
Communications of the ACM

ACM News

This Is How Attackers Bypass Microsoft's AMSI Anti-Malware Scanning Protection


Using security measures to try to protect one's computer.

Cybercriminals and security researchers usually rely on one of four commonly used methods when seeking to bypass Microsoft's Antimalware Scan Interface (AMSI), according to an analysis by cybersecurity analysts at Sophos.

Credit: Kingston

Researchers have outlined the most popular tools and techniques used by threat actors to try to bypass Microsoft's Antimalware Scan Interface (AMSI).

Making its debut in 2015, AMSI is a vendor-agnostic interface designed to integrate anti-malware products on a Windows machine and better protect end users, supporting features including scan request correlation and content source URL/IP reputation checks.

AMSI's integration with Office 365 was recently upgraded to include Excel 4.0 (XLM) macro scanning, to try to combat the rise of malicious macros as an infection vector.

Microsoft's security solution is a barrier that today's Windows malware developers often try to circumvent -- either through methods such as obfuscation or steganography, or by preventing a file from being scanned and detected as malicious in the initial stages of an attack.
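As an added illustration that is not part of the ZDNet or CACM text: the PowerShell script below shows the application side of the interface described above, namely calling the documented amsi.dll functions through P/Invoke so that whatever anti-malware provider is registered on the host scans a piece of in-memory content before the application decides to run it. The class name AmsiNative, the function Invoke-AmsiScan, the sample strings and the file path are my own choices; only the exported amsi.dll functions and the AMSI_RESULT_DETECTED value come from Microsoft's AMSI headers.

```powershell
# Added example (not from the article): an application submitting in-memory
# content to AMSI, plus a defender's check that the registered provider responds.
$amsiDefinition = @'
using System;
using System.Runtime.InteropServices;

public static class AmsiNative
{
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("amsi.dll")]
    public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);

    [DllImport("amsi.dll")]
    public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);

    // Scans a Unicode string; the out parameter receives an AMSI_RESULT value.
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanString(IntPtr amsiContext, string content,
        string contentName, IntPtr amsiSession, out int result);
}
'@
Add-Type -TypeDefinition $amsiDefinition

# AMSI_RESULT_DETECTED from amsi.h; AmsiResultIsMalware() is simply result >= this value.
$AMSI_RESULT_DETECTED = 32768

function Invoke-AmsiScan {
    param(
        [Parameter(Mandatory)] [string] $Content,
        [string] $ContentName = 'in-memory-content'
    )
    $ctx = [IntPtr]::Zero
    $session = [IntPtr]::Zero
    $hr = [AmsiNative]::AmsiInitialize('AmsiScanExample', [ref]$ctx)
    if ($hr -ne 0) { throw ('AmsiInitialize failed: HRESULT 0x{0:X8}' -f $hr) }
    try {
        # A session lets the provider correlate several scans of related content
        # (the "scan request correlation" feature mentioned in the article).
        $hr = [AmsiNative]::AmsiOpenSession($ctx, [ref]$session)
        if ($hr -ne 0) { throw ('AmsiOpenSession failed: HRESULT 0x{0:X8}' -f $hr) }
        $result = 0
        $hr = [AmsiNative]::AmsiScanString($ctx, $Content, $ContentName, $session, [ref]$result)
        if ($hr -ne 0) { throw ('AmsiScanString failed: HRESULT 0x{0:X8}' -f $hr) }
        [pscustomobject]@{
            ContentName = $ContentName
            Result      = $result
            IsMalware   = ($result -ge $AMSI_RESULT_DETECTED)
        }
    }
    finally {
        if ($session -ne [IntPtr]::Zero) { [AmsiNative]::AmsiCloseSession($ctx, $session) }
        if ($ctx -ne [IntPtr]::Zero) { [AmsiNative]::AmsiUninitialize($ctx) }
    }
}

# Usage 1: benign, constructed content is expected to come back below AMSI_RESULT_DETECTED.
Invoke-AmsiScan -Content 'Write-Output "hello from a harmless script"' -ContentName 'benign.ps1'

# Usage 2: defender health check. Keep Microsoft's documented AMSI test sample string
# in a separate text file rather than in this script: PowerShell itself submits each
# script block to AMSI, so a script that embeds the sample is flagged before it runs.
# If scanning that file does not report IsMalware = True, the provider is absent,
# disabled, or being tampered with on this host.
$samplePath = Join-Path $env:TEMP 'amsi-test-sample.txt'   # path is an assumption
if (Test-Path $samplePath) {
    $check = Invoke-AmsiScan -Content (Get-Content -Raw $samplePath) -ContentName 'amsi-self-test'
    if (-not $check.IsMalware) {
        Write-Warning 'AMSI test sample was not detected; investigate AMSI and AV provider health.'
    }
    $check
}
```

Run it in an elevated or normal PowerShell session on a Windows host with a registered AMSI provider (Microsoft Defender is one). The test sample string is the one Microsoft documents for exactly this purpose, `AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386` (verify it against the current Microsoft AMSI documentation before relying on it); it plays the same role as the EICAR file and contains no malicious content. A scan that returns an HRESULT error, or a sample that is not reported as detected, is worth an alert on its own, since the bypasses the article refers to work precisely by making these calls fail, return clean, or never happen.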

From ZDNet