AV detection triggered by encoded string used to execute "Start-EditorServices.ps1" #1831

Closed
SotoDucani opened this issue Apr 1, 2019 · 6 comments · Fixed by #1837
Comments

@SotoDucani
System Details

### VSCode version: 1.32.3 a3db5be9b5c6ba46bb7555ec5d60178ecc2eaae4 x64

### VSCode extensions:
[email protected]
[email protected]
[email protected]

### PSES version: 1.12.0.0

### PowerShell version:
Name                           Value
----                           -----
PSVersion                      5.1.14409.1018
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1018
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Issue Description

Upon loading a new instance of VSCode with the PowerShell extension enabled, our AV system alerts on the fact that an encoded string is used to execute the "Start-EditorServices.ps1" file with appropriate parameters. AV reasoning behind the alert is that some malware uses encoded strings as a technique to bypass AV tools.

I'll be following up with AV since this is a new behavior and seems overly aggressive without any sort of additional behavioral context; however, adding an option to change this behavior (switch to -file -param1 -param2) on the extension side might be worth consideration, specifically in the event that AV vendors give poor responses to the issue, or, more likely, that end-users of the extension will not have an appropriate avenue to even open an issue with vendors that decide to implement this kind of detection/alerting.

Expected Behaviour

  • AV does not trigger upon execution of the extension.

Actual Behaviour

  • AV triggers due to use of an encoded command

Attached Logs

  • Command that is encoded:
'C:\Users\<username>\.vscode\extensions\ms-vscode.powershell-1.12.0\modules\PowerShellEditorServices\Start-EditorServices.ps1' -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '1.12.0' -AdditionalModules @('PowerShellEditorServices.VSCode') -BundledModulesPath 'C:\Users\<username>\.vscode\extensions\ms-vscode.powershell-1.12.0\modules' -EnableConsoleRepl -LogLevel 'Normal' -LogPath 'C:\Users\<username>\.vscode\extensions\ms-vscode.powershell-1.12.0\logs\1554130784-8003246f-5049-4122-b631-51135dcbb6471554130776654\EditorServices.log' -SessionDetailsPath 'C:\Users\<username>\.vscode\extensions\ms-vscode.powershell-1.12.0\sessions\PSES-VSCode-11540-901291' -FeatureFlags @()
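As an added example (not code from this issue, the extension, or any AV vendor): a defender-side triage script in Python that decodes a -EncodedCommand argument from a process command line and checks whether the decoded script is the Start-EditorServices.ps1 launcher, so the event can be filtered precisely rather than by suppressing encoded-command detection wholesale. The powershell.exe command lines, the -NoProfile flag, the shortened launcher arguments and the allow-list pattern are constructed assumptions.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample, shortened from the command line quoted in this issue; <username> is a placeholder.
LAUNCHER_SCRIPT = (
    "& 'C:\\Users\\<username>\\.vscode\\extensions\\ms-vscode.powershell-1.12.0\\modules"
    "\\PowerShellEditorServices\\Start-EditorServices.ps1' -HostName 'Visual Studio Code Host' "
    "-HostProfileId 'Microsoft.VSCode' -HostVersion '1.12.0' -EnableConsoleRepl -LogLevel 'Normal'"
)

def encode_command(script: str) -> str:
    """Base64 of the script's UTF-16LE bytes: the form powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# -EncodedCommand plus its common abbreviations (-e, -ec, -enc); assumption: these are the
# spellings worth covering, since PowerShell accepts any unambiguous prefix of the switch.
_ENC_ARG = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decoded script from a process command line, or None if not encoded or not valid base64/UTF-16LE."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

# What a filter for this event type could key on after decoding (assumption, not the
# extension's or any vendor's logic): the launcher script name plus the VS Code host name.
_KNOWN_LAUNCHER = re.compile(r"Start-EditorServices\.ps1'\s+-HostName\s+'Visual Studio Code Host'")

def triage(cmdline: str) -> dict:
    """Classify one command line: encoded or not, and whether the decoded script is the extension launcher."""
    decoded = decode_encoded_command(cmdline)
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "known_launcher": bool(decoded and _KNOWN_LAUNCHER.search(decoded)),
    }

if __name__ == "__main__":
    # Constructed: the encoded launch this issue reports, beside the unencoded -File form the reporter suggests.
    encoded_form = "powershell.exe -NoProfile -EncodedCommand " + encode_command(LAUNCHER_SCRIPT)
    file_form = "powershell.exe -NoProfile -File " + LAUNCHER_SCRIPT[2:]
    for line in (encoded_form, file_form):
        print(triage(line))
```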
@Smokex365
Getting the same issue with Avast. It's not giving me any usable logs (or ones I've found yet) to see what it's actually detecting other than the alert notification. The issue just started today it seems; had no issue last night so I'm not sure if it's a definition change or a change within the extension.

Being identified as an IDP.HELU.PSE16 - Fileless malware by Avast with definitions 190401-4 & Program version 19.3.2369 (build 19.3.4241.445)
https://i.imgur.com/OYUiIBR.png?1

@SotoDucani
Author

SotoDucani commented Apr 2, 2019

@Smokex365 Take a look at Script Tracing and if you can enable it: https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script

That should give you a log of what's running so you can verify.

@SotoDucani
Author

For reference, PR #1774 is where this was introduced

@rkeithhill
Contributor

Ya, we know where it was introduced. :-) This change was made for a reason - getting parameters to the startup script can be tricky on Linux.

@TylerLeonhardt
Member

Hi all, can you try one of these builds:

PowerShell and PowerShell Preview release candidates.zip

This should have the AV fix. Note, if you've never used the Preview extension, look at these steps.

If you've never installed a VSIX before, here are the steps.

@SotoDucani
Author

@TylerLeonhardt Looks good for me, both 1.12.1 and 2.0.0-preview.3 look to be launching using an unencoded string and AV is not triggering upon execution. Thanks for the adjustment!

AV vendor's response was "Oh, just filter out the event type", which is what I expected.
