Windows Defender and handling downloaded PowerShell scripts


I use Set-ExecutionPolicy RemoteSigned and download some scripts and modules. These are my scripts, so they are not signed. I could use Bypass or RemoteSigned or Unrestricted. I feel that Unrestricted is a bit over the top, so I went with RemoteSigned and indeed, even though my scripts are not signed, I can download them and run them... for a while. Then "Windows Defender" catches up and completely deletes my scripts. My questions are:

  • After I download a script, is there a programmatic way with PowerShell to instruct Windows Defender to mark that script on the exclusion list?

  • Would you say that Unrestricted is a bit unsafe? If so, what is the process of making these scripts signed (or self-signed?), or is this not possible? i.e. Set to Unrestricted so that files are not nuked, then download the file, then somehow put it on an exclusion list, then set the ExecutionPolicy back to RemoteSigned?

There is 1 answer

postanote, BEST ANSWER

Downloaded files are marked as from the Internet. You need to unblock them. Use the built-in cmdlet for that.

```powershell
# Get specifics for a module, cmdlet, or function
(Get-Command -Name Unblock-File).Parameters
(Get-Command -Name Unblock-File).Parameters.Keys
Get-Help -Name Unblock-File -Examples
# Results
<#
Unblock-File -Path C:\Users\User01\Documents\Downloads\PowerShellTips.chm
dir C:\Downloads\*PowerShell* | Unblock-File
Get-Item * -Stream "Zone.Identifier" -ErrorAction SilentlyContinue
C:\ps-test\Start-ActivityTracker.ps1
Get-Item C:\ps-test\Start-ActivityTracker.ps1 | Unblock-File
#>
Get-Help -Name Unblock-File -Full
Get-Help -Name Unblock-File -Online
```

Any script you use will be looked at for actions it is performing. Your AV solution (Windows Defender notwithstanding) will take action(s) on it if it appears to be doing unexpected/nefarious things at any point. This has nothing to do with whether they are signed or not, or what ExecutionPolicy you set.

EP only means allowing a script to run; it does not control what the script does or is going to do, and the EP is not a security boundary, as documented in the help files.

Unblock-File Module: Microsoft.PowerShell.Utility

Unblocks files that were downloaded from the Internet.

This is all related to Windows ADS.

'windows alternate data streams downloaded file'

### Detecting Alternate Data Streams with PowerShell and DOS

```cmd
dir /s /r | find ":DATA"
```

```powershell
Get-Item -Path 'C:\users\me\desktop\*' -Stream *

Get-Content -Path 'C:\users\me\some_file.exe' -Stream zone.identifier
# Results
<#
[ZoneTransfer]
ZoneId=3
1
2
#>
```

The file was downloaded via zone 3, which we now know is the Internet Zone, as depicted in the chart below.

| Value | Setting               |
|-------|-----------------------|
| 0     | My Computer           |
| 1     | Local Intranet Zone   |
| 2     | Trusted Sites Zone    |
| 3     | Internet Zone         |
| 4     | Restricted Sites Zone |

Or using MS SysInternals: streams.exe
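As an added example (not part of the answer above), the following PowerShell ties the pieces together: it reads the `Zone.Identifier` stream of each script in a folder, maps the `ZoneId` to the zone name from the chart, and runs `Unblock-File` only on files that came from the Internet Zone. The `Get-DownloadZone` function, the `$ZoneNames` table, the demo directory under `$env:TEMP` and the sample `Hello.ps1` are all constructed for this example; the stream is written by hand to simulate what a browser does on download.

```powershell
# Added example: inspect the Zone.Identifier ADS of downloaded files, report
# which zone they came from, and unblock only the ones you have reviewed.
# $ZoneNames, Get-DownloadZone and the demo files are constructed for this demo.

# ZoneId values and their names, as in the chart above.
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet Zone'
    2 = 'Trusted Sites Zone'
    3 = 'Internet Zone'
    4 = 'Restricted Sites Zone'
}

function Get-DownloadZone {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        # A file with no Zone.Identifier stream was never marked by a download tool.
        $stream = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        $zoneId = $null
        foreach ($line in $stream) {
            if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        }
        [pscustomobject]@{
            Path     = $Path
            ZoneId   = $zoneId
            ZoneName = if ($null -ne $zoneId) { $ZoneNames[$zoneId] } else { '(no Zone.Identifier stream)' }
        }
    }
}

# --- Demo with a constructed script file ---
$demoDir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$script  = Join-Path $demoDir 'Hello.ps1'
Set-Content -LiteralPath $script -Value 'Write-Output "hello from a downloaded script"'

# Simulate a browser download: write the Zone.Identifier stream with ZoneId=3.
Set-Content -LiteralPath $script -Stream 'Zone.Identifier' -Value @('[ZoneTransfer]', 'ZoneId=3')

# Before: the file reports as Internet Zone.
Get-ChildItem -LiteralPath $demoDir -Filter *.ps1 |
    Select-Object -ExpandProperty FullName | Get-DownloadZone

# Unblock only scripts marked as Internet Zone, and only after reading them;
# Unblock-File deletes the Zone.Identifier stream.
Get-ChildItem -LiteralPath $demoDir -Filter *.ps1 |
    Where-Object { (Get-DownloadZone -Path $_.FullName).ZoneId -eq 3 } |
    Unblock-File

# After: no stream remains, so RemoteSigned treats the file as a local script.
Get-ChildItem -LiteralPath $demoDir -Filter *.ps1 |
    Select-Object -ExpandProperty FullName | Get-DownloadZone
```

Two points worth keeping in mind when adapting this: `Unblock-File` only removes the zone marker that `RemoteSigned` looks at, so it has no effect on what Defender or any other AV decides about the script's behaviour, which is the separate problem the answer describes; and filtering on `ZoneId -eq 3` before unblocking keeps you from silently clearing the marker on every file in a folder, so the review step stays deliberate.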