Hi, just wanted to let you know that Microsoft Defender for Endpoint flags the Windows PowerShell installer as ClickFix malware.
First observed in our organization on 2025-09-19 and last observed 2025-10-15.
I did not find any other comments or related issues besides a LinkedIn article that mentions https://github.com/posit-dev/air/releases/latest/download/ under the comment // Exclude known benign installer URLs.
Process command line: C:\Windows\System32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /C powershell -ExecutionPolicy Bypass -c irm https://github.com/posit-dev/air/releases/latest/download/air-installer.ps1 | iex C:/Users/xxx/
Threat name: Trojan:Win32/ClickFix.R!ml
MITRE techniques: T1036.005: Match Legitimate Resource Name or Location