[Bug 46798] New: Multiple Microsoft applications need support for Antimalware Scan Interface (AMSI) 'AMSI.dll'
wine-bugs at winehq.org
Fri Mar 8 06:43:00 CST 2019
https://bugs.winehq.org/show_bug.cgi?id=46798
Bug ID: 46798
Summary: Multiple Microsoft applications need support for Antimalware Scan Interface (AMSI) 'AMSI.dll'
Product: Wine
Version: 4.3
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
to track the introduction of the Antimalware Scan Interface component with recent
commits. Search didn't return any Wine-related bug reports, hence I assume it's
some sekrit stuff CodeWeavers works on. My guess would be it's Microsoft Office
2016/Office 365 that has AMSI integration for VBA Macros (VBE7.dll).
Microsoft docs:
https://docs.microsoft.com/en-us/windows/desktop/amsi/antimalware-scan-interface-portal
https://www.microsoft.com/security/blog/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/
--- quote ---
Antimalware Scan Interface (AMSI)
Purpose
The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard
that allows your applications and services to integrate with any antimalware
product that's present on a machine. AMSI provides enhanced malware protection
for your end-users and their data, applications, and workloads.
AMSI is agnostic of antimalware vendor; it's designed to allow for the most
common malware scanning and protection techniques provided by today's
antimalware products that can be integrated into applications. It supports a
calling structure allowing for file and memory or stream scanning, content
source URL/IP reputation checks, and other techniques.
AMSI also supports the notion of a session so that antimalware vendors can
correlate different scan requests. For instance, the different fragments of a
malicious payload can be associated to reach a more informed decision, which
would be much harder to reach just by looking at those fragments in isolation.
Windows components that integrate with AMSI
The AMSI feature is integrated into these components of Windows 10.
User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation)
PowerShell (scripts, interactive use, and dynamic code evaluation)
Windows Script Host (wscript.exe and cscript.exe)
JavaScript and VBScript
Office VBA macros
--- quote ---
Found an app that makes use of AMSI here:
https://github.com/wchen-r7/amsiscanner
--- quote ---
AMSI Scanner
A C/C++ implementation of Microsoft's Antimalware Scan Interface.
--- quote ---
--- snip ---
$ wine ./amsiscanner.exe amsiscanner.exe
0009:fixme:amsi:AmsiInitialize L"\794d\6d41\6973\6353\6e61\656er", 0x33fdd4
0009:fixme:amsi:AmsiOpenSession 0xdeadbeef, 0x33fdd0
0009:fixme:amsi:AmsiScanBuffer 0xdeadbeef, 0x340000, 178688, L"\6d61\6973\6373\6e61\656e\2e72\7865er.\0188", 0xdeadbeef, 0x33fdcc
0009:fixme:amsi:AmsiUninitialize 0xdeadbeef
Sample size: 178688 bytes
Risk level = 1 (No threat detected)
--- snip ---
$ sha1sum amsiscanner.exe
257626250fd91de2f853758c3cccc8e5f5830113 amsiscanner.exe
$ du -sh amsiscanner.exe
176K amsiscanner.exe
$ wine --version
wine-4.3-188-gab7756619c
Regards
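A note on reading the trace above, with an added helper that is not part of the bug report or of Wine. Wine's debugstr_w prints a wide string as L"...", writing printable ASCII code units literally and any other 16-bit unit as \xxxx. The AmsiInitialize and AmsiScanBuffer lines show units such as \794d and \6d61, which are pairs of ASCII bytes (0x4d 0x79 = "My", 0x61 0x6d = "am") read as little-endian UTF-16. That is the signature of a narrow char* string being handed to a parameter Wine treats as LPCWSTR; the decoder below recovers the original bytes so the trace can be checked rather than guessed at. The trace lines embedded as sample input are copied from the report (with the wrapped AmsiScanBuffer line joined); the function names and the classification labels are my own.

```python
"""Decode Wine debugstr_w output (L"..." literals) from amsi trace lines.

Added example, not code from the Wine bug report or from Wine itself.
"""
import re

# debugstr_w renders a wide string as L"...": printable ASCII code units
# literally, a few C escapes (\n, \r, \t, \\, \") for controls and quotes,
# and \xxxx (four hex digits = one UTF-16 code unit) for everything else.
_LITERAL = re.compile(r'L"((?:\\[0-9a-fA-F]{4}|\\.|[^"\\])*)"')
_UNIT = re.compile(r'\\([0-9a-fA-F]{4})|\\(.)|(.)', re.S)
_ESCAPES = {"n": 0x0A, "r": 0x0D, "t": 0x09, "\\": 0x5C, '"': 0x22}


def extract_literal(trace_line: str) -> str:
    """Return the body of the first L"..." literal on a Wine trace line."""
    m = _LITERAL.search(trace_line)
    if not m:
        raise ValueError('no L"..." literal on line')
    return m.group(1)


def parse_debugstr_w(body: str) -> list:
    """Convert a literal body back into the 16-bit code units Wine saw."""
    units = []
    for hex4, esc, ch in _UNIT.findall(body):
        if hex4:
            units.append(int(hex4, 16))
        elif esc:
            units.append(_ESCAPES.get(esc, ord(esc)))
        else:
            units.append(ord(ch))
    return units


def _printable(b: int) -> bool:
    return 0x20 <= b < 0x7F


def diagnose(units: list):
    """Classify the code units of one traced string.

    'wide'           every unit is printable ASCII: a genuine wide string.
    'narrow-as-wide' reading the units as little-endian bytes up to the first
                     NUL yields printable ASCII: a char* string was passed
                     where a wide string was expected.
    'other'          genuine non-ASCII text or garbage; raw bytes as hex.
    Returns (kind, decoded_text).
    """
    if units and all(_printable(u) for u in units):
        return "wide", "".join(chr(u) for u in units)
    raw = bytearray()
    for u in units:
        raw += bytes((u & 0xFF, u >> 8))
    text = raw.split(b"\x00", 1)[0]
    if len(text) >= 2 and all(_printable(b) for b in text):
        return "narrow-as-wide", text.decode("ascii")
    return "other", raw.hex()


def diagnose_line(trace_line: str):
    """Extract, parse and classify the first L"..." literal on a trace line."""
    return diagnose(parse_debugstr_w(extract_literal(trace_line)))


# Constructed sample input: the two string-carrying lines from the report.
SAMPLE_LINES = [
    r'0009:fixme:amsi:AmsiInitialize L"\794d\6d41\6973\6353\6e61\656er", 0x33fdd4',
    r'0009:fixme:amsi:AmsiScanBuffer 0xdeadbeef, 0x340000, 178688, '
    r'L"\6d61\6973\6373\6e61\656e\2e72\7865er.\0188", 0xdeadbeef, 0x33fdcc',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        func = line.split()[0].split(":")[-1]
        kind, text = diagnose_line(line)
        print(f"{func}: {kind}: {text!r}")
```

Run as-is, the AmsiInitialize line decodes to "MyAmsiScanner" and the AmsiScanBuffer content name to "amsiscanner.exe", both classified as narrow-as-wide; the trailing bytes after the narrow terminator (the "r.\0188" tail) are whatever followed the string in memory and are discarded at the first NUL. A correctly built wide string such as L"amsiscanner.exe" comes back as 'wide' unchanged, and text with real non-ASCII units falls into 'other' so nothing is silently misread.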