Hi,
Does anyone who has a background in security research (ideally on Windows) and/or PCI-DSS compliance want to have a quick look at something?
I would like a second opinion on a PowerShell matter.
Background, AMSI allows applications to hook into Antivirus Scanning.
https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
PowerShell has implemented ... something ...
PSAMSIMethodInvocationLogging - Extends the data sent to AMSI for inspection to include all invocations of .NET method members.
Now the problem is not the script scanning, the problem is it expands every string variable sent to .NET method invocations to the AV.
This is with no concept of privacy, restriction or sensitivity of the data. Everything that is a string goes to AV.
So if you implemented any code calling .NET methods, your argument values are going to AV.
But not only that, if you call anybody else's code that calls .NET methods, even in a PowerShell module, that still gets sent to AV.
From what I have seen, stuff sent to AV finds its way into the EventViewer, if it can get into the EventViewer it can end up anywhere.
So with no opt-out or discretion, all data values sent to .NET methods go to AV.
This is an attempt to outline the problem, but it is considered working as designed.
https://github.com/PowerShell/PowerShell/issues/21491
This includes attempts at mediation, and a proof of concept with an existing popular Luhn algorithm checker that leaks credit card numbers to AV.
https://github.com/PowerShell/PowerShell/issues/21536
Am I making a mountain out of a molehill or is there a real security risk here?
Thanks,
roobarb
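For anyone wanting to check their own hosts before forming an opinion, here is an added example (not from the original poster or the PowerShell project) that audits whether the PSAMSIMethodInvocationLogging experimental feature named above is enabled on a PowerShell 7 host and, if so, turns it off. It assumes PowerShell 7.x, since experimental features and the Get-ExperimentalFeature / Disable-ExperimentalFeature cmdlets do not exist in Windows PowerShell 5.1.

```powershell
# Added example: audit and optionally disable the PSAMSIMethodInvocationLogging
# experimental feature. Assumes PowerShell 7.x; not part of the original post.
$featureName = 'PSAMSIMethodInvocationLogging'

if ($PSVersionTable.PSVersion.Major -lt 7) {
    Write-Warning "Experimental features require PowerShell 7 or later; this host runs $($PSVersionTable.PSVersion)."
    return
}

# Get-ExperimentalFeature returns nothing if this build does not know the feature.
$feature = Get-ExperimentalFeature -Name $featureName -ErrorAction SilentlyContinue
if (-not $feature) {
    Write-Output "$featureName is not known to this PowerShell build."
    return
}

Write-Output ("{0}: Enabled={1} (source: {2})" -f $feature.Name, $feature.Enabled, $feature.Source)

if ($feature.Enabled) {
    # Disabling records the change in powershell.config.json for the current user
    # (use -Scope AllUsers for the machine-wide config); it only applies to new sessions.
    Disable-ExperimentalFeature -Name $featureName
    Write-Output "Disabled $featureName; start a new PowerShell session for the change to take effect."
}
```

Run it in the same PowerShell 7 installation your scripts use, because experimental feature state is per installation and per configuration scope, not a Windows-wide setting.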