Hi, just wanted to let you know that Microsoft Defender for Endpoint flags the Windows PowerShell installer as ClickFix malware.
First observed in our organization on 2025-09-19 and last observed 2025-10-15.
I did not find any other comments or related issues besides a LinkedIn article that mentions `https://github.com/posit-dev/air/releases/latest/download/` under the comment `// Exclude known benign installer URLs`.
Process command line: C:\Windows\System32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /C powershell -ExecutionPolicy Bypass -c irm https://github.com/posit-dev/air/releases/latest/download/air-installer.ps1 | iex C:/Users/xxx/
Threat name: Trojan:Win32/ClickFix.R!ml
Mitre techniques: T1036.005: Match Legitimate Resource Name or Location