AMSI

The Antimalware Scan Interface (AMSI) was introduced with, and is integrated into, Windows 10. When the default Windows Defender Antivirus (WDAV) is in use, all PowerShell and VBScript scripts are passed through WDAV's detection engine to check whether the script contains malware:

Reference: https://cloudblogs.microsoft.com/microsoftsecure/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/.

This also applies to dynamically executed scripts, as they are sent to AMSI before being executed. This looks as follows:

On top of this functionality, AMSI can also flag whether a script is obfuscated. Windows 10 1709 introduced a security feature called Exploit Guard. One of its mechanisms lets you define policies that block all obfuscated scripts (which, in most cases, makes sense):

Further information on the topic, as well as the Exploit Guard demo tool, can be found at the following link:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction

Combining these two mechanisms, scanning every executed script for malware and blocking obfuscated scripts in which malware could hardly be detected, is a huge improvement over the current situation in Windows 7.
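As an added example (not code from the book), the following PowerShell checks the pieces described above: which AMSI providers are registered, whether the Exploit Guard rule that blocks obfuscated scripts is configured, switches it to audit mode, and reads back the Windows Defender events that record script detections and rule hits. It assumes an elevated session on Windows 10 1709 or later with Windows Defender Antivirus active; the rule GUID and event IDs are Microsoft's published values.

```powershell
# Added example, not from the book. Run in an elevated PowerShell on Windows 10
# 1709+ with Windows Defender Antivirus active (the ASR rule requires Defender).

# Which AMSI providers are registered? Defender registers one; the display name is
# resolved from the COM class registration instead of being hard-coded here.
function Get-AmsiProvider {
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid = $_.PSChildName
            $class = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue
            [pscustomobject]@{ Clsid = $clsid; Provider = $class.'(default)' }
        }
}

# Exploit Guard attack surface reduction rule "Block execution of potentially
# obfuscated scripts" (rule GUID as published by Microsoft).
$ObfuscatedScriptsRule = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
$ActionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-ObfuscatedScriptsRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $ObfuscatedScriptsRule) {
            return $ActionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
    return 'NotConfigured'
}

# Start in AuditMode: rule hits are logged but nothing is blocked, so you can see
# which legitimate scripts the rule would affect before switching to Enabled.
function Set-ObfuscatedScriptsRule {
    param([ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Action = 'AuditMode')
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ObfuscatedScriptsRule -AttackSurfaceReductionRules_Actions $Action
}

# Defender operational log: 1116/1117 = malware detected / action taken (an AMSI hit
# on a script shows up here); 1121 = ASR rule blocked, 1122 = ASR rule audit hit.
function Get-ScriptDefenseEvent {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117, 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-AmsiProvider
"Obfuscated-scripts rule: $(Get-ObfuscatedScriptsRuleState)"
Set-ObfuscatedScriptsRule -Action AuditMode
Get-ScriptDefenseEvent | Format-Table -AutoSize
```

Once audit-mode events show no legitimate scripts being flagged, rerun `Set-ObfuscatedScriptsRule -Action Enabled` to enforce the rule.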
