AMSI stands for Anti-Malware Scan Interface. It is a Windows feature, used by Windows Defender and other antimalware products, for detecting malicious content. AMSI is aimed especially at malicious scripts and other less obvious programmatic components.
AMSI can also support heuristic detection, meaning a program's behavior is one of the criteria used to flag it as malicious or not. Moreover, it enables in-memory detection, because the AMSI module is loaded into the memory of each participating process.
Microsoft developed the engine in response to file-less attacks, which were becoming more and more popular: threat actors stopped dropping malicious files or scripts on the file system and started working exclusively in memory.
On AMSI-powered systems, any PowerShell or VBScript code is picked up by AMSI before the scripting engine executes it. AMSI, in turn, sends it to the antimalware solution, which gives a thumbs up or a thumbs down based on its signature database. If it is a thumbs down, PowerShell will not execute that code, whether it was downloaded from the internet and run in memory or run from a script on disk.
AMSI deeply integrates with several components of Microsoft Windows, having visibility over:
In the antivirus provider layer, you can use either Windows Defender or a third-party solution.
Assuming, for example, that a powershell.exe process is started, the AMSI.dll library is automatically loaded into that process. Every time a command is executed or a module is loaded into powershell.exe, AMSI sends it to the antimalware engine, which validates or rejects that command for execution.
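The following PowerShell script is an added example and not part of the original page; it checks, from a defender's point of view, the two pieces of plumbing described above on a Windows host: whether AMSI.dll is actually loaded into the current powershell.exe process, and which antimalware providers are registered under the standard registry key HKLM\SOFTWARE\Microsoft\AMSI\Providers to receive AMSI's scan requests. The function names (Get-AmsiProvider, Test-AmsiLoaded, Test-AmsiPlumbing) are chosen here and are not Windows built-ins; the registry paths are the standard ones.

```powershell
# Added example (not from the original page): inspect the AMSI plumbing on this host.
# Nothing here changes state; it only reads the registry and the current process's module list.

function Get-AmsiProvider {
    # Each subkey of this key is the CLSID of a registered AMSI provider (Defender or third party).
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $root)) { return @() }

    Get-ChildItem $root | ForEach-Object {
        $clsid    = $_.PSChildName
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $inproc   = "$clsidKey\InprocServer32"

        # Resolve the COM registration to a friendly name and the DLL that implements the provider.
        $name = if (Test-Path $clsidKey) { (Get-ItemProperty $clsidKey).'(default)' } else { $null }
        $dll  = if (Test-Path $inproc)   { (Get-ItemProperty $inproc).'(default)'   } else { $null }

        [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll }
    }
}

function Test-AmsiLoaded {
    # PowerShell loads amsi.dll into its own process when AMSI is available; if it is missing,
    # no script content from this process is being handed to a provider at all.
    $modules = (Get-Process -Id $PID).Modules
    return [bool]($modules | Where-Object { $_.ModuleName -ieq 'amsi.dll' })
}

function Test-AmsiPlumbing {
    $loaded    = Test-AmsiLoaded
    $providers = @(Get-AmsiProvider)

    [pscustomobject]@{
        AmsiDllLoaded = $loaded
        ProviderCount = $providers.Count
        Providers     = $providers
        # AMSI only produces verdicts if the DLL is loaded AND at least one provider is registered.
        Healthy       = ($loaded -and $providers.Count -gt 0)
    }
}

Test-AmsiPlumbing | Format-List
```

A result with AmsiDllLoaded set to True but ProviderCount equal to 0 is the case the page warns about: the interface is present, but there is no antimalware engine behind it to return a verdict, so every scan request is effectively waved through. Microsoft documents a harmless AMSI test string (the line 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386' typed into a PowerShell prompt) that a healthy Defender installation blocks, which can be used to confirm the whole path end to end once the script above reports a registered provider.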
<aside> ⚠️ The flaw of AMSI is that it contains no logic of its own to decide whether a scanned action is legitimate; it always has to rely on the antimalware provider. This allows detection of malicious scripts regardless of input method (disk, encoded command, in memory, etc.), but it is entirely dependent on the signature-based detection of the registered antivirus.
</aside>