Reply to thread

Message

<blockquote data-quote="MacDefender" data-source="post: 841309" data-attributes="member: 83059">Just to point out: your malware can literally bundle its own Python or Lua or bash shell or any other interpreter that is compiled with zero AMSI support and there’s nothing that AMSI can do about that.AMSI is great for use cases like malware attempting to use the system copy of Powershell to run obfuscated scripts because as it deobfuscates itself, chances are increased that your AV is shown enough by AMSI that it can recognize a malicious action.For the myriad of cases that AMSI doesn’t cover, it falls back to the behavior blocker’s job to monitor how the whole black box is behaving. Script or no script, at the end of the day malware carries out malicious actions. And behavior blockers are supposed to look for that.Long story short: it’s great to implement AMSI but it’s not really as critical or cool as the marketing materials make it out to be.</blockquote>

[QUOTE="MacDefender, post: 841309, member: 83059"] Just to point out: your malware can literally bundle its own Python or Lua or bash shell or any other interpreter that is compiled with zero AMSI support and there’s nothing that AMSI can do about that. AMSI is great for use cases like malware attempting to use the system copy of Powershell to run obfuscated scripts because as it deobfuscates itself, chances are increased that your AV is shown enough by AMSI that it can recognize a malicious action. For the myriad of cases that AMSI doesn’t cover, it falls back to the behavior blocker’s job to monitor how the whole black box is behaving. Script or no script, at the end of the day malware carries out malicious actions. And behavior blockers are supposed to look for that. Long story short: it’s great to implement AMSI but it’s not really as critical or cool as the marketing materials make it out to be. [/QUOTE]

Verification