extension Winrm Web IIS Management blocked #1224

Open
1 of 4 tasks
Am-Na-D opened this issue Feb 26, 2024 · 1 comment
Am-Na-D commented Feb 26, 2024

Extension name

Winrm IIS Web App Management

Extension version

3.*

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

Azure DevOps Server 2022.0.1

Operating system

Windows Server 2022/2019/2016

Question

Hi,
Recently we faced a new problem: our antivirus blocked the Winrm IIS Web Management task on a remote machine.
I looked into the extension (https://github.com/microsoft/azure-pipelines-extensions/tree/master/Extensions/IISWebAppDeploy/Src/Tasks/IISWebAppMgmt/IISWebAppMgmtV3) and understood that the reason for the block is the Invoke-Expression command that exists inside one of the PowerShell files in the extension.
Now I want to know why that just happened.
What's the problem?
Why must the AV block this command?
Is it a risky command for Windows?

NOTICE: the brand of our AV is BitDefender
NOTICE: our BitDefender uses the Windows AMSI
LeftTwixWand self-assigned this May 13, 2024

LeftTwixWand (Contributor) commented:
Hi @Am-Na-D
Generally, your defender identifies the potential vulnerability correctly.

The use of Invoke-Expression in PowerShell can be risky, particularly when incorporating unsanitized user input:

# Simulated user input that includes an injection attempt
$userInput = "Get-Date && Remove-Item -Path C:\SensitiveFile -Force"

# Dangerous use of Invoke-Expression with user input
Invoke-Expression "Write-Output 'The current date is: ';$userInput"

As the example shows, the command executed by Invoke-Expression might contain a malicious command attached via the && operator. So, it's not recommended to use Invoke-Expression.

From our side we're trying to minimize its usage as much as we can. Also, we have built in sanitization for commands, we're executing, which prevents potential code injections.

Hope I answered your question😊
If you don't have any other questions - feel free to close this issue.
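The injection the reply describes, and the two ways a task script can avoid it, as an added example. This is not code from the IISWebAppMgmt extension; the function names, the allow-list pattern and the appcmd.exe call are illustrative assumptions, and the "malicious" site name is constructed for the demo with a harmless Write-Warning as its payload so it can be run safely.

```powershell
# Added example (not the extension's code): the same task done the unsafe way with
# Invoke-Expression and the safe way without it. Names here are hypothetical.

# Constructed input: looks like an IIS site name but carries an injected statement.
# The payload is a harmless Write-Warning so the demo is safe to run.
$maliciousName = 'Default Web Site"; Write-Warning "INJECTED: this ran as code"; "'

# --- Unsafe: the caller's value is spliced into a string that is then parsed as code.
function Show-SiteUnsafe {
    param([string]$Name)
    # The quotes inside $Name terminate the literal, so the injected statement becomes
    # a separate command. This assembled string is also what AMSI inspects at run time.
    Invoke-Expression "Write-Output `"Site: $Name`""
}

# --- Safe, in-process: allow-list the value and pass it as data, never as code.
function Show-SiteSafe {
    param(
        # Hypothetical allow-list: letters, digits, space, dot, underscore, hyphen.
        [ValidatePattern('^[A-Za-z0-9 ._-]{1,64}$')]
        [string]$Name
    )
    # $Name is only ever a string here; nothing re-parses it as PowerShell.
    Write-Output "Site: $Name"
}

# --- Safe, external tool: call the executable with an argument array instead of
# building a command line and handing it to Invoke-Expression.
function Invoke-AppCmdList {
    param(
        [ValidatePattern('^[A-Za-z0-9 ._-]{1,64}$')]
        [string]$Name
    )
    $appCmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'  # present only where IIS is installed
    if (-not (Test-Path $appCmd)) {
        throw "appcmd.exe not found; IIS is not installed on this host"
    }
    # Each array element is one argument to the child process; PowerShell does not
    # re-parse the contents, so quotes or semicolons in $Name cannot start a new command.
    $argList = @('list', 'site', "/name:$Name")
    & $appCmd @argList
}

# Demo
Write-Host '--- Invoke-Expression with hostile input:'
Show-SiteUnsafe -Name $maliciousName        # prints the site line AND the INJECTED warning

Write-Host '--- Validated parameter with the same input:'
try {
    Show-SiteSafe -Name $maliciousName
} catch {
    Write-Host "Rejected: $($_.Exception.Message)"   # ValidatePattern refuses the value
}

Write-Host '--- Validated parameter with a normal name:'
Show-SiteSafe -Name 'Default Web Site'
```

The fix is not the regex alone but the combination: validate the value against what a site name can legitimately contain, and then hand it to a cmdlet parameter or to a child process as one argument, so no component ever parses it as script. Because PowerShell submits the string given to Invoke-Expression to AMSI when it is evaluated, an AMSI-backed product such as BitDefender sees the dynamically assembled command rather than the task's static source, which is why this pattern draws attention even when the assembled command is benign.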
