Fix false CRITICAL on AMSI when PS.Security module fails to load

Made-with: Cursor

Author: TMHSDigital

lib/Helpers.ps1

@@ -378,12 +378,14 @@ function Test-IsPrivateIP {
 
 function Get-FileSignature {
     param([string]$FilePath)
+    # Force-load the module; suppress TypeData-conflict errors that occur in some PS 5.1 sessions
+    Import-Module Microsoft.PowerShell.Security -Force -ErrorAction SilentlyContinue -WarningAction SilentlyContinue 2>$null
     try {
         $sig = Get-AuthenticodeSignature $FilePath -ErrorAction SilentlyContinue
-        return $sig
-    } catch {
-        return $null
-    }
+        if ($sig) { return $sig }
+    } catch { }
+    # If the module still couldn't load, return a sentinel so callers don't treat it as "unsigned"
+    return [PSCustomObject]@{ Status = "CheckFailed"; StatusMessage = "Signature check unavailable (PS.Security module could not be loaded)." }
 }
 
 function Get-FileVersionInfo {

modules/Check-DefenseEvasion.ps1

@@ -66,7 +66,9 @@ function Invoke-DefenseEvasionChecks {
     $amsiDll = "$env:SystemRoot\System32\amsi.dll"
     if (Test-Path $amsiDll) {
         $sig = Get-FileSignature -FilePath $amsiDll
-        if (-not $sig -or $sig.Status -ne "Valid") {
+        if ($sig -and $sig.Status -eq "CheckFailed") {
+            Write-Status "AMSI signature check unavailable (PS.Security module could not be loaded)." -Color DarkGray
+        } elseif (-not $sig -or $sig.Status -ne "Valid") {
             Add-Finding -Severity "CRITICAL" -Category "DefenseEvasion" `
                 -Title "AMSI DLL Signature Invalid" `
                 -Description "amsi.dll at '$amsiDll' does not have a valid digital signature (Status: $(if ($sig) { $sig.Status } else { 'Missing' })). This may indicate the AMSI interface has been tampered with to bypass script scanning." `