[Question]: AntiVirus block the task

[Am-Na-D]

Task name

Winrm IIS Web App Management

Task version

3.*

Environment type (Please select at least one enviroment where you face this issue)

• Self-Hosted
• Microsoft Hosted
• VMSS Pool
• Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

Azure Devops Server 2022.0.1

Operation system

windows server 2022 /2019/2016

Question

hi 
recently we faced a new problem and our antivirus blocked the Winrm iis web management task in a remote machine.
I look into the extension (https://github.com/microsoft/azure-pipelines-extensions/tree/master/Extensions/IISWebAppDeploy/Src/Tasks/IISWebAppMgmt/IISWebAppMgmtV3) and understand the reasons of the block is Invoke-expression command that exists inside on of the PowerShell in extension files.
now I wanna know, why that just happened.
What's the problem?
why AV must block this command?
is it a risky command for Windows?

NOTICE: the brand of our AN is BitDefender
NOTICE: our BitDefender use AMSI of the windows

[DenisNikulin5]

Hi @Am-Na-D, thank you for the question!

The threat is similar to the SQL injections - using the Invoke-Expression command can lead to arbitrary code execution. So a developer must be sure of what he does, and avoid this command if possible. That's why your antivirus software complains about this code.

Please check this: https://learn.microsoft.com/powershell/scripting/dev-cross-plat/security/preventing-script-injection

[Am-Na-D]

Thanks @DenisNikulin5
honestly, this command is inside one of azure devops server tasks
and when we use it inside the release, it doesn't work correctly
now I understand why that doesn't work correctly
I wanna know if other companies that use this task face this problem.
and how to solve them
the task uses Winrm to make a connection between 2 servers and with this command try to manage the IIS

[DenisNikulin5]

@Am-Na-D
Please create an issue in https://github.com/microsoft/azure-pipelines-extensions. Looks like it doesn't relate to the tasks in this repository.

For a fast workaround, I would suggest including the file in a whitelist for your antivirus software.

[github-actions]

This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days