Q&A svchost process is blocking a non-Microsoft-signed binary: fsamsi64.dll

Zartarra

Level 6
Thread author
Verified
Well-known
May 9, 2019
261
Hello all

I am using F-Secure Safe 18.2. In the Security-Mitigrations logs I found many warning with all the same message:

Process '\Device\HarddiskVolume4\Windows\System32\svchost.exe' (PID 2520) was blocked from loading the non-Microsoft-signed binary '\Program Files (x86)\F-Secure\SAFE\Ultralight\ulcore\1642777614\fsamsi64.dll'. The PID points to Windows management Instrumentation service.

I found on the F-secure community the following: Win 10 Event Log - fsamsi64.dll - image hash of a file is not valid. On the Avast community I found a similar message (Avast and Security-Mitigations warning events).

I tried to turn off the code integrity for svchost.exe in the Exploit protection setting but that did not resolve the issue.

Does anyone have an idea to solve this issue?
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
4,865
Good catch @Zartarra . This one was interesting, most because of how easy it is to trace the silly blame game between several AV vendors and Microsoft. I wouldn't be too surprised if it's even more 3rd party AV vendors that have error logs on the same "amsi".dll file.

Would disabling Memory Integrity solve this issue?
I agree with @Gandalf_The_Grey on this one.
 

Zartarra

Level 6
Thread author
Verified
Well-known
May 9, 2019
261
I turned off the memory protection but the issue is still there :cry:. I even used the regkey in Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios.
 

Zartarra

Level 6
Thread author
Verified
Well-known
May 9, 2019
261
I tested a bit further. I disabled the exploit protection, still the same issue.

I have a policy enabled to protect svchost.exe. Maybe that can be an issue. I disabled it on a test machine but still the same. Going to search further on an fresh installed VM.
 

Zartarra

Level 6
Thread author
Verified
Well-known
May 9, 2019
261
I maybe found the issue. I have a policy enabled to enable svchost.exe mitigrations. When I set the policy back to "not configured" and delete manually the regkey, the event is not registered again in the eventviewer.

Policy - Mitigratie svchost.png