Malware that embeds a null character in its code can bypass security scans performed by the Anti-Malware Scan Interface (AMSI) on Windows 10 boxes.
Microsoft fixed this vulnerability last week when it released the February 2018 Patch Tuesday security updates.
Flaw affects AMSI Windows 10 security feature
The vulnerability resides in the Anti-Malware Scan Interface (AMSI), a generic security feature that acts as an intermediary between apps and the local antivirus engines.
AMSI allows an app to send a file to be scanned by the local security software and return the results. AMSI was introduced with Windows 10 and is vendor agnostic, meaning it will automatically send the file to any AMSI-compatible AV engine on the local PC, not just the built-in Windows Defender.
While AMSI can be used to scan all types of files, Microsoft specifically developed AMSI to help inspect scripts invoked at runtime, such as PowerShell, VBScript, Ruby, and others, which have become a preferred method of avoiding detection on computers using classic signature-based antivirus engines.
In other words, AMSI acts as a post-execution scanner that checks additional resources loaded or triggered by an executed file.
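As an added illustration (not code from the article or from Microsoft), here is a small Python model of the scanning gap a NUL byte can open and the defender-side pre-check that closes it; the weak scanner, the signature string and the sample script are constructed assumptions about the failure mode, not AMSI's actual internals.

```python
"""Models why a NUL byte inside script text is a detection hazard and how a
defender-side pre-check plus a full-length scan close the gap. Written for this
article; the scanners below are stand-ins, not Microsoft's AMSI implementation."""

# Constructed signature; stands in for whatever a real engine matches on.
SIGNATURES = [b"CONSTRUCTED_SUSPICIOUS_MARKER"]

# Constructed sample script: ordinary-looking text, a NUL, then the flagged content.
SAMPLE_SCRIPT = b"Write-Output 'hello'\n" + b"\x00" + b"# CONSTRUCTED_SUSPICIOUS_MARKER\n"


def scan_as_cstring(content: bytes, signatures=SIGNATURES) -> list:
    """Assumed weak scanner: treats the buffer as a C string, so anything past the
    first NUL is never examined. This is a model of the failure mode, not the
    code path the article describes (it does not give the root cause)."""
    visible = content.split(b"\x00", 1)[0]
    return [sig for sig in signatures if sig in visible]


def scan_full_length(content: bytes, signatures=SIGNATURES) -> list:
    """Hardened scanner: inspects every byte up to the explicit buffer length,
    which is how an explicit-length API such as AmsiScanBuffer is meant to be used."""
    return [sig for sig in signatures if sig in content]


def embedded_nul_offsets(content: bytes) -> list:
    """Defender pre-check: text scripts have no legitimate reason to contain NUL.
    Returns the offset of every NUL so the finding can be logged or alerted on."""
    return [i for i, b in enumerate(content) if b == 0]


def inspect_script(content: bytes) -> dict:
    """Combine the pre-check with a full-length scan and return a verdict that a
    detection pipeline could act on."""
    nuls = embedded_nul_offsets(content)
    hits = scan_full_length(content)
    return {
        "nul_offsets": nuls,
        "signature_hits": hits,
        "suspicious": bool(nuls) or bool(hits),
    }


if __name__ == "__main__":
    print("C-string scan hits:   ", scan_as_cstring(SAMPLE_SCRIPT))
    print("Full-length scan hits:", scan_full_length(SAMPLE_SCRIPT))
    print("Verdict:", inspect_script(SAMPLE_SCRIPT))
```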