93803123 (Level 9)

Does WD include AMSI in the Home and Pro editions of Windows, or is it only on for E3/E5?
AMSI is present in all of the latest versions of Windows 10. But I'm pretty sure that Microsoft keeps playing with it, trying to get it right.

Things like AMSI are a gamble. When confronted with a script-based attack, AMSI might or might not block it. It depends upon how Microsoft made it. And I can tell you that AMSI is like Windows 10. You cannot know what Microsoft is doing because they won't say. And even if you did know, you cannot trust it. The AMSI implementation is quite vague. I don't think that even the Microsoft developers know. Seems to me like they experiment a lot with AMSI.

If you are worried about malicious scripts, then the only proper way to handle them is to block script file types and their underlying interpreter/sponsor processes from launching.
notabot (Level 12) wrote the reply above; in response:

AMSI is an interface, though; in theory a different AV provider who uses the AMSI interface could have good detection rates, though I have not seen any tests specifically for fileless/script attacks, so it's not clear to me if one vendor is better than the others there.
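To see which AV engines are actually registered against the AMSI interface on a given machine, here is an added PowerShell example (not from this thread) that enumerates the AMSI providers from the registry and checks each provider DLL's Authenticode status. It assumes the standard layout under HKLM\SOFTWARE\Microsoft\AMSI\Providers with CLSIDs resolved via HKLM\SOFTWARE\Classes\CLSID; it only shows what is registered, not how well any provider detects.

```powershell
# Added example, not code from the forum thread.
# Lists registered AMSI providers: CLSID, friendly name, backing DLL, signature status.
$providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'

if (-not (Test-Path $providersKey)) {
    Write-Host 'No AMSI provider key found: AMSI is unavailable or no provider is registered.'
    return
}

Get-ChildItem -Path $providersKey | ForEach-Object {
    $clsid    = $_.PSChildName
    $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"

    # Friendly name lives in the CLSID key's default value.
    $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'

    # The in-process server DLL path may contain environment variables; expand them.
    $dll = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }

    # Unsigned or missing provider DLLs deserve a closer look on a managed endpoint.
    $sig = if ($dll -and (Test-Path $dll)) {
        (Get-AuthenticodeSignature -FilePath $dll).Status
    } else {
        'DLL not found'
    }

    [pscustomobject]@{
        CLSID     = $clsid
        Provider  = $name
        Dll       = $dll
        Signature = $sig
    }
} | Format-Table -AutoSize
```

Windows Defender registers its own provider here when it is the active engine; a third-party AV that integrates with AMSI appears as an additional entry.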
93803123 (Level 9) wrote the reply above; in response:

The best AMSI results are from Microsoft because it doesn't share how to implement AMSI with the publishers.

AMSI is only basic protection. It's not something to place any significant trust in. The probability is that it will fail you when you need it the most.