{"id":110626,"date":"2024-12-10T07:00:00","date_gmt":"2024-12-10T15:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=110626"},"modified":"2024-12-10T09:37:52","modified_gmt":"2024-12-10T17:37:52","slug":"20241210-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20241210-00\/?p=110626","title":{"rendered":"It rather involved being on the other side of this airtight hatchway: Disabling anti-malware scanning"},"content":{"rendered":"<p>The <a href=\"https:\/\/learn.microsoft.com\/windows\/win32\/amsi\/antimalware-scan-interface-portal\"> Antimalware Scan Interface<\/a> (AMSI) is a plug-in interface which allows antimalware vendors to proffer their content-scanning services and which applications can call to submit content for scanning.<\/p>\n<p>A security vulnerability report was submitted that claimed to have found a way to bypass AMSI scanning in PowerShell. The basic idea is to run a PowerShell script that uses functions like <code>Virtual\u00adProtect<\/code> and <code>Write\u00adProcess\u00adMemory<\/code> to patch the hosting PowerShell interpreter so that it bypasses the calls to the AMSI provider and treats all content as having passed the antimalware scan. Once AMSI is disabled, the attacker can then deploy a malicious script to the PowerShell process, which is then executed by PowerShell without ever being scanned by any AMSI provider.<\/p>\n<p>Okay, that&#8217;s nice. But what about the initial script that disables AMSI scanning? How did you trick PowerShell into running it? You had to get that script past the AMSI scanner in order to get it to run. 
So this report is saying, &#8220;If you have bypassed AMSI scanning, then you can bypass AMSI scanning.&#8221; In other words, it presupposes that it is already on the other side of the airtight hatchway.<\/p>\n<p>This is like reporting that your house has a security vulnerability in its front door because somebody who has broken into the house can open the front door from the inside to let the bad guys in. But the person who broke into the house <i>is already a bad guy<\/i>. The homeowner has already lost: A bad guy is in the house, and they can just go ahead and do whatever they want directly. Opening the front door to let in more buddies makes it easier, but they&#8217;re already inside. They can already run around unplugging security cameras and pocketing all your jewelry.<\/p>\n<p>Now, if the initial AMSI-disabling script itself passes AMSI scanning, then that&#8217;s a detection quality issue in the antimalware scanner, not a vulnerability in AMSI or in PowerShell. You can submit your AMSI-disabling script to the antimalware vendors for them to analyze and add detection.<\/p>\n<p><b>Bonus chatter<\/b>: AMSI is not a security boundary. It is a defense-in-depth measure to make it harder for malware to enter a process even though it has already tricked the user into running it. But it comes with the assumption that the process doing the scan has not already been compromised. Once you&#8217;ve compromised a process, you have already won. 
AMSI is trying to defend the boundary, not withstand an attack from within.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you have already infiltrated the process, then you can disable things from the inside.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-110626","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"<p>If you have already infiltrated the process, then you can disable things from the inside.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/110626","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=110626"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/110626\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=110626"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=110626"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=110626"}],"curies":[{"name":"wp","href":"https:\/
\/api.w.org\/{rel}","templated":true}]}}
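The post above describes AMSI from the application side: a host such as PowerShell submits content to the registered antimalware provider and acts on the verdict, and that call only means something while the host itself is still intact. As an added example that is not part of the original post, the PowerShell script below makes that same call directly through the documented amsi.dll exports (AmsiInitialize, AmsiOpenSession, AmsiScanBuffer, AmsiCloseSession, AmsiUninitialize). It assumes Windows 10 / Server 2016 or later with a registered AMSI provider such as Microsoft Defender; the app name, content name, .NET type names and sample input are constructed for the example.

```powershell
# Added example, not code from the original post: the application side of AMSI.
# P/Invokes the documented amsi.dll exports to submit content to the registered
# provider, which is what PowerShell does with script text before running it.
# Assumes Windows 10 / Server 2016+ with a registered provider (e.g. Defender).
# Type names, app name, content names and sample input are constructed here.

if (-not ('AmsiExample.NativeMethods' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

namespace AmsiExample
{
    public static class NativeMethods
    {
        // AMSI_RESULT values from amsi.h. The AmsiResultIsMalware() macro is
        // simply (result >= AMSI_RESULT_DETECTED).
        public const int AMSI_RESULT_CLEAN                  = 0;
        public const int AMSI_RESULT_NOT_DETECTED           = 1;
        public const int AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000;
        public const int AMSI_RESULT_BLOCKED_BY_ADMIN_END   = 0x4FFF;
        public const int AMSI_RESULT_DETECTED               = 0x8000;

        [DllImport("amsi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
        public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

        [DllImport("amsi.dll", ExactSpelling = true)]
        public static extern void AmsiUninitialize(IntPtr amsiContext);

        [DllImport("amsi.dll", ExactSpelling = true)]
        public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);

        [DllImport("amsi.dll", ExactSpelling = true)]
        public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);

        [DllImport("amsi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
        public static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
                                                string contentName, IntPtr amsiSession, out int result);
    }
}
'@
}

function Invoke-AmsiScan {
    # Submits a string to the AMSI provider and returns the provider's verdict.
    param(
        [Parameter(Mandatory)][string] $Content,
        [string] $ContentName = 'constructed-sample.ps1'   # origin label shown to the provider
    )
    $amsi    = [AmsiExample.NativeMethods]
    $context = [IntPtr]::Zero
    $hr = $amsi::AmsiInitialize('AmsiScanExample', [ref]$context)
    if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
    try {
        # A session lets the provider correlate several scans that belong to one
        # logical request; this example performs one scan per session.
        $session = [IntPtr]::Zero
        $hr = $amsi::AmsiOpenSession($context, [ref]$session)
        if ($hr -ne 0) { throw ('AmsiOpenSession failed: 0x{0:X8}' -f $hr) }
        try {
            # Submit the text as UTF-16LE bytes, the encoding PowerShell hands to AMSI.
            $bytes  = [System.Text.Encoding]::Unicode.GetBytes($Content)
            $result = 0
            $hr = $amsi::AmsiScanBuffer($context, $bytes, [uint32]$bytes.Length,
                                        $ContentName, $session, [ref]$result)
            if ($hr -ne 0) { throw ('AmsiScanBuffer failed: 0x{0:X8}' -f $hr) }

            # AMSI returns a verdict only; it is the host's job to refuse to run the content.
            $verdict = if ($result -ge $amsi::AMSI_RESULT_DETECTED) { 'Detected' }
                       elseif ($result -ge $amsi::AMSI_RESULT_BLOCKED_BY_ADMIN_START -and
                               $result -le $amsi::AMSI_RESULT_BLOCKED_BY_ADMIN_END) { 'BlockedByAdmin' }
                       else { 'Clean' }

            [pscustomobject]@{
                ContentName = $ContentName
                Bytes       = $bytes.Length
                RawResult   = ('0x{0:X4}' -f $result)
                Verdict     = $verdict
            }
        }
        finally { $amsi::AmsiCloseSession($context, $session) }
    }
    finally { $amsi::AmsiUninitialize($context) }
}

# Constructed sample input: benign script text, expected to come back Clean.
Invoke-AmsiScan -Content 'Get-Date | Out-String' -ContentName 'benign.ps1'

# To see a Detected verdict, scan content your provider flags, read from a file
# at run time rather than embedded in this script (hypothetical file name):
#   Invoke-AmsiScan -Content (Get-Content -Raw .\amsi-test.txt) -ContentName 'amsi-test.txt'
```

Two practical notes. First, Microsoft Defender recognizes a dedicated AMSI test string (look up "AMSI Test Sample" in the AMSI documentation); if you paste that string as a literal into a script or at the console, PowerShell's own AMSI hook flags the script block before a single line runs, which is exactly the sequence the post describes, so feed it in from a file at run time if you want to watch the explicit AmsiScanBuffer call return Detected. Second, the value of the verdict is bounded by the trustworthiness of the process asking: if every input, test string included, comes back Clean, either no provider is registered or the host making the call has already been tampered with, and nothing this function does can tell those two apart from inside the same process. Add-Type is unavailable in Constrained Language Mode, so run the example from a full-language session.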