Detecting Windows AMSI Bypass Techniques

Windows Antimalware Scan Interface (AMSI) is a vendor-agnostic security feature of the Windows operating system (OS) that allows applications and services to integrate with the antimalware products installed on a computer. Introduced by Microsoft in 2015 with Windows 10, it provides a standard interface through which those products can scan files, memory buffers, script content, and other data for threats. This helps protect workloads and applications from a wide range of attacks, including the malicious scripts and malware used to compromise a system.

How it works
When an application or service requests a scan, the request goes to the registered AMSI provider, which is typically the antimalware solution installed on the system (Microsoft Defender Antivirus registers one by default). The provider scans the submitted content with its own detection engine and returns a result to the requesting application or service, which then decides what to do with it; PowerShell, for example, refuses to run a script block that the provider reports as malicious. Because the interface is designed to be extensible, any security vendor can register a provider and add new scanning capabilities as needed.
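To make the request/response flow concrete, here is an added example of the application side of that exchange, written for this page and not taken from the Trend Micro article. It calls the real amsi.dll exports (AmsiInitialize, AmsiOpenSession, AmsiScanString, AmsiCloseSession, AmsiUninitialize) through P/Invoke, submits two constructed strings to whatever provider is registered, and decodes the AMSI_RESULT values defined in amsi.h. The namespace AmsiDemo and the function names Invoke-AmsiScan and ConvertTo-AmsiResultName are mine; the second input is Microsoft's documented AMSI test sample string, which a working Defender provider reports as detected. It needs Windows 10 or later with an AMSI provider active.

```powershell
# Added example (not Trend Micro's code): an application requesting an AMSI
# scan. Requires Windows 10+ with an AMSI provider registered (Microsoft
# Defender does this by default). P/Invoke signatures mirror amsi.h.
Add-Type -Namespace AmsiDemo -Name Native -MemberDefinition @'
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

[DllImport("amsi.dll")]
public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);

[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiScanString(IntPtr amsiContext, string content,
    string contentName, IntPtr amsiSession, out int result);

[DllImport("amsi.dll")]
public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);

[DllImport("amsi.dll")]
public static extern void AmsiUninitialize(IntPtr amsiContext);
'@

function ConvertTo-AmsiResultName {
    # Maps an AMSI_RESULT value to its amsi.h name. 0x4000-0x4FFF are
    # administrator blocks; anything >= 0x8000 is what the header's
    # AmsiResultIsMalware() macro treats as a detection.
    param([int]$Result)
    if ($Result -eq 0) { return 'AMSI_RESULT_CLEAN' }
    if ($Result -eq 1) { return 'AMSI_RESULT_NOT_DETECTED' }
    if ($Result -ge 0x4000 -and $Result -le 0x4FFF) { return 'AMSI_RESULT_BLOCKED_BY_ADMIN' }
    if ($Result -ge 0x8000) { return 'AMSI_RESULT_DETECTED' }
    return "Unknown ($Result)"
}

function Invoke-AmsiScan {
    # Scans each string through the registered provider inside one AMSI
    # session and emits one object per input with the raw and decoded result.
    param(
        [Parameter(Mandatory)][string[]]$Content,
        [string]$AppName = 'AmsiDemo'   # name the provider sees as the caller
    )
    $ctx = [IntPtr]::Zero
    $hr = [AmsiDemo.Native]::AmsiInitialize($AppName, [ref]$ctx)
    if ($hr -ne 0) { throw ('AmsiInitialize failed: HRESULT 0x{0:X8}' -f $hr) }

    $session = [IntPtr]::Zero
    $hr = [AmsiDemo.Native]::AmsiOpenSession($ctx, [ref]$session)
    if ($hr -ne 0) {
        [AmsiDemo.Native]::AmsiUninitialize($ctx)
        throw ('AmsiOpenSession failed: HRESULT 0x{0:X8}' -f $hr)
    }

    try {
        $i = 0
        foreach ($item in $Content) {
            $result = 0
            $hr = [AmsiDemo.Native]::AmsiScanString($ctx, $item, "sample-$i", $session, [ref]$result)
            if ($hr -ne 0) { throw ('AmsiScanString failed: HRESULT 0x{0:X8}' -f $hr) }
            [pscustomobject]@{
                Name    = "sample-$i"
                Result  = $result
                Verdict = ConvertTo-AmsiResultName $result
                Malware = ($result -ge 0x8000)
            }
            $i++
        }
    }
    finally {
        # Always release the session and context, even if a scan call failed.
        [AmsiDemo.Native]::AmsiCloseSession($ctx, $session)
        [AmsiDemo.Native]::AmsiUninitialize($ctx)
    }
}

# Constructed inputs. The second is Microsoft's documented AMSI test sample,
# assembled at run time: this script's own text also passes through AMSI when
# it is invoked, and a literal copy is likely to get the whole script blocked.
$benign = 'Get-Date; Write-Output "hello"'
$amsiTestSample = 'AMSI Test Sample: 7e72c3ce-861b-' + '4339-8740-0ac1484c1386'

Invoke-AmsiScan -Content $benign, $amsiTestSample | Format-Table -AutoSize
```

On a healthy system the first sample comes back as AMSI_RESULT_NOT_DETECTED and the second as AMSI_RESULT_DETECTED. The scan happens in the calling process: the provider's verdict travels back through amsi.dll loaded into that same process, which is why a process in which the test sample unexpectedly scans clean deserves a closer look in the context of this page.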

Read more…
Source: Trend Micro