HideConsoleWindow = $true and exe file suspended by Crowdstrike (antivirus program)

After setting HideConsoleWindow = $true in project.psd1 and packaging the PowerShell script into an exe file, I executed the exe file and the antivirus program detected it as malicious code and removed the exe file completely. If I set it back to $false, everything works well without any issue. Is there any solution for this, please?

Hi @PSNewStarter

Thank you for sharing this, as it is very helpful to know the precise behavior (on/off switch) that can trigger some behavior-based security applications. I would advise that you will need to check with the CrowdStrike vendor for guidance on this.

I see that they have an article that might be related to this at "How to Create Custom Rules with CrowdStrike". Can you check into this and let us know if it helps?

@adam - Can you advise a little bit around what the HideConsoleWindow property is specifically doing when enabled? That may help in the future with respect to programming exceptions around application behavior.

We create a hidden cmd window and then attach it to the process.

                _console = new Process();
                _console.StartInfo = new ProcessStartInfo();
                _console.StartInfo.UseShellExecute = false;
                _console.StartInfo.CreateNoWindow = true;
                _console.StartInfo.FileName = "cmd";

                var attached = AttachConsole(_console.Id);

This is the same behaviour if you put Obfuscate = $true; CrowdStrike will remove it.

@PSNewStarter - Bluntly, the answer is no. There is no solution to this. You have a decision to make to move this forward. Either:

a) Do not use the aforementioned .NET features which are considered threatening by your security applications. Learn to live without those features.


b) Work with the operator of your security application to configure exceptions or find another solution with your IT department (e.g. a test environment where Antivirus/EDR solutions can be relaxed for purposes of development).


The reason that the security application (e.g. CrowdStrike) was deployed was precisely to force this conversation. The operators of the security application will ban the threatening behavior first and force those with legitimate purposes (like you) to come forward and document for the record their need for an exception.

Uninspectable executable binaries with no provenance or reputation are going to be a problem for Antivirus/EDR solutions. Security hardening is an upward trend. Normally, there is an opportunity from the vendor to upload the binary file (e.g. false positive) for inspection by them and inclusion to their allow list. This can increase the reputation of the file and help it to avoid conviction.

I am sorry there is not a more direct answer here.


You will need to work closely with your security application vendor.
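For the exception or false-positive route described in the thread, the security team will usually want facts that identify the exact binary. The following is an added example, not code from the thread or from the packaging tool: it assumes Windows PowerShell and uses a hypothetical function name, `Get-ExceptionRequestRecord`, to collect the hash, signature state and version details of a packaged exe.

```powershell
# Added example: collects identifying facts about a packaged exe for an
# allow-list or false-positive request. The function name is hypothetical.
function Get-ExceptionRequestRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # An unsigned file reports Status 'NotSigned' and has no signer certificate.
    $signer     = $null
    $thumbprint = $null
    if ($sig.SignerCertificate) {
        $signer     = $sig.SignerCertificate.Subject
        $thumbprint = $sig.SignerCertificate.Thumbprint
    }

    [pscustomobject]@{
        FileName         = $file.Name
        SizeBytes        = $file.Length
        Sha256           = $hash.Hash
        SignatureStatus  = $sig.Status.ToString()
        Signer           = $signer
        SignerThumbprint = $thumbprint
        ProductName      = $file.VersionInfo.ProductName
        FileVersion      = $file.VersionInfo.FileVersion
        LastWriteUtc     = $file.LastWriteTimeUtc.ToString('o')
    }
}

# Stand-in input so the snippet runs on any Windows host: the current
# PowerShell executable. Replace it with the path to the packaged exe.
$sample = (Get-Process -Id $PID).Path
Get-ExceptionRequestRecord -Path $sample | ConvertTo-Json
```

Every rebuild of the package produces a new SHA-256, so a record like this has to be regenerated for each build that is submitted.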