Kaspersky Endpoint Security 12.1 for Windows

AMSI Protection

The AMSI Protection component supports the Antimalware Scan Interface (AMSI) from Microsoft. AMSI allows third-party applications with AMSI support to send objects (for example, PowerShell scripts) to Kaspersky Endpoint Security for an additional scan and then receive the scan results. Third-party applications may include, for example, Microsoft Office applications (see the figure below). For details on AMSI, refer to the Microsoft documentation.

AMSI Protection can only detect a threat and notify the third-party application about the detected threat. After receiving a threat notification, the third-party application prevents the malicious actions from being performed (for example, by terminating).

AMSI operation example

The AMSI Protection component may decline a request from a third-party application, for example, if the application exceeds the maximum number of requests within a specified interval. Kaspersky Endpoint Security sends information about the rejected request to the Administration Server. The AMSI Protection component does not deny requests from third-party applications for which continuous integration with the AMSI Protection component is enabled.
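The client side of the exchange described above, as an added example (not Kaspersky or Microsoft code): a PowerShell function that submits a string through the Windows AMSI API, reads the verdict returned by the registered provider and decides whether the content may run. The names `ExampleApp`, `Test-ContentWithAmsi` and `-FailClosed` are hypothetical; this page does not say how a declined request appears to the caller, so the example assumes it arrives as a failing HRESULT with no verdict.

```powershell
# Added example: an AMSI client that submits content and acts on the verdict.
# 'ExampleApp' and the sample content below are constructed for illustration.
Add-Type -Namespace Example -Name Amsi -MemberDefinition @'
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);
[DllImport("amsi.dll")]
public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiScanString(IntPtr amsiContext, string content,
    string contentName, IntPtr amsiSession, out int result);
[DllImport("amsi.dll")]
public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);
[DllImport("amsi.dll")]
public static extern void AmsiUninitialize(IntPtr amsiContext);
'@

function Test-ContentWithAmsi {
    param([string]$Content, [string]$ContentName = 'sample.ps1', [switch]$FailClosed)
    $ctx = [IntPtr]::Zero; $session = [IntPtr]::Zero; $verdict = 0
    $hr = [Example.Amsi]::AmsiInitialize('ExampleApp', [ref]$ctx)
    if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
    try {
        $hr = [Example.Amsi]::AmsiOpenSession($ctx, [ref]$session)
        if ($hr -eq 0) {
            $hr = [Example.Amsi]::AmsiScanString($ctx, $Content, $ContentName, $session, [ref]$verdict)
        }
        if ($hr -ne 0) {
            # Assumption: a request the provider did not serve yields no verdict.
            # The caller must choose a policy; -FailClosed blocks unscanned content.
            return [pscustomobject]@{ Scanned = $false; Allow = -not $FailClosed
                                      Detail = ('HRESULT 0x{0:X8}' -f $hr) }
        }
        # Same test as the AmsiResultIsMalware macro: result >= AMSI_RESULT_DETECTED (32768).
        $malware = $verdict -ge 32768
        # 0x4000..0x4FFF is the AMSI_RESULT_BLOCKED_BY_ADMIN range (administrator policy).
        $policy = ($verdict -ge 0x4000) -and ($verdict -le 0x4FFF)
        [pscustomobject]@{ Scanned = $true; Allow = -not ($malware -or $policy)
                           Detail = "AMSI_RESULT $verdict" }
    }
    finally {
        if ($session -ne [IntPtr]::Zero) { [Example.Amsi]::AmsiCloseSession($ctx, $session) }
        [Example.Amsi]::AmsiUninitialize($ctx)
    }
}

# The application, not the provider, enforces the verdict.
$r = Test-ContentWithAmsi -Content 'Write-Output "hello"' -FailClosed
if (-not $r.Allow) { Write-Warning "Refusing to run content: $($r.Detail)" }
```

Because the provider only reports a verdict, the `Allow` decision and the fail-open or fail-closed choice for unscanned content belong to the calling application.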

AMSI Protection is available for the following operating systems for workstations and servers:

  • Windows 10 Home / Pro / Pro for Workstations / Education / Enterprise;
  • Windows 11 Home / Pro / Pro for Workstations / Education / Enterprise;
  • Windows Server 2016 Essentials / Standard / Datacenter (including Core Mode);
  • Windows Server 2019 Essentials / Standard / Datacenter (including Core Mode);
  • Windows Server 2022 Standard / Datacenter / Datacenter: Azure Edition (including Core Mode).
