Windows Defender and handling downloaded PowerShell scripts

I use Set-ExecutionPolicy RemoteSigned and download some scripts and modules. These are my scripts, so they are not signed. I could use Bypass, RemoteSigned or Unrestricted. I feel that Unrestricted is a bit over the top, so I went with RemoteSigned and indeed, even though my scripts are not signed, I can download them and run them... for a while. Then "Windows Defender" catches up and completely deletes my scripts. My questions are:

  • After I download a script, is there a programmatic way with PowerShell to instruct Windows Defender to put that script on the exclusion list?

  • Would you say that Unrestricted is a bit unsafe? If so, what is the process of getting these scripts signed (or self-signed?), or is this not possible? I.e. set to Unrestricted so that the files are not nuked, then download the file, then somehow put it on an exclusion list, then set the ExecutionPolicy back to RemoteSigned?

Downloaded files are marked as coming from the internet. You need to unblock them. Use the built-in cmdlet for that.

# Get specifics for a module, cmdlet, or function
(Get-Command -Name Unblock-File).Parameters
(Get-Command -Name Unblock-File).Parameters.Keys
Get-help -Name Unblock-File -Examples
# Results
<#
Unblock-File -Path C:\Users\User01\Documents\Downloads\PowerShellTips.chm
dir C:\Downloads\*PowerShell* | Unblock-File
Get-Item * -Stream "Zone.Identifier" -ErrorAction SilentlyContinue
C:\ps-test\Start-ActivityTracker.ps1
Get-Item C:\ps-test\Start-ActivityTracker.ps1 | Unblock-File
#>
Get-help -Name Unblock-File -Full
Get-help -Name Unblock-File -Online

Any script you use will be looked at for the actions it is performing. Your AV solution (Windows Defender notwithstanding) will take action(s) on it if it appears to be doing unexpected/nefarious things at any point. This has nothing to do with whether the scripts are signed or not, or what ExecutionPolicy you set.

The EP only means a script is allowed to run; it does not control what the script does or is going to do, and the EP is not a security boundary, as documented in the help files.

Unblock-File    Module: Microsoft.PowerShell.Utility

Unblocks files that were downloaded from the Internet.

This is all related to Windows ADS (alternate data streams).

'windows alternate data streams downloaded file'

### Detecting Alternate Data Streams with PowerShell and DOS

dir /s /r | find ":DATA"

# List every alternate data stream on the files in a folder
Get-Item -Path 'C:\users\me\desktop\*' -Stream *

# Read the Zone.Identifier stream of a downloaded file
Get-Content -Path 'C:\users\me\some_file.exe' -Stream zone.identifier
# Results
<#
[ZoneTransfer]
ZoneId=3
#>

The file was downloaded via zone 3, which, as the chart below shows, is the Internet Zone.

Value   Setting

  • 0   My Computer
  • 1   Local Intranet Zone
  • 2   Trusted Sites Zone
  • 3   Internet Zone
  • 4   Restricted Sites Zone

Or use Microsoft Sysinternals streams.exe.
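As an added example (not part of the original answer), the following PowerShell decodes the Zone.Identifier stream described above against the zone table, stamps a constructed demo file as an Internet-zone download, and then unblocks only the scripts whose ZoneId is 3. The `$Downloads` path, the `Get-ZoneInfo` helper and the demo file are assumptions for illustration; the `-Stream` parameters are Windows/NTFS only.

```powershell
# Added example, not from the original page. Assumes Windows (NTFS alternate data streams)
# and a scripts folder under $Downloads; adjust the path to suit.
$Downloads = "$env:USERPROFILE\Downloads"

# ZoneId values from the chart above
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet Zone'
    2 = 'Trusted Sites Zone'
    3 = 'Internet Zone'
    4 = 'Restricted Sites Zone'
}

function Get-ZoneInfo {
    # Returns the parsed Zone.Identifier stream of one file, or $null if the file carries none
    param([Parameter(Mandatory)][string]$Path)
    # Reading a stream that does not exist is a non-terminating error, so it is suppressed here
    $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    $info = @{}
    foreach ($line in $lines) {
        # Stream is INI-style: "[ZoneTransfer]" then Key=Value lines
        if ($line -match '^(\w+)=(.*)$') { $info[$Matches[1]] = $Matches[2] }
    }
    $zoneId = [int]$info['ZoneId']
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = $zoneId
        ZoneName    = $ZoneNames[$zoneId]
        HostUrl     = $info['HostUrl']       # written by many browsers; empty if absent
        ReferrerUrl = $info['ReferrerUrl']
    }
}

# Constructed demo: create a script and stamp it as if it had been downloaded from the Internet zone
$demo = Join-Path $env:TEMP 'demo-download.ps1'
Set-Content -LiteralPath $demo -Value 'Write-Output "hello from a downloaded script"'
Set-Content -LiteralPath $demo -Stream 'Zone.Identifier' -Value @('[ZoneTransfer]', 'ZoneId=3')

Get-ZoneInfo -Path $demo          # ZoneId 3, ZoneName 'Internet Zone'

# Unblock and confirm the mark of the web is gone (nothing is returned once the stream is removed)
Unblock-File -LiteralPath $demo
Get-Item -LiteralPath $demo -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue

# Bulk: find every script under $Downloads that carries a zone mark, and unblock only
# those from the Internet zone, leaving Restricted Sites (4) downloads blocked for review
Get-ChildItem -LiteralPath $Downloads -Recurse -File -Include *.ps1, *.psm1, *.psd1 |
    ForEach-Object { Get-ZoneInfo -Path $_.FullName } |
    Where-Object { $_ -and $_.ZoneId -eq 3 } |
    ForEach-Object { Unblock-File -LiteralPath $_.Path -Verbose }
```

Unblock-File only removes the Zone.Identifier stream; it does not change how Defender scans or judges the file, which is the point the answer makes about the execution policy. The question's first bullet, putting a file on the Defender exclusion list programmatically, is a separate mechanism (`Add-MpPreference -ExclusionPath <path>` from an elevated session; `Get-MpPreference` lists the current exclusions), and an exclusion is a standing blind spot for anything later written to that path, so it is the last option to reach for, not a substitute for unblocking or signing.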
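The question's second bullet asks how to self-sign scripts so that RemoteSigned accepts them; the answer above does not cover it, so here is an added example (not from the original page) using the built-in certificate and Authenticode cmdlets. The certificate subject, file paths and timestamp server URL are assumptions; it needs PowerShell on Windows, and Windows shows a confirmation dialog when the certificate is imported into the CurrentUser Root store.

```powershell
# Added example, not from the original page. Creates a self-signed code-signing certificate,
# trusts it for the current user, signs a constructed demo script, and verifies the signature.
$subject = 'CN=My PowerShell Scripts'   # illustrative subject name

# 1. Self-signed code-signing certificate in the current user's personal store (no admin needed)
$cert = New-SelfSignedCertificate -Subject $subject -Type CodeSigningCert `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(3)

# 2. Trust it: export the public certificate and import it into Root (so the chain is trusted)
#    and TrustedPublisher (so AllSigned does not prompt for this publisher).
$cerPath = Join-Path $env:TEMP 'my-scripts.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher' | Out-Null

# 3. Sign a constructed demo script. The timestamp (assumed server URL) keeps the signature valid
#    after the certificate expires; drop -TimestampServer when working offline.
$script = Join-Path $env:TEMP 'signed-demo.ps1'
Set-Content -LiteralPath $script -Value 'Write-Output "signed and running"'
$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
$sig.Status                         # Valid

# 4. Verify the way the execution policy will: Status must be Valid from a trusted chain
Get-AuthenticodeSignature -FilePath $script | Select-Object Status, StatusMessage, SignerCertificate

# Any edit after signing invalidates the signature; re-sign after every change
Add-Content -LiteralPath $script -Value '# edited after signing'
(Get-AuthenticodeSignature -FilePath $script).Status   # HashMismatch

# Under RemoteSigned, a downloaded script with a Valid signature from a trusted publisher runs
# without Unblock-File; an unsigned or HashMismatch script from the Internet zone does not.
Get-ExecutionPolicy -List
```

A self-signed certificate proves only that the script was signed on a machine holding this key; it satisfies RemoteSigned and AllSigned because you placed it in Root and TrustedPublisher yourself, so keep the private key to that machine and do not distribute the certificate as if it were a public code-signing identity. As the answer notes, a valid signature changes nothing about Defender's behaviour-based detection; it only answers the execution-policy check.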
