AMSI exclusions for PowerShell scripts by name aren't honored
Last Modified: 2022-03-29 04:08:52 Etc/GMT
Technical Articles ID: KB95419

Environment
Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.x
ENS Threat Prevention 10.x

Summary
The Windows Antimalware Scan Interface (AMSI) is an API that Microsoft developed. AMSI is supported on Windows 10 (and later) and Windows Server 2016/2019 (and later) systems. AMSI allows applications and services to integrate with ENS Threat Prevention, providing better protection against malware. AMSI is integrated into the following components:
Owing to the limitations of buffer enumeration performed by AMSI, excluding a PowerShell script by name doesn't work.

Problem
When executing a PowerShell script that you exclude by name, the script still gets scanned and a detection event might still occur.
Cause
For a given buffer, AMSI might provide a corresponding backing file name. ENS can use the file name to decide whether a given file or script should be excluded from scanning. The buffer attributes provided by AMSI are heavily application-specific. For example, JavaScript and VBScript engines tend to consistently provide a file name, and as a result, ENS can often honor exclusions. But the AMSI attributes provided for a PowerShell buffer aren't consistent in the same way. Sometimes, a file name is returned as an

When the buffer comes for scanning, PowerShell doesn't track the original source of all script blocks that run. For example, a script file that contains text scripts submits those text script blocks to AMSI, but PowerShell doesn't include the file name of the script file where the text script blocks are defined. This behavior is expected according to Microsoft's design of AMSI. As a result, ENS exclusions can't reliably correlate the buffer with a file name.

Workaround
There are a couple of possible workarounds:
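To make the cause described above concrete, here is an added example (not ENS or Microsoft code, and not a workaround) that models a provider-side, by-name exclusion check over the attributes a scan request carries; the attribute names are real AMSI_ATTRIBUTE members, while the application names, paths and buffers are constructed.

```python
"""Model of a by-name AMSI exclusion check (illustrative; not ENS code).
Attribute names follow AMSI_ATTRIBUTE in amsi.h; all values are constructed."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass
class AmsiRequest:
    app_name: str                       # AMSI_ATTRIBUTE_APP_NAME
    content: bytes                      # scanned buffer (CONTENT_ADDRESS / CONTENT_SIZE)
    content_name: Optional[str] = None  # AMSI_ATTRIBUTE_CONTENT_NAME; may be missing


def _norm(path: str) -> str:
    # Windows paths compare case-insensitively; normalise separators as well.
    return str(PureWindowsPath(path)).lower()


def decide_exclusion(req: AmsiRequest, excluded_paths: set) -> tuple:
    """Return (skip_scan, reason). A by-name exclusion can only match when the
    buffer carries a backing file name; any other buffer is scanned."""
    if not req.content_name:
        return False, f"{req.app_name}: no CONTENT_NAME for buffer, scanned"
    if not PureWindowsPath(req.content_name).is_absolute():
        return False, f"{req.app_name}: CONTENT_NAME {req.content_name!r} is not a file path, scanned"
    if _norm(req.content_name) in {_norm(p) for p in excluded_paths}:
        return True, f"{req.app_name}: {req.content_name} matches exclusion, skipped"
    return False, f"{req.app_name}: {req.content_name} not excluded, scanned"


# Constructed exclusion list and requests (app names are placeholders).
EXCLUSIONS = {r"C:\Scripts\Maintenance.ps1", r"C:\Scripts\inventory.js"}
REQUESTS = [
    AmsiRequest("JScript", b"WScript.Echo('hi');", r"C:\Scripts\inventory.js"),
    AmsiRequest("PowerShell", b"Get-Date", r"C:\Scripts\Maintenance.ps1"),
    # Script block defined inside Maintenance.ps1: PowerShell submits the text
    # without the file it came from, so the exclusion cannot be correlated.
    AmsiRequest("PowerShell", b"{ Get-Date }", None),
]

if __name__ == "__main__":
    for req in REQUESTS:
        skipped, reason = decide_exclusion(req, EXCLUSIONS)
        print("SKIP" if skipped else "SCAN", reason)
```

Running it shows the same exclusion list skipping the JScript file and the file-backed PowerShell buffer, while the script block from the same file is still scanned because no name arrives with it.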
Related Information
Microsoft article on AMSI_ATTRIBUTE enumeration
"Excluding items from AMSI scanning" section of the Endpoint Security 10.7 Product Guide