PowerShell version 5.0 and later includes a low-level programming API designed specifically for anti-malware scanners. The Antimalware Scan Interface (AMSI) allows AMSI-capable scanners to examine PowerShell code at the point it is executed, even when the code is Base64-encoded. AMSI also works with Windows Script Host executables (WSCRIPT) for VBScript and JScript.
From Microsoft:
The Antimalware Scan Interface (AMSI) is a generic interface standard that allows applications and services to integrate with any antimalware product present on a machine. It provides enhanced malware protection for users and their data, applications, and workloads. https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx
I have tested a script on Windows 10 machine with Windows Defender (AMSI capable scanner) enabled and as you can see below, it won’t run:
I have tested the same script on a Windows 10 machine with a non AMSI capable scanner (Windows Defender disabled) and it doesn’t block the “malicious” code:
Note: In order to benefit from an AMSI-capable scanner, you of course need PowerShell version 5.0 or later, which is the default version for Windows 10 and Windows Server 2016. PowerShell versions 5.0 and 5.1 are available for Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, Windows 8.1 and Windows 7 SP1 and should be installed, since they bring security enhancements, JEA (Just Enough Administration) support, new cmdlets, etc. (https://msdn.microsoft.com/en-us/powershell/wmf/5.1/release-notes).
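To check that an AMSI-capable scanner is really inspecting script content on a given host, the following added example (not from the original post) runs Microsoft's documented, harmless AMSI test string through Invoke-Expression, once as plain text and once wrapped in Base64, and reports whether each was blocked. It assumes Windows 10 with Windows Defender and PowerShell 5.0 or later; the function name Test-AmsiBlocks is my own.

```powershell
# Added example: confirm AMSI is active by running the documented AMSI test
# sample, which every AMSI-aware engine is expected to flag. The string is
# assembled from two halves so that this script file itself is not flagged
# when it is loaded from disk.
$amsiTest = 'AMSI Test Sample: 7e72c3ce-861b-4339-' + '8740-0ac1484c1386'

function Test-AmsiBlocks {
    # Returns $true when the scanner refused to run the content, $false when
    # the content executed (no AMSI-capable scanner, or scanning disabled).
    param([Parameter(Mandatory)][string]$ScriptText)
    try {
        # With AMSI active, the engine rejects the script before any statement
        # runs and throws an error mentioning "malicious content".
        Invoke-Expression $ScriptText | Out-Null
        return $false
    }
    catch {
        return ($_.Exception.Message -match 'malicious')
    }
}

# Case 1: the test string appears in clear text.
$plain = "Write-Output '$amsiTest'"

# Case 2: the same command hidden behind a Base64 round trip, as an encoded
# payload would be. AMSI sees the decoded text handed to Invoke-Expression.
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($plain))
$wrapped = "Invoke-Expression ([Text.Encoding]::Unicode.GetString(" +
           "[Convert]::FromBase64String('$b64')))"

$results = [ordered]@{
    'plain text'     = Test-AmsiBlocks -ScriptText $plain
    'base64 wrapped' = Test-AmsiBlocks -ScriptText $wrapped
}
foreach ($name in $results.Keys) {
    $state = if ($results[$name]) { 'BLOCKED - AMSI active' }
             else                 { 'RAN - no AMSI-capable scanner' }
    Write-Host ('{0,-15}: {1}' -f $name, $state)
}

# Defender logs each AMSI detection as Event ID 1116 (malware detected);
# show the most recent ones so the block above can be tied to an alert.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116
} -MaxEvents 2 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

On a host where both cases report BLOCKED, encoding alone does not hide script content from the scanner; a RAN result for either case is the condition to investigate.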