The whoamsi from subat0mik

The purpose of this page is to be a repository of endpoint protection (AV, EDR, etc) that uses Microsoft's Antimalware Scan Interface (AMSI). This will provide some context around endpoint protection and possible attack vectors. Products with information missing have not been verified yet. This project expands on the work done by @Lee_Holmes and @PyroTek3 by keeping a publicly available list up-to-date.

Vendor/Product	AMSI	Date	Reference
Avast	Y	03/20/2016	https://forum.avast.com/index.php?topic=184491.msg1300884#msg1300884
AVG	Y	03/08/2016	https://support.avg.com/answers?id=906b00000008oUTAAY
BitDefender Consumer	Y	09/20/2016	https://forum.bitdefender.com/index.php?/topic/72455-antimalware-scan-service/
BitDefender Enterprise	Y	05/25/2021	https://twitter.com/Bitdefender_Ent/status/1397187195669295111?s=20
Blackberry Optics (Cylance)	Y		https://docs.blackberry.com/content/dam/docs-blackberry-com/release-pdfs/en/blackberry-optics/2-5/CylanceOPTICS-Admin-Guide.pdf
Carbon Black	Y	03/18/2020	https://www.carbonblack.com/2020/03/18/detecting-fileless-attacks-with-enterprise-edrs-amsi-visibility/
Check Point Harmony Endpoint	Y	01/03/2019	https://community.checkpoint.com/t5/Endpoint/Endpoint-Security-E80-90-Client-released/m-p/20613#M460
Cisco Secure Endpoint
Comodo	Y		https://help.comodo.com/uploads/helpers/Comodo_Client_Security_11.3_User_Guide.pdf
CrowdStrike Falcon	Y	12/18/2018	https://www.freepatentsonline.com/y2019/0188384.html
Cybereason	Y	11/30/2021	https://www.cybereason.com/blog/cybereason-v21.1-lts-advancing-prevention-detection-and-response
Cynet 360 Autonomous Breach Protection Platform
Elastic
ESET Enterprise Inspector	Y	04/12/2017	https://forum.eset.com/topic/11645-beta-eset-endpoint-security-66-is-available-for-evaluation
F-Secure Elements	Y		https://help.f-secure.com/product.html?business/computer-protection-windows/latest/en/task_ED11EEBB08DD4583AFA13EA59D3FC768-latest-en
FireEye HX	Y	04/26/2021	https://www.fireeye.com/blog/products-and-services/2021/04/everybody-wins-in-mitre-attack-evaluations.html
Fortinet	Y		https://docs.fortinet.com/document/forticlient/6.4.3/ems-administration-guide/447132/malware-protection
Kaspersky Anti Targeted Attack Platform	Y	10/10/2018	https://help.kaspersky.com/KIS/2019/en-US/119653.htm
MalwareBytes
McAfee	Y	06/25/2018	https://kc.mcafee.com/corporate/index?page=content&id=PD27443
Palo Alto Networks Cortex	Y	2/9/2021	https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/#:~:text=In%20addition%2C%20the%20Cortex%20XDR%20Agent%20features%20Behavioral%20Threat%20Protection%20modules%20leveraging%20the%20Anti%2DMalware%20Scan%20Interface%20(AMSI)%20to%20block%20PowerShell%20scripts.
Panda Adaptive Defense 360
SentinelOne Singularity	Y	10/14/2020	https://support.sentinelone.com/hc/en-us/articles/1500005256241-How-the-SentinelOne-Agent-uses-Microsoft-AMSI-for-Detection
Sophos Intercept X Advanced	Y	08/25/20	https://support.sophos.com/support/s/article/KB-000039096?language=en_US Thanks, @kmkz!
Symantec Advanced Threat Protection	Y	07/15/2020	https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/release-notes/Whats-new-for-Symantec-Endpoint-Protection-14_3-.html Thanks, Jeff McJunkin!
Trend Micro	Y		https://cloudone.trendmicro.com/docs/workload-security/anti-malware-scan-configure/
Microsoft Defender for Endpoint	Y	06/09/2015	https://www.microsoft.com/security/blog/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/

whoamsi's People

Contributors

Stargazers

Watchers

whoamsi's Issues

Sophos AMSI support

Hi,
Just a small issue for an update because of the récent Sophos implementation of AMSI since august 2020 for versions/products:
Central Server Core Agent 2.6.0,
Central Windows Core Agent 2.6.0

Infos:
https://support.sophos.com/support/s/article/KB-000039096?language=en_US

Thanks for maintaining this awesome resource!
kmkz

SentinelOne AMSI

SentinelOne supports AMSI but their docs are not publicly accessible.
https://support.sentinelone.com/hc/en-us/articles/1500005256241-How-the-SentinelOne-Agent-uses-Microsoft-AMSI-for-Detection

Support was added in the 4.4 Windows Agent, which had a general availability build 4.4 GA (4.4.3.149) - 14 October, 2020

Quotes from Docs:
Microsoft’s Antimalware Scan Interface is an API that applications and services use to send script content found in memory to registered AMSI handlers, like SentinelOne. The SentinelOne Agent gets the script content and provides users visibility on the content of scripts found on their endpoints. SentinelOne also uses AMSI for detection purposes.

On Windows 10 RS3+ endpoints, any process that calls the AMSI API to scan its content for malicious scripts loads and invokes the SentinelOne AMSI DLL file (SentinelAmsi64.dll or SentinelAmsi32.dll, depending on the process bit-architecture).

If the process is PowerShell, the Agent looks at the script to see if it is obfuscated, and sends the results to Deep Visibility.

Excluding a process does not stop the Agent from loading the SentinelOne AMSI DLL file, but it will stop the Agent from sending the script data to Deep Visibility.

Due to Microsoft API implementation, loading of SentinelOne AMSI DLL can either be enabled to all processes or fully disabled.

To disable the load of the SentinelOne AMSI DLL, add this Policy Override:

{
  "amsiConfig": {
    "registerAsAmsiProvider": false,
    "registerAsIoavProvider": false
  }
}

subat0mik / whoamsi Goto Github PK

whoamsi's Introduction

whoamsi's People

Contributors

Stargazers

Watchers

Forkers

whoamsi's Issues

Sophos AMSI support

SentinelOne AMSI

Symantec AMSI evidence page is 404'd, new one is from Broadcom

CrowdStrike Falcon supports AMSI

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent