AMSI Provider
Usermode. Antimalware Scan Interface provider for script content scanning.
Overview
AMSI (Antimalware Scan Interface) is a Windows API that lets an application hand the content it is about to execute to registered antimalware providers for scanning before it runs. Providers are in-process COM servers listed by CLSID under HKLM\SOFTWARE\Microsoft\AMSI\Providers; amsi.dll loads each of them into the calling application's process. DioIPS registers as one of these providers, so it receives the content submitted by every AMSI-integrated application on the host.
AMSI-Integrated Applications
- PowerShell: script blocks, commands, and modules (PowerShell 5.0 and later, including PowerShell 7)
- Windows Script Host: VBScript and JScript content run by wscript.exe and cscript.exe
- Office VBA: macro content from Office documents, submitted while the macro runs
- .NET: in-memory assembly loading (Assembly.Load from a byte array, .NET Framework 4.8 and later)
How It Works
1. The application calls AmsiScanBuffer or AmsiScanString with the content it is about to execute.
2. amsi.dll, loaded inside that application's process, passes the content to every registered provider.
3. DioIPS receives and logs the content.
4. The content is matched against IPS rules; a matching rule with Action: Block makes DioIPS report the content as malicious, and the application refuses to run it.
5. Events appear in the ETW tab.
Captured Information
- Application: which app sent the content
- Content type: script, buffer, or stream
- Content: the actual script/data content as submitted
- Session: AMSI session identifier, which lets the scans an application submits within one session be correlated
- Process: PID and process name
Detection Examples
Obfuscated PowerShell
PowerShell submits each script block as it is about to be compiled, so content that only exists after decoding or evaluation (the payload of -EncodedCommand, a string assembled at run time and passed to Invoke-Expression) arrives in plain text. AMSI therefore reveals commands that a static scan of the file on disk would miss.
Fileless Malware
Scripts executed directly in memory, for example downloaded and passed straight to Invoke-Expression without ever being written to disk, are still captured before they run, because AMSI scans the content itself rather than a file.
Macro Execution
Office submits VBA macro content at run time, when a macro is about to call a potentially dangerous API (such as shelling out or creating a COM object), so the submission includes strings the macro built while running rather than only the source in the document.
IPS Rule Examples
AMSI: *Invoke-Mimikatz* | Action: Block
AMSI: *-EncodedCommand* | Action: Alert
AMSI: *DownloadString* | Action: Log
Patterns are matched against the content exactly as the application submits it, which has two consequences worth knowing. *-EncodedCommand* does not fire on the decoded payload of powershell -EncodedCommand ..., because the flag lives on the command line and AMSI receives the decoded script; it fires when a script's own text contains that string, for instance when it launches a child PowerShell. Conversely, *Invoke-Mimikatz* misses a script that assembles the name at run time, but catches the assembled text on the later scan that Invoke-Expression triggers when it compiles that string.
Limitations
- AMSI can be bypassed by an attacker who already runs code in the target process: patching AmsiScanBuffer in the copy of amsi.dll loaded in that process, setting PowerShell's amsiInitFailed field through reflection, or falling back to PowerShell 2.0, which predates AMSI. Any of these makes that process submit nothing further, so the absence of events from a host is not evidence that nothing ran.
- Only works with AMSI-integrated applications; native executables and script hosts that never call AMSI produce no events.
- Requires Windows 10 or Windows Server 2016 or later.
- Some content may be truncated for large scripts.