Microsoft Defender for Endpoint flags the Windows Powershell installer as ClickFix malware

Hi, just wanted to let you know that Microsoft Defender for Endpoint flags the Windows Powershell installer as ClickFix malware.
First observed in our organization on 2025-09-19 and last observed 2025-10-15.
I did not find any other comments or related issues besides a [LinkedIn article](https://www.linkedin.com/pulse/windows-defender-threat-hunting-campaign-ideas-adair-collins-lefze) that mentions `https://github.com/posit-dev/air/releases/latest/download/` under the comment `// Exclude known benign installer URLs`.

```
Process command line: C:\Windows\System32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /C powershell -ExecutionPolicy Bypass -c irm https://github.com/posit-dev/air/releases/latest/download/air-installer.ps1 | iex C:/Users/xxx/
Threat name: Trojan:Win32/ClickFix.R!ml
Mitre techniques: T1036.005: Match Legitimate Resource Name or Location
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Microsoft Defender for Endpoint flags the Windows Powershell installer as ClickFix malware #418

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Microsoft Defender for Endpoint flags the Windows Powershell installer as ClickFix malware #418

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions