How to confirm ENS AMSI (Antimalware Scan Interface) injection into processes

Technical Articles ID: KB94627
Last Modified: 2023-06-21 04:47:42 Etc/GMT

Environment

Endpoint Protection Platform
Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.x
ENS Threat Prevention 10.x

Microsoft Windows 11, 10
Microsoft Windows Server 2022, 2019, 2016

Summary

To confirm Antimalware Scan Interface (AMSI) exclusions are working as expected:

Check if AMSI is loading in a process:
To check what processes AMSI .dlls inject into

Open a Command-line session, running as Administrator.
Run the following commands:
To view the Microsoft .dll's:
tasklist /m amsi*

To confirm that the ENS Threat Prevention AMSI is loaded:
tasklist /m mfeamsiprovider.dll

To check that ENS ATP AMSI is loaded:
tasklist /m atpamsiguard.dll

Check that MVISION Endpoint AMSI is loaded:
tasklist /m mveamsiguard64.dll

Or:

Start the Sysinternals Process Monitor Tool.
Specify the following filters:
"Operation" "Is" "Load Image"
"Path" "Contains" "AMSI"

Expect to see injection by MfeAmsiProvider.dll and ATPAmsiGuard.dll into processes loaded after procmon starts.

To confirm if a process already running before process monitor start is injected:

Double-click on the process entry and open an Event Properties Window.
Select the Process tab. Click the column header and sort the entries by Company.
Under McAfee and Musarubra, LLC, check for MfeAmsiProvider.dll and ATPAmsiGuard.dll entries.

NOTE: Below are the AMSI configuration locations in the respective product policies in ePolicy Orchestrator (ePO):

ENS Threat Prevention: Policy Catalog, ENS Threat Prevention, On-Access Scan, <Policy Name>, Enable AMSI (provides enhanced script scanning)
ENS ATP: Policy Catalog, ENS ATP, Options, <Policy Name>, Enable enhanced script scanning (includes AMSI integration)
Endpoint Protection Platform: Policy Catalog, Endpoint Protection Platform, General, <Policy Name>, Enable script scanning

Related Information

For an AMSI block test, see KB59742 - How to use the EICAR test file with our products.
To perform an AMSI block test in Windows Defender:

Open PowerShell and enter AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386.
Check the Windows Defender on-access scan log for details.
The Detection Win32/Mptest!amsi (Microsoft detection name) triggers on this string and is reported in the logs.

AMSI result values
The antimalware provider can return a result between 1 and 32767, inclusive, as an estimated risk level. The larger the result, the riskier to continue with the content.
These values are provider-specific, and might indicate a malware family or ID. Any totaled result equal to or larger than 32768 is considered malware, and the content blocked.
An application should use AmsiResultIsMalware to determine this value.

AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
AMSI_RESULT_DETECTED = 32768

So search the ENS logs using string 32768 to highlight possible AMSI blocks.

The visibility of Antimalware Scan Interface (AMSI) generated events can be limited.
The following steps provide an AMSI logging mechanism:

Open an administrator CLI session
Start logging AMSI events in c:\temp\:
Run: logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o c:\temp\amsi.etl –ets
To stop logging AMSI events:
Run: logman stop AMSITrace –ets
To read the .etl run:
powershell "Get-WinEvent -Path c:\temp\amsi.etl -Oldest | Format-List *"
Alternatively, you can do the following:
1. Open Windows Event viewer (eventvwr.msc).
2. Right-click Event Viewer (local).
3. Open the saved log: Browse to c:\temp\ and select the etl file previously generated.
4. Agree to the conversion to .evtx, click the Details tab, and view the XML after it's loaded.
  
  Registered Provider IDs are found under:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\Providers\
  HKLM\SW\Classes\CLSID\
  Microsoft Windows Defender = {2781761E-28E0-4109-99FE-B9D127C57AFE}
  McAfee ENS = {436D0575-3FCC-49C2-9E9C-5772A341E1D5}
  Carbon Black = {009DDD00-35E7-4664-AFB3-732D5C459754}
  Microsoft AMSI = {2a576b87-09a7-520e-c21a-4942f0271d67}

Script to test WScript AMSI injection:

Open Notepad.
Paste the following text into Notepad:
i=10
If i=10 Then
msgbox("TEST, Click OK to close")
Else
Msgbox "Hello world"
End if
Save as c:\temp\test.vbs.
Open a command-line session, type wscript test.vbs and press Enter.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

How to confirm ENS AMSI (Antimalware Scan Interface) injection into processes

Environment

Summary

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

How to confirm ENS AMSI (Antimalware Scan Interface) injection into processes

Environment

Summary

Related Information

Affected Products

Languages:

Choose your region

Title

Title