I'm writing a Pester test to verify the configuration of Windows computers. One of the tests I need is to verify whether PowerShell AMSI is working or not.

There is an AMSI test string that can be used to verify the function. I created the following test.

It '"Antimalware Scan Interface" is working' {
    # AMSI test string 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
    # (in the following as an obfuscated string: Base64 of the bytes XORed with 0x33)
    # must throw an error if executed (blocked by AMSI)
    $TestString = "FHJ+YHoTZ1ZARxNgUl5DX1YJEwRWBAFQAFBWHgsFAlEeBwAACh4LBAcDHgNSUAIHCwdQAgALBRQ="
    $Bytes = [Convert]::FromBase64String($TestString)
    $String = -join ($Bytes | ForEach-Object { [char]($_ -bxor 0x33) })
    # the decoded text is a quoted string literal, so evaluating it only fails if AMSI blocks it
    { Invoke-Expression -Command $String } | Should Throw
}

If I run the test, AMSI works so well that the complete Context block is not executed, i.e. the test does not run and no success is reported.

I receive:

    Error occurred in Context block
    In Filename.Tests.ps1:420 Character:36
    + Context 'Configure PowerShell' {
    + ~
    The Script contains malicious data and was blocked by anti malware.

(translated text; the original might differ slightly.)

Instead of the error, I want the Context to be executed and to report "test successful" because an error was thrown.

Any ideas how I could handle this issue or test AMSI otherwise?

vrdse
  • I'm not sure you're going to be able to work around this as AMSI is doing its job. Out of curiosity, does using `start-process` instead of invoke-expression help at all? – Mark Wragg Sep 08 '17 at 13:49
  • If you mean like `. powershell.exe -command $command` - it does not :/ – vrdse Sep 08 '17 at 13:54
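The following is an added example and not code from the question or its comments. It takes the decode-and-evaluate check from the question and moves the evaluation into a child PowerShell process, reporting the outcome through the child's exit code rather than through an exception. The parent script only ever holds the obfuscated Base64 form from the question, and the decision "blocked or not" does not depend on an exception crossing the process boundary. The function name `Test-AmsiBlocksTestSample` and the exit-code convention (0 = the sample evaluated, 1 = evaluation threw, which is treated as blocked, the same criterion as the original `Should Throw`) are assumptions of this example.

```powershell
# Added example (not from the question): evaluate the AMSI test sample in a
# child PowerShell process and judge the result by its exit code, so the
# Pester runspace itself never compiles the decoded sample.
function Test-AmsiBlocksTestSample {
    # Obfuscated form of 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
    # (Base64 of the quoted string XORed with 0x33), copied from the question so
    # that the plain text never appears in this file.
    $Encoded = 'FHJ+YHoTZ1ZARxNgUl5DX1YJEwRWBAFQAFBWHgsFAlEeBwAACh4LBAcDHgNSUAIHCwdQAgALBRQ='

    # Script run by the child. The decoded text is a quoted string literal, so
    # Invoke-Expression succeeds only if AMSI lets it through; a terminating
    # error is treated as "blocked". Exit codes (assumed convention):
    #   0 = sample evaluated without objection (AMSI did not block it)
    #   1 = evaluation threw (blocked); the message is echoed to stderr
    $ChildScript = @"
`$bytes = [Convert]::FromBase64String('$Encoded')
`$text  = -join (`$bytes | ForEach-Object { [char](`$_ -bxor 0x33) })
try {
    `$null = Invoke-Expression -Command `$text
    exit 0
} catch {
    [Console]::Error.WriteLine(`$_.Exception.Message)
    exit 1
}
"@
    # -EncodedCommand expects the script as Base64 of its UTF-16LE bytes
    $EncodedCommand = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($ChildScript))

    $Process = Start-Process -FilePath 'powershell.exe' `
        -ArgumentList @('-NoProfile', '-NonInteractive', '-EncodedCommand', $EncodedCommand) `
        -WindowStyle Hidden -Wait -PassThru
    return $Process.ExitCode
}
```

Inside the Pester test this becomes `Test-AmsiBlocksTestSample | Should Be 1` (legacy `Should` syntax, as in the question). An exit code other than 0 or 1 means the child did not get as far as the try/catch (for example, it was terminated before the script ran), which is worth distinguishing from a clean block when reading results. The comment above reports that a plain `powershell.exe -command` did not help on the asker's machine; whether this exit-code variant avoids the Context-block abort there is not established by the thread.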

0 Answers