subat0mik / whoamsi Goto Github PK
View Code? Open in Web Editor NEWAn effort to track security vendors' use of Microsoft's Antimalware Scan Interface
License: GNU General Public License v3.0
whoamsi's People
Contributors
Stargazers
Watchers
Forkers
plaintextcity derekt2 lightoyou yanshu911 idkwim fengjixuchui raitomx tzf-omkey goowen aviadh88 gl4ssesbo1 kaka77 fuzzyun1c0rn 1f3lse gmh5225 hzmslx billwu97whoamsi's Issues
SentinelOne AMSI
SentinelOne supports AMSI but their docs are not publicly accessible.
https://support.sentinelone.com/hc/en-us/articles/1500005256241-How-the-SentinelOne-Agent-uses-Microsoft-AMSI-for-Detection
Support was added in the 4.4 Windows Agent, which had a general availability build 4.4 GA (4.4.3.149) - 14 October, 2020
Quotes from Docs:
Microsoft’s Antimalware Scan Interface is an API that applications and services use to send script content found in memory to registered AMSI handlers, like SentinelOne. The SentinelOne Agent gets the script content and provides users visibility on the content of scripts found on their endpoints. SentinelOne also uses AMSI for detection purposes.
On Windows 10 RS3+ endpoints, any process that calls the AMSI API to scan its content for malicious scripts loads and invokes the SentinelOne AMSI DLL file (SentinelAmsi64.dll or SentinelAmsi32.dll, depending on the process bit-architecture).
If the process is PowerShell, the Agent looks at the script to see if it is obfuscated, and sends the results to Deep Visibility.
Excluding a process does not stop the Agent from loading the SentinelOne AMSI DLL file, but it will stop the Agent from sending the script data to Deep Visibility.
Due to Microsoft API implementation, loading of SentinelOne AMSI DLL can either be enabled to all processes or fully disabled.
To disable the load of the SentinelOne AMSI DLL, add this Policy Override:
{
"amsiConfig": {
"registerAsAmsiProvider": false,
"registerAsIoavProvider": false
}
}
Sophos AMSI support
Hi,
Just a small issue for an update because of the récent Sophos implementation of AMSI since august 2020 for versions/products:
Central Server Core Agent 2.6.0,
Central Windows Core Agent 2.6.0
Infos:
https://support.sophos.com/support/s/article/KB-000039096?language=en_US
Thanks for maintaining this awesome resource!
kmkz
CrowdStrike Falcon supports AMSI
Symantec AMSI evidence page is 404'd, new one is from Broadcom
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.