The Antimalware Scan Interface (AMSI) is a plug-in interface which allows antimalware vendors to proffer their content-scanning services and which applications can call to submit content for scanning.
A security vulnerability report was submitted that claimed to have found a way to bypass AMSI scanning in PowerShell. The basic idea is to run a PowerShell script that uses functions like VirtualÂProtect and WriteÂProcessÂMemory to patch the hosting PowerShell interpreter so that it bypasses the calls to the AMSI provider and treats all content as having passed the antimalware scan. Once AMSI is disabled, the attacker can then deploy a malicious script to the PowerShell process, which is then executed by PowerShell without ever being scanned by any AMSI provider.
Okay, that’s nice. But what about the initial script that disables AMSI scanning? How did you trick PowerShell into running it? You had to get that script past the AMSI scanner in order to get it to run. So this report is saying, “If you have bypassed AMSI scanning, then you can bypass AMSI scanning.” In other words, it presupposes that it is already on the other side of the airtight hatchway.
This is like reporting that your house has a security vulnerability in its front door because somebody who has broken into the house can open the front door from the inside to let the bad guys in. But the person who broke into the house is already a bad guy. The homeowner has already lost: A bad guy is in the house, and they can just go ahead and do whatever they wanted directly. Opening the front door to let in more buddies makes it easier, but they’re already inside. They can already run around unplugging security cameras and pocketing all your jewelry.
Now, if the initial AMSI-disabling script itself passes AMSI scanning, then that’s a quality issue in the antimalware scanner. You can submit your AMSI-disabling script to the antimalware vendors for them to analyze and add detection.
Bonus chatter: AMSI is not a security boundary. It is a defense in depth measure to make it harder for malware to enter a process even though it has already tricked the user into running it. But it comes with the assumption that the process doing the scan has not already been compromised. Once you’ve compromised a process, you have already won. AMSI is trying to defend the boundary, not withstand an attack from within.
So an antivirus wants to scan my computer and delete whatever it wants. That’s great except… do you have a warrant? No? Turn around and help yourself out sir.
A better front door analogy might be relating to having a glass window in the door: "If the bad guy punches out the window, they can reach in and unlock the door rather than climb thought the broken glass". Putting a keyed lock-turn on the inside might make it a little harder to get in, but a bad guy who is able and willing to punch out the window is going to get in one...
Perhaps it’s even a better analogy than you realize, as people still insist an interior keyed lock-turn is safer, despite the ample evidence to the contrary.