Managing script false positive detections (antimalware, AMSI, ASR).
Defender can detect/block scripts through several different protection layers, for example:
1. Antimalware (pre-execution) detection.
2. AMSI-paired machine models (pre-execution) detection.
3. AMSI-paired machine models (post-execution) detection.
4. ASR rules.
False detections from points 1, 2, and 3 can each be excluded separately via Security Center (the Windows Security app, from the Protection history entry of the detection). False positive ASR blocks are handled differently: they can be excluded by using PowerShell, GPO, or ConfigureDefender.
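The following PowerShell walk-through is an added example, not part of the original page or of ConfigureDefender. It shows the three steps a practitioner usually takes for an ASR false positive: find the block events in the Defender operational log, add the narrowest possible exclusion (a per-file ASR-only exclusion), and verify the result. The script path is a hypothetical placeholder; run it from an elevated session on a host where Defender is active.

```powershell
# Added example (not part of the original page / ConfigureDefender): triage an ASR
# false positive from the Defender event log, then exclude it with PowerShell.
# Assumption: the script that was blocked lives at $ScriptPath (hypothetical path).
$ScriptPath = 'C:\Scripts\inventory.ps1'

# 1. Find recent ASR events (ID 1121 = rule fired in block mode,
#    1122 = rule fired in audit mode) whose message mentions the script.
$asrEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ScriptPath*" }

foreach ($ev in $asrEvents) {
    # The rule GUID, path and process are in the event's XML EventData; dump every
    # field by name so the rule that fired is visible without guessing field positions.
    $xml = [xml]$ev.ToXml()
    "--- $($ev.TimeCreated) Event $($ev.Id)"
    $xml.Event.EventData.Data | ForEach-Object { "  $($_.Name) = $($_.'#text')" }
}

# 2. Narrowest fix: exclude only this file from ASR rules. This does not touch
#    antimalware/AMSI scanning of the file, which is excluded separately via
#    Windows Security > Protection history.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $ScriptPath

# 3. Broader fix, only if one rule misfires across many scripts: switch that single
#    rule to audit mode instead of disabling it. $RuleId is the GUID shown in the
#    event's "ID" field above (left as a placeholder here).
# $RuleId = '<GUID from the event>'
# Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
#                  -AttackSurfaceReductionRules_Actions AuditMode

# 4. Verify the resulting configuration. Action values: 0 = Disabled, 1 = Block,
#    2 = Audit, 6 = Warn.
$pref = Get-MpPreference
"ASR-only exclusions: $($pref.AttackSurfaceReductionOnlyExclusions -join ', ')"
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    "{0} -> {1}" -f $pref.AttackSurfaceReductionRules_Ids[$i],
                    $pref.AttackSurfaceReductionRules_Actions[$i]
}
```

Prefer step 2 over step 3: an ASR-only exclusion keeps the rule enforced for every other script, whereas audit mode turns the rule off for the whole host and only logs what it would have blocked.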
AMSI-based detections are similar to other behavior-based detections. AMSI is used to supply the machine learning models with the script code in clear text, as the scripting engine sees it at run time, which defeats string obfuscation.
In the pre-execution case, the code is scanned and the script is blocked if recognized as malicious by behavior models.
In the post-execution case, the code execution is monitored and analyzed by dynamic behavior models. The execution is interrupted when the suspicious actions exceed the detection threshold. Although the scripting engine alert can suggest that a particular piece of script code (like "Wshshell.run") is what was blocked, excluding this detection does not mean that the same code (like "Wshshell.run") will be allowed in other scripts: the exclusion applies to the particular script, not to the technique. This is an important feature, because otherwise such exclusions would decrease the protection.
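The short PowerShell snippet below is an added example, not from the original page, illustrating the pre-execution AMSI scan described above: the scanner receives the script content in clear text at invocation time, so splitting a known-bad string across two variables does not hide it. It uses Microsoft's documented AMSI test string, which is harmless and exists only to trigger AMSI providers (the AMSI equivalent of the EICAR file). On a host with Defender real-time protection the Invoke-Expression call is refused and the detection appears in Protection history; nothing on the system is changed.

```powershell
# Added example (not part of the original page): demonstrate that AMSI scans the
# clear-text content the script engine is about to run, so string splitting does
# not evade it. The test string below is Microsoft's documented AMSI test sample.
$first  = 'AMSI Test Sample: 7e72c3ce-861b-'
$second = '4339-8740-0ac1484c1386'

# Holding the halves in separate variables is not enough: by the time IEX is
# invoked the full string exists in memory and is what AMSI submits for scanning.
$payload = "Write-Output '$first$second'"

try {
    Invoke-Expression $payload
    'Not blocked: AMSI provider inactive or real-time protection off?'
} catch {
    # Defender reports this as "This script contains malicious content and has
    # been blocked by your antivirus software."
    "Blocked by AMSI: $($_.Exception.Message)"
}

# Optional check: correlate with the most recent Defender detections.
Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 3 InitialDetectionTime, ProcessName, Resources
```

Allowing this detection from Protection history would exempt only this script; another script that assembles the same string would still be blocked, which is exactly the per-script (not per-technique) scope of exclusions described above.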