Windows Antimalware Scan Interface (AMSI) is a tool for unpacking and deobfuscation of malicious files. Microsoft developed this technology as a method to protect users from malware and implemented it in Windows 10. AMSI intercepts scripts and commands in real time.
The AMSI function is integrated into the following components of Windows 10:
In Kaspersky Research Sandbox, if Auto is selected as the execution environment and the file has a jsc, js, jse, ps1, vba, vbe or vbs extension, the Microsoft Windows 10 environment with AMSI (if installed) will be used to execute the file.
To install the Microsoft Windows 10 image, please contact your administrator.
The result of the AMSI buffer analysis by anti-virus databases will be available on the report page. If the file performs actions that the detection technology evaluates as unusual, information about them will appear in Suspicious activities.