How to confirm that ENS AMSI (Antimalware Scan Interface) is injected into a process
Last Modified: 2023-07-06 12:44:22 Etc/GMT
Technical Articles ID:
KB94627
Environment
Endpoint Protection Platform
Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.x
ENS Threat Prevention 10.x
Microsoft Windows 11, 10
Microsoft Windows Server 2022, 2019, 2016
Summary
To confirm that Antimalware Scan Interface (AMSI) exclusions work as expected, do the following:
Check whether AMSI is loaded in the process:
To confirm whether a process that was already running before Process Monitor was started has been injected:
Related Information
For detailed instructions on AMSI block testing, see KB59742 - How to use the EICAR test file with our products. To perform an AMSI block test in Windows Defender, do the following:
Antimalware providers can return a result between 1 and 32767, which is an estimated risk level: the larger the result, the riskier the scanned content is considered. These values are provider-specific and can indicate a malware family or ID. Any result equal to or greater than 32768 is treated as malware, and the content is blocked. Applications should use:
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
AMSI_RESULT_DETECTED = 32768
Therefore, search the ENS logs for the string 32768 to highlight possible AMSI blocks. Visibility of the events generated by the Antimalware Scan Interface (AMSI) can be limited. The following steps provide an AMSI logging mechanism:
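The result ranges above can be applied programmatically rather than with a bare text search. The following script is an added example, not code from the KB article or from Trellix: it classifies raw AMSI result values using the documented enumeration values and then scans a few constructed log lines (the line format is invented for illustration; real ENS log lines differ) for results that indicate a block. AMSI_RESULT_CLEAN = 0 comes from the AMSI header and is not listed in the article. It also shows two limits of searching for the string 32768: a blocked-by-admin result (16384 to 20479) contains no such substring, and another numeric field such as a PID can contain 32768 without the scan having blocked anything.

```python
import re
from typing import Dict, List

# Values from the AMSI_RESULT enumeration. AMSI_RESULT_CLEAN is taken from the
# AMSI header and is not quoted in the article; the other four are the ones it lists.
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
AMSI_RESULT_DETECTED = 32768


def classify_amsi_result(result: int) -> str:
    """Map a raw AMSI result value to a category using the documented ranges."""
    if result == AMSI_RESULT_CLEAN:
        return "clean"
    if result == AMSI_RESULT_NOT_DETECTED:
        return "not_detected"
    if AMSI_RESULT_BLOCKED_BY_ADMIN_START <= result <= AMSI_RESULT_BLOCKED_BY_ADMIN_END:
        return "blocked_by_admin"
    if result >= AMSI_RESULT_DETECTED:
        # Same test as the AmsiResultIsMalware macro: anything >= 32768 is malware.
        return "detected"
    # 2..32767 outside the admin range: provider-specific estimated risk level.
    return "risk_level"


def is_blocking_result(result: int) -> bool:
    """True when the provider result means the content was (or should be) blocked."""
    return classify_amsi_result(result) in ("detected", "blocked_by_admin")


# Constructed sample log lines (hypothetical format; real ENS log lines differ).
# Line 5 deliberately carries 32768 in the pid field with a clean result.
SAMPLE_LOG = """\
2023-07-06 12:00:01 AMSI scan app=powershell.exe pid=4120 result=1
2023-07-06 12:00:02 AMSI scan app=powershell.exe pid=4120 result=32768
2023-07-06 12:00:03 AMSI scan app=wscript.exe pid=5588 result=16400
2023-07-06 12:00:04 AMSI scan app=mshta.exe pid=6012 result=0
2023-07-06 12:00:05 AMSI scan app=cscript.exe pid=32768 result=1
"""

# Field layout of the constructed format above.
LINE_RE = re.compile(r"app=(?P<app>\S+)\s+pid=(?P<pid>\d+)\s+result=(?P<result>\d+)")


def find_amsi_blocks(log_text: str) -> List[Dict[str, object]]:
    """Return the log lines whose parsed result value indicates a block."""
    hits: List[Dict[str, object]] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = LINE_RE.search(line)
        if not match:
            continue
        result = int(match.group("result"))
        if is_blocking_result(result):
            hits.append({
                "line": line_no,
                "app": match.group("app"),
                "result": result,
                "category": classify_amsi_result(result),
            })
    return hits


def naive_grep_count(log_text: str) -> int:
    """Count lines containing the substring '32768', as a plain text search would."""
    return sum(1 for line in log_text.splitlines() if "32768" in line)


if __name__ == "__main__":
    for hit in find_amsi_blocks(SAMPLE_LOG):
        print(hit)
    print("lines matching substring 32768:", naive_grep_count(SAMPLE_LOG))
```

On the sample above, parsing the result field reports lines 2 (detected) and 3 (blocked by admin), while the substring search matches lines 2 and 5 and misses line 3. Adapting LINE_RE to the real log format on the endpoint is the only change needed to run this over ENS output.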
For testing
Disclaimer
The content of this article originated in English. If there are differences between the English content and its translation, the English content is always the most accurate. Some of this content has been provided using Machine Translation translated by Microsoft.