Giter Site home page Giter Site logo

whoamsi's Introduction

The purpose of this page is to be a repository of endpoint protection (AV, EDR, etc) that uses Microsoft's Antimalware Scan Interface (AMSI). This will provide some context around endpoint protection and possible attack vectors. Products with information missing have not been verified yet. This project expands on the work done by @Lee_Holmes and @PyroTek3 by keeping a publicly available list up-to-date.

Vendor/Product AMSI Date Reference
Avast Y 03/20/2016 https://forum.avast.com/index.php?topic=184491.msg1300884#msg1300884
AVG Y 03/08/2016 https://support.avg.com/answers?id=906b00000008oUTAAY
BitDefender Consumer Y 09/20/2016 https://forum.bitdefender.com/index.php?/topic/72455-antimalware-scan-service/
BitDefender Enterprise Y 05/25/2021 https://twitter.com/Bitdefender_Ent/status/1397187195669295111?s=20
Blackberry Optics (Cylance) Y https://docs.blackberry.com/content/dam/docs-blackberry-com/release-pdfs/en/blackberry-optics/2-5/CylanceOPTICS-Admin-Guide.pdf
Carbon Black Y 03/18/2020 https://www.carbonblack.com/2020/03/18/detecting-fileless-attacks-with-enterprise-edrs-amsi-visibility/
Check Point Harmony Endpoint Y 01/03/2019 https://community.checkpoint.com/t5/Endpoint/Endpoint-Security-E80-90-Client-released/m-p/20613#M460
Cisco Secure Endpoint
Comodo Y https://help.comodo.com/uploads/helpers/Comodo_Client_Security_11.3_User_Guide.pdf
CrowdStrike Falcon Y 12/18/2018 https://www.freepatentsonline.com/y2019/0188384.html
Cybereason Y 11/30/2021 https://www.cybereason.com/blog/cybereason-v21.1-lts-advancing-prevention-detection-and-response
Cynet 360 Autonomous Breach Protection Platform
Elastic
ESET Enterprise Inspector Y 04/12/2017 https://forum.eset.com/topic/11645-beta-eset-endpoint-security-66-is-available-for-evaluation
F-Secure Elements Y https://help.f-secure.com/product.html?business/computer-protection-windows/latest/en/task_ED11EEBB08DD4583AFA13EA59D3FC768-latest-en
FireEye HX Y 04/26/2021 https://www.fireeye.com/blog/products-and-services/2021/04/everybody-wins-in-mitre-attack-evaluations.html
Fortinet Y https://docs.fortinet.com/document/forticlient/6.4.3/ems-administration-guide/447132/malware-protection
Kaspersky Anti Targeted Attack Platform Y 10/10/2018 https://help.kaspersky.com/KIS/2019/en-US/119653.htm
MalwareBytes
McAfee Y 06/25/2018 https://kc.mcafee.com/corporate/index?page=content&id=PD27443
Palo Alto Networks Cortex Y 2/9/2021 https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/#:~:text=In%20addition%2C%20the%20Cortex%20XDR%20Agent%20features%20Behavioral%20Threat%20Protection%20modules%20leveraging%20the%20Anti%2DMalware%20Scan%20Interface%20(AMSI)%20to%20block%20PowerShell%20scripts.
Panda Adaptive Defense 360
SentinelOne Singularity Y 10/14/2020 https://support.sentinelone.com/hc/en-us/articles/1500005256241-How-the-SentinelOne-Agent-uses-Microsoft-AMSI-for-Detection
Sophos Intercept X Advanced Y 08/25/20 https://support.sophos.com/support/s/article/KB-000039096?language=en_US Thanks, @kmkz!
Symantec Advanced Threat Protection Y 07/15/2020 https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/release-notes/Whats-new-for-Symantec-Endpoint-Protection-14_3-.html Thanks, Jeff McJunkin!
Trend Micro Y https://cloudone.trendmicro.com/docs/workload-security/anti-malware-scan-configure/
Microsoft Defender for Endpoint Y 06/09/2015 https://www.microsoft.com/security/blog/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/

whoamsi's People

Contributors

subat0mik avatar

Stargazers

avatar avatar Carlos Garrido avatar avatar Michael Moran avatar avatar x86fatah avatar Rafael Pimentel avatar Benjamin-Yves Trapp avatar Lei Huang avatar avatar JB avatar avatar DummyKitty avatar d4skor avatar Ahsan Ali Khan avatar DAssemblerxXBin3ryNinj! avatar AVA avatar avatar a3uRa avatar avatar avatar avatar avatar Chocolate avatar avatar Bryan Hoffower avatar Borja Merino avatar avatar Soumyani1 avatar avatar Oussmak avatar Reclu3e avatar avatar Javier avatar yEss5Lq avatar B1ue avatar 突突兔 avatar xuanluansec avatar blv.pro avatar Ronan Kervella avatar isihussain avatar fka dibs avatar Nicolas Vincent avatar Jax avatar avatar Marcello avatar mert çobanoğlu avatar avatar EvilCoder avatar cc Allen avatar UIWP0 avatar LSA avatar ថಘઅഞפּ ṛཥચ avatar avatar Heroman Zhang avatar bopin avatar avatar H4de5 avatar NoGreen avatar ⠀ avatar 盧露 avatar lapinou avatar NULL avatar avatar avatar ddnomad avatar Michael Cade avatar Alex P avatar avatar AbdelMoumene-Hadfi avatar GP avatar avatar Presian Yankulov avatar Zaban avatar Jojo avatar scr1pt avatar Suri avatar I0veD avatar avatar avatar avatar Cond0r avatar Ryan Emmons avatar Steven avatar avatar avatar zhuyi avatar WtZ avatar avatar asdasd avatar winterknife avatar Solomon Sklash avatar Francesco Faenzi avatar avatar 油鹿 avatar 祀画 avatar snovvcrash avatar avatar Arnaud Landry avatar

Watchers

Aung Khant avatar Jeff McJunkin avatar Robert avatar avatar Bourbon Jean-Marie avatar Philippe Lagadec avatar hidd3ncod3s avatar rootkit avatar SuperN0va avatar avatar avatar avatar avatar ryn0f1sh avatar avatar avatar

Forkers

plaintextcity derekt2 lightoyou yanshu911 idkwim fengjixuchui raitomx tzf-omkey goowen aviadh88 gl4ssesbo1 kaka77 fuzzyun1c0rn 1f3lse gmh5225 hzmslx billwu97

whoamsi's Issues

SentinelOne AMSI

SentinelOne supports AMSI but their docs are not publicly accessible.
https://support.sentinelone.com/hc/en-us/articles/1500005256241-How-the-SentinelOne-Agent-uses-Microsoft-AMSI-for-Detection

Support was added in the 4.4 Windows Agent, which had a general availability build 4.4 GA (4.4.3.149) - 14 October, 2020

Quotes from Docs:
Microsoft’s Antimalware Scan Interface is an API that applications and services use to send script content found in memory to registered AMSI handlers, like SentinelOne. The SentinelOne Agent gets the script content and provides users visibility on the content of scripts found on their endpoints. SentinelOne also uses AMSI for detection purposes.

On Windows 10 RS3+ endpoints, any process that calls the AMSI API to scan its content for malicious scripts loads and invokes the SentinelOne AMSI DLL file (SentinelAmsi64.dll or SentinelAmsi32.dll, depending on the process bit-architecture).

If the process is PowerShell, the Agent looks at the script to see if it is obfuscated, and sends the results to Deep Visibility.

Excluding a process does not stop the Agent from loading the SentinelOne AMSI DLL file, but it will stop the Agent from sending the script data to Deep Visibility.

Due to Microsoft API implementation, loading of SentinelOne AMSI DLL can either be enabled to all processes or fully disabled.

To disable the load of the SentinelOne AMSI DLL, add this Policy Override:

{
  "amsiConfig": {
    "registerAsAmsiProvider": false,
    "registerAsIoavProvider": false
  }
}

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.