v0.4.2: false-positive reduction and AMSI reliability fix

TMHSDigital · TMHSDigital · commit 1124bc6c4b81 · 2026-03-15T16:43:33.000-04:00
Made-with: Cursor
diff --git a/AmIHacked.ps1 b/AmIHacked.ps1
@@ -79,7 +79,7 @@ if ($script:NonInteractive) {
 }
 $script:RedactMap = @{}
 
-$script:Version = "0.4.1"
+$script:Version = "0.4.2"
 
 # ── Helpers (loaded first) ───────────────────────────────────────────────────
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [0.4.2] - 2026-03-15
+
+### Fixed
+- **AMSI false CRITICAL** -- `Get-AuthenticodeSignature` fails silently in some PS 5.1 `-File` sessions; `Get-FileSignature` now returns a `CheckFailed` sentinel so callers distinguish module failures from unsigned files
+- **Scanner self-contamination** -- `remoteIpMoProxy_*` temp files created by the scanner's own CIM/WMI calls are no longer flagged as suspicious
+- **Stale COM registrations** -- HKCU COM overrides where the DLL no longer exists on disk are now skipped (inert registrations can't be exploited)
+- **Known-legitimate scheduled tasks** -- OneDrive, Opera, Zoom, Discord, and Teams updater tasks are no longer flagged as persistence
+- **Per-user session services** -- baseline diffs now skip Windows per-user service instances (e.g. `AarSvc_ddff8`) that change every login session
+- **`$args` shadowing** -- renamed to `$taskArgs` in scheduled task checks to avoid shadowing PowerShell's automatic variable
+- Restored Unicode box-drawing on verdict summary top border
+
 ## [0.4.1] - 2026-03-15
 
 ### Fixed
diff --git a/README.md b/README.md
@@ -12,7 +12,7 @@
 [![PowerShell 5.1+](https://img.shields.io/badge/PowerShell-5.1%2B-0d1117?style=for-the-badge&logo=powershell&logoColor=5391FE)](https://docs.microsoft.com/powershell/)
 [![Windows 10/11](https://img.shields.io/badge/Windows-10%20%2F%2011-0d1117?style=for-the-badge&logo=windows&logoColor=white)](https://www.microsoft.com/windows)
 [![License: MIT](https://img.shields.io/badge/License-MIT-0d1117?style=for-the-badge&logoColor=white)](LICENSE)
-[![Version](https://img.shields.io/badge/Version-0.4.1-FF6B6B?style=for-the-badge)](#changelog)
+[![Version](https://img.shields.io/badge/Version-0.4.2-FF6B6B?style=for-the-badge)](#changelog)
 
 [![Zero Dependencies](https://img.shields.io/badge/Dependencies-Zero-0d1117?style=flat-square&labelColor=0d1117)](#)
 [![MITRE ATT&CK](https://img.shields.io/badge/MITRE%20ATT%26CK-40%2B%20Techniques-ff3333?style=flat-square&labelColor=0d1117)](#mitre-attck-coverage)
@@ -140,7 +140,7 @@ Baselines enable **change detection** — the most powerful signal for catching
 
 ```
 ---AMIHACKED-SUMMARY-JSON---
-{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.1"}
+{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.2"}
 ```
 
 - Exit code reflects findings: **0** = clean, **1** = warnings only, **2** = critical findings detected

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ if ($script:NonInteractive) {`
`79`	`79`	`}`
`80`	`80`	`$script:RedactMap = @{}`
`81`	`81`
`82`		`-$script:Version = "0.4.1"`
	`82`	`+$script:Version = "0.4.2"`
`83`	`83`
`84`	`84`	`# ── Helpers (loaded first) ───────────────────────────────────────────────────`
`85`	`85`