71
Author

epoch71 commented Jun 6, 2023

Yeah, I thought as much. I added the OSD/OSDBuilder script locations to BitDefender’s exceptions and was able to install the module without issues. Then, when I did an Import-Media from an ISO I downloaded from Microsoft, it started throwing malware detections at me during that process, for Microsoft DLLs.

Time to choose a new AV tool I think.
