For an AMSI block test, see
KB59742 - How to use the EICAR test file with our products.
To perform an AMSI block test against Windows Defender:
- Open PowerShell and enter the following string exactly as shown:
AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386
- PowerShell submits the command line to AMSI, Windows Defender detects the string, and the command is blocked. Check the Windows Defender scan log for details.
The detection Win32/Mptest!amsi (Microsoft detection name) triggers on this string and is reported in the logs. The string is harmless on its own; it is a signature-only test, much like EICAR.
AMSI result values
The antimalware provider can return a result between 1 and 32767, inclusive, as an estimated risk level. The larger the result, the riskier it is to continue with the content.
These values are provider-specific and might indicate a malware family or ID. Any returned result equal to or larger than 32768 is considered malware, and the content should be blocked.
An application should not compare against individual values; it should use
AmsiResultIsMalware (defined in amsi.h as result >= AMSI_RESULT_DETECTED) to decide whether to block the content.
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
AMSI_RESULT_DETECTED = 32768
As a quick first pass, search the ENS logs for the string
32768 to highlight possible AMSI blocks. Because any value of 32768 or higher is a detection, a literal search for 32768 can miss provider-specific values above it; when in doubt, compare the numeric result against 32768 instead.
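The following PowerShell is an added example and is not part of this KB or of any vendor product. It applies the AmsiResultIsMalware rule (result >= AMSI_RESULT_DETECTED) to log lines instead of searching for the literal 32768, so that provider-specific values above 32768 are not missed and admin-policy blocks in the 16384-20479 range are not mistaken for detections. The log line format below is constructed for illustration and is not real ENS log output.

```powershell
# Added example, not from the KB: decide "malware or not" the way the
# AmsiResultIsMalware macro in amsi.h does (result >= AMSI_RESULT_DETECTED),
# then apply it to log lines instead of grepping for the literal 32768.
# The log lines below are constructed for illustration; they are not real ENS log output.

$AMSI_RESULT_CLEAN                  = 0
$AMSI_RESULT_NOT_DETECTED           = 1
$AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
$AMSI_RESULT_BLOCKED_BY_ADMIN_END   = 20479
$AMSI_RESULT_DETECTED               = 32768

function Test-AmsiResultIsMalware {
    # Mirrors amsi.h: AmsiResultIsMalware(r) is (r) >= AMSI_RESULT_DETECTED.
    param([Parameter(Mandatory)][int]$Result)
    return ($Result -ge $AMSI_RESULT_DETECTED)
}

function Get-AmsiResultDescription {
    param([Parameter(Mandatory)][int]$Result)
    if ($Result -eq $AMSI_RESULT_CLEAN)        { return 'AMSI_RESULT_CLEAN' }
    if ($Result -eq $AMSI_RESULT_NOT_DETECTED) { return 'AMSI_RESULT_NOT_DETECTED' }
    if ($Result -ge $AMSI_RESULT_BLOCKED_BY_ADMIN_START -and
        $Result -le $AMSI_RESULT_BLOCKED_BY_ADMIN_END) {
        return 'AMSI_RESULT_BLOCKED_BY_ADMIN (admin policy, not a detection)'
    }
    if ($Result -ge $AMSI_RESULT_DETECTED) {
        return "AMSI_RESULT_DETECTED (provider-specific value $Result)"
    }
    return "provider risk level $Result (below the detection threshold)"
}

function Find-AmsiBlock {
    # Extract the numeric result from each line and keep the ones AMSI treats as malware.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'result=(\d+)') {
            $r = [int]$Matches[1]
            if (Test-AmsiResultIsMalware -Result $r) {
                [pscustomobject]@{
                    Result  = $r
                    Meaning = Get-AmsiResultDescription -Result $r
                    Line    = $line
                }
            }
        }
    }
}

# Constructed sample lines: one clean scan, one detection at exactly 32768,
# one provider-specific detection above 32768, and one admin-policy block.
$sampleLog = @(
    '2024-01-01 10:00:01 AMSI scan app=PowerShell content=profile.ps1 result=1',
    '2024-01-01 10:00:02 AMSI scan app=PowerShell content=cmdline result=32768',
    '2024-01-01 10:00:03 AMSI scan app=WScript content=test.vbs result=32770',
    '2024-01-01 10:00:04 AMSI scan app=PowerShell content=policy.ps1 result=16384'
)

Find-AmsiBlock -Lines $sampleLog | Format-Table -AutoSize
```

Run against the constructed lines, Find-AmsiBlock reports the 32768 and 32770 lines only; a text search for "32768" would have found just the first of those, and the 16384 line is correctly left out because an admin block is policy, not a detection. Replace the regex with whatever field name your ENS log version actually uses.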
Antimalware Scan Interface (AMSI) events are not written to the standard event logs, so visibility into what was scanned and with what result is limited.
The following steps capture AMSI events with an ETW trace:
- Open an administrator (elevated) command prompt; logman -ets requires it.
- Start logging AMSI events to c:\temp\ (create the folder first if it does not exist):
Run: logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o c:\temp\amsi.etl -ets
- Reproduce the activity you want to see (for example, the Defender test string or the WScript test below).
- To stop logging AMSI events:
Run: logman stop AMSITrace -ets
- To read the .etl, run (the -Oldest switch is required for .etl files):
powershell "Get-WinEvent -Path c:\temp\amsi.etl -Oldest | Format-List *"
- Alternatively, you can do the following:
- Open Windows Event viewer (eventvwr.msc).
- Right-click Event Viewer (local).
- Open the saved log: Browse to c:\temp\ and select the etl file previously generated.
- Agree to the conversion to .evtx, click the Details tab, and view the XML after it's loaded.
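The script below is an added example and is not part of this KB. It wraps the logman procedure above into one run: start the trace, trigger a single detection with the Microsoft AMSI test string from a child PowerShell, stop the trace, and dump every captured event. It assumes an elevated session and the c:\temp\ path used above; because this page does not document the event's field layout, the event properties are printed by index rather than by guessed names.

```powershell
# Added example, not from the KB: the logman procedure above as one script.
# Run from an elevated session; logman -ets needs administrator rights.
# Assumption: the field layout of the captured events is not documented on this
# page, so each event's properties are printed by index instead of by name.

$traceName = 'AMSITrace'
$etlPath   = 'C:\temp\amsi.etl'
New-Item -ItemType Directory -Path (Split-Path -Parent $etlPath) -Force | Out-Null
if (Test-Path $etlPath) { Remove-Item -Path $etlPath -Force }

logman start $traceName -p Microsoft-Antimalware-Scan-Interface Event1 -o $etlPath -ets | Out-Null
if ($LASTEXITCODE -ne 0) { throw "logman start failed (exit $LASTEXITCODE); is this session elevated?" }

try {
    # The test string is assembled at run time on purpose: if it appeared verbatim
    # in this script, AMSI would scan this script and Defender would block it before
    # it ever reached logman.
    $sample = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-' + '8740-0ac1484c1386'

    # PowerShell submits the child's command line to AMSI; Defender detects the test
    # string and blocks the child, which is exactly the event we want in the trace.
    Start-Process -FilePath powershell.exe -Wait -WindowStyle Hidden `
        -ArgumentList "-NoProfile -Command `"Write-Host '$sample'`""
}
finally {
    logman stop $traceName -ets | Out-Null
}

# .etl files must be read with -Oldest.
$events = @(Get-WinEvent -Path $etlPath -Oldest)
"{0} AMSI event(s) captured in {1}" -f $events.Count, $etlPath
foreach ($e in $events) {
    "--- {0}  EventId={1}  Provider={2}" -f $e.TimeCreated, $e.Id, $e.ProviderName
    for ($i = 0; $i -lt $e.Properties.Count; $i++) {
        "  [{0}] {1}" -f $i, $e.Properties[$i].Value
    }
}
```

Expect more than one event: the elevated parent session and the hidden child both generate scans, and only the child's carries the blocked test string. Properties that hold raw scanned bytes print as System.Byte[]; pipe the event to Format-List * or open the .etl in Event Viewer, as described above, to see them decoded.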
Registered AMSI provider CLSIDs are found under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\Providers\
Each CLSID resolves to its COM registration (name and DLL path) under:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
Microsoft Windows Defender = {2781761E-28E0-4109-99FE-B9D127C57AFE}
McAfee ENS = {436D0575-3FCC-49C2-9E9C-5772A341E1D5}
Carbon Black = {009DDD00-35E7-4664-AFB3-732D5C459754}
Microsoft-Antimalware-Scan-Interface = {2a576b87-09a7-520e-c21a-4942f0271d67} (this is the GUID of the ETW trace provider used by the logman command above, not an AMSI provider CLSID)
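The following PowerShell is an added example and is not part of this KB. It enumerates the providers registered under HKLM\SOFTWARE\Microsoft\AMSI\Providers, resolves each CLSID through HKLM\SOFTWARE\Classes\CLSID to its display name and DLL, checks the DLL's Authenticode signature, and flags any CLSID that is not one of the three listed above. Anything registered there receives every script before it runs, so an unrecognised or unsigned entry is worth investigating.

```powershell
# Added example, not from the KB: list registered AMSI providers and resolve them.

# Known CLSIDs from this KB (hashtable keys compare case-insensitively).
$knownProviders = @{
    '{2781761E-28E0-4109-99FE-B9D127C57AFE}' = 'Microsoft Windows Defender'
    '{436D0575-3FCC-49C2-9E9C-5772A341E1D5}' = 'McAfee ENS'
    '{009DDD00-35E7-4664-AFB3-732D5C459754}' = 'Carbon Black'
}

function Get-AmsiProvider {
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    foreach ($key in (Get-ChildItem -Path $root -ErrorAction Stop)) {
        $clsid  = $key.PSChildName          # e.g. {2781761E-28E0-4109-99FE-B9D127C57AFE}
        $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name = $null; $dll = $null; $signer = $null

        if (Test-Path -Path $clsKey) {
            $name = (Get-ItemProperty -Path $clsKey).'(default)'
            $raw  = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($raw) {
                # InprocServer32 values are often quoted and use %ProgramFiles%-style variables.
                $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
        if ($dll -and (Test-Path -Path $dll)) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $signer = '{0}; {1}' -f $sig.Status, $sig.SignerCertificate.Subject
        }

        $known = if ($knownProviders.ContainsKey($clsid)) { $knownProviders[$clsid] }
                 else { 'UNKNOWN - investigate' }

        [pscustomobject]@{
            CLSID  = $clsid
            Known  = $known
            Name   = $name
            Dll    = $dll
            Signer = $signer
        }
    }
}

Get-AmsiProvider | Format-List
```

A provider with Known = UNKNOWN, a DLL outside Program Files or System32, or a Signer status other than Valid is the pattern to look for; a CLSID under Providers with no matching CLSID registration means the provider is registered but cannot load, which explains "no AMSI events" for that product.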
Script to test
AMSI scanning of WScript content:
- Open Notepad.
- Paste the following text into Notepad:
i = 10
If i = 10 Then
MsgBox "TEST, Click OK to close"
Else
MsgBox "Hello world"
End If
- Save it as c:\temp\test.vbs.
- Open a command-line session, type wscript c:\temp\test.vbs and press Enter.
The script is harmless; its purpose is to generate a WScript AMSI scan that you can then look for in the provider logs or in the ETW trace described above.